Add explicit danger-full-access example flag

Author: nshkrdotcom

examples/README.md

@@ -35,6 +35,7 @@ applies to Codex CLI subprocesses and MCP HTTP/OAuth flows.
 ./examples/run_all.sh
 ./examples/run_all.sh --ssh-host example.internal
 ./examples/run_all.sh --ssh-host example.internal --cwd /srv/trusted/repo
+./examples/run_all.sh --ssh-host example.internal --danger-full-access
 ./examples/run_all.sh --ssh-host builder@example.internal --ssh-port 2222
 ```
 
@@ -62,6 +63,7 @@ their existing local default when you omit the flag.
 Supported SSH flags for CLI/app-server examples:
 
 - `--cwd <path>`
+- `--danger-full-access`
 - `--ssh-host <host>` or `--ssh-host <user>@<host>`
 - `--ssh-user <user>`
 - `--ssh-port <port>`
@@ -73,6 +75,13 @@ those upstream surfaces do not expose `--skip-git-repo-check`. Point it at a
 trusted directory on the remote host when you want those examples to run over
 `execution_surface: :ssh_exec`.
 
+`--danger-full-access` keeps the same transport placement and switches only the
+Codex runtime sandbox mode to `:danger_full_access`. This is the explicit
+example-level escape hatch for remote Linux hosts where sandboxed shell tool
+execution fails before the command runs, for example when the host's userns or
+AppArmor policy blocks the `bwrap` path that the remote Codex CLI is trying to
+use.
+
 `--ssh-host` is mutually exclusive with `--ollama`, because `--ollama` is the
 local OSS route and `--ssh-host` is remote subprocess placement.
 
@@ -142,6 +151,7 @@ SSH usage for CLI/app-server examples is explicit:
 
 ```bash
 mix run examples/live_cli_demo.exs -- --ssh-host example.internal "What is the capital of France?"
+mix run examples/live_cli_demo.exs -- --ssh-host example.internal --danger-full-access "Run the shell command ls and then say done."
 mix run examples/live_app_server_basic.exs -- --ssh-host builder@example.internal --ssh-port 2222 --cwd /srv/trusted/repo "Reply with exactly ok and nothing else."
 mix run examples/live_cli_session.exs -- --ssh-host example.internal --cwd /srv/trusted/repo "Summarize this repository in three bullets."
 ```

examples/run_all.sh

@@ -6,12 +6,13 @@ cd "$ROOT"
 
 usage() {
   cat <<'EOF'
-Usage: bash examples/run_all.sh [--ollama] [--ollama-model MODEL] [--cwd PATH] [--ssh-host HOST] [--ssh-user USER] [--ssh-port PORT] [--ssh-identity-file PATH] [--help]
+Usage: bash examples/run_all.sh [--ollama] [--ollama-model MODEL] [--cwd PATH] [--danger-full-access] [--ssh-host HOST] [--ssh-user USER] [--ssh-port PORT] [--ssh-identity-file PATH] [--help]
 
 Options:
   --ollama               Run all examples against local Codex OSS + Ollama.
   --ollama-model MODEL   Override the Ollama model. Default: gpt-oss:20b
   --cwd PATH             Working directory override. In SSH mode, app-server thread demos require a trusted remote cwd.
+  --danger-full-access   Run CLI/app-server examples with sandbox=danger_full_access.
   --ssh-host HOST        Run CLI/app-server examples over execution_surface=:ssh_exec.
   --ssh-user USER        Optional SSH user override.
   --ssh-port PORT        Optional SSH port override.
@@ -58,6 +59,10 @@ while [[ $# -gt 0 ]]; do
       cwd_configured=true
       shift
       ;;
+    --danger-full-access)
+      example_args+=("$1")
+      shift
+      ;;
     --ssh-host|--ssh-user|--ssh-port|--ssh-identity-file)
       if [[ $# -lt 2 ]]; then
         echo "ERROR: $1 requires a value." >&2
@@ -167,6 +172,9 @@ else
   else
     echo "CLI model: shared core default"
   fi
+  if [[ " ${example_args[*]} " == *" --danger-full-access "* ]]; then
+    echo "CLI/App-server sandbox override: danger_full_access"
+  fi
   EXAMPLE_TIMEOUT_SECONDS="${CODEX_EXAMPLES_TIMEOUT_SECONDS:-}"
   echo
 fi

lib/codex/examples_support.ex

@@ -15,6 +15,7 @@ defmodule Codex.ExamplesSupport do
     defstruct argv: [],
               execution_surface: nil,
               example_cwd: nil,
+              example_danger_full_access: false,
               ssh_host: nil,
               ssh_user: nil,
               ssh_port: nil,
@@ -24,6 +25,7 @@ defmodule Codex.ExamplesSupport do
             argv: [String.t()],
             execution_surface: ExecutionSurface.t() | nil,
             example_cwd: String.t() | nil,
+            example_danger_full_access: boolean(),
             ssh_host: String.t() | nil,
             ssh_user: String.t() | nil,
             ssh_port: pos_integer() | nil,
@@ -34,6 +36,7 @@ defmodule Codex.ExamplesSupport do
   @context_key {__MODULE__, :ssh_context}
   @ssh_switches [
     cwd: :string,
+    danger_full_access: :boolean,
     ssh_host: :string,
     ssh_identity_file: :string,
     ssh_port: :integer,
@@ -110,21 +113,18 @@ defmodule Codex.ExamplesSupport do
   @spec ssh_enabled?() :: boolean()
   def ssh_enabled?, do: match?(%SSHContext{execution_surface: %ExecutionSurface{}}, context())
 
+  @spec danger_full_access?() :: boolean()
+  def danger_full_access?, do: context().example_danger_full_access == true
+
   @spec execution_surface() :: ExecutionSurface.t() | nil
   def execution_surface, do: context().execution_surface
 
   @spec command_opts(keyword()) :: keyword()
   def command_opts(opts \\ []) when is_list(opts) do
-    opts =
-      case execution_surface() do
-        %ExecutionSurface{} = surface -> Keyword.put(opts, :execution_surface, surface)
-        nil -> opts
-      end
-
-    case example_working_directory() do
-      cwd when is_binary(cwd) and cwd != "" -> Keyword.put_new(opts, :cwd, cwd)
-      _ -> opts
-    end
+    opts
+    |> maybe_put_command_execution_surface()
+    |> maybe_put_command_working_directory()
+    |> maybe_put_command_danger_full_access()
   end
 
   @spec example_working_directory() :: String.t() | nil
@@ -187,6 +187,7 @@ defmodule Codex.ExamplesSupport do
     attrs
     |> maybe_put_example_working_directory()
     |> maybe_put_skip_git_repo_check()
+    |> maybe_put_thread_danger_full_access()
     |> ThreadOptions.new()
   end
 
@@ -309,29 +310,67 @@ defmodule Codex.ExamplesSupport do
 
   defp build_context(parsed, argv) do
     example_cwd = Keyword.get(parsed, :cwd)
+    example_danger_full_access = Keyword.get(parsed, :danger_full_access, false)
     ssh_host = Keyword.get(parsed, :ssh_host)
     ssh_user = Keyword.get(parsed, :ssh_user)
     ssh_port = Keyword.get(parsed, :ssh_port)
     ssh_identity_file = Keyword.get(parsed, :ssh_identity_file)
 
     case normalize_example_cwd(example_cwd) do
       {:ok, example_cwd} ->
-        do_build_context(argv, example_cwd, ssh_host, ssh_user, ssh_port, ssh_identity_file)
+        do_build_context(
+          argv,
+          example_cwd,
+          example_danger_full_access,
+          ssh_host,
+          ssh_user,
+          ssh_port,
+          ssh_identity_file
+        )
 
       {:error, _reason} = error ->
         error
     end
   end
 
-  defp do_build_context(argv, example_cwd, nil, ssh_user, ssh_port, ssh_identity_file) do
+  defp do_build_context(
+         argv,
+         example_cwd,
+         example_danger_full_access,
+         nil,
+         ssh_user,
+         ssh_port,
+         ssh_identity_file
+       ) do
     with :ok <- validate_ssh_flag_dependencies(nil, ssh_user, ssh_port, ssh_identity_file) do
-      {:ok, %SSHContext{argv: argv, example_cwd: example_cwd}}
+      {:ok,
+       %SSHContext{
+         argv: argv,
+         example_cwd: example_cwd,
+         example_danger_full_access: example_danger_full_access
+       }}
     end
   end
 
-  defp do_build_context(argv, example_cwd, ssh_host, ssh_user, ssh_port, ssh_identity_file) do
+  defp do_build_context(
+         argv,
+         example_cwd,
+         example_danger_full_access,
+         ssh_host,
+         ssh_user,
+         ssh_port,
+         ssh_identity_file
+       ) do
     with :ok <- validate_ssh_flag_dependencies(ssh_host, ssh_user, ssh_port, ssh_identity_file) do
-      build_ssh_context(argv, example_cwd, ssh_host, ssh_user, ssh_port, ssh_identity_file)
+      build_ssh_context(
+        argv,
+        example_cwd,
+        example_danger_full_access,
+        ssh_host,
+        ssh_user,
+        ssh_port,
+        ssh_identity_file
+      )
     end
   end
 
@@ -343,7 +382,15 @@ defmodule Codex.ExamplesSupport do
     end
   end
 
-  defp build_ssh_context(argv, example_cwd, ssh_host, ssh_user, ssh_port, ssh_identity_file) do
+  defp build_ssh_context(
+         argv,
+         example_cwd,
+         example_danger_full_access,
+         ssh_host,
+         ssh_user,
+         ssh_port,
+         ssh_identity_file
+       ) do
     with {:ok, {destination, parsed_user}} <- split_host(ssh_host),
          {:ok, effective_user} <- coalesce_user(parsed_user, ssh_user),
          {:ok, identity_file} <- normalize_identity_file(ssh_identity_file),
@@ -362,6 +409,7 @@ defmodule Codex.ExamplesSupport do
          argv: argv,
          execution_surface: execution_surface,
          example_cwd: example_cwd,
+         example_danger_full_access: example_danger_full_access,
          ssh_host: destination,
          ssh_user: effective_user,
          ssh_port: ssh_port,
@@ -432,6 +480,15 @@ defmodule Codex.ExamplesSupport do
     end
   end
 
+  defp maybe_put_thread_danger_full_access(attrs) when is_map(attrs) do
+    if danger_full_access?() and not present?(present_value?(attrs, :sandbox)) and
+         present_value?(attrs, :dangerously_bypass_approvals_and_sandbox) != true do
+      Map.put(attrs, :sandbox, :danger_full_access)
+    else
+      attrs
+    end
+  end
+
   defp present_value?(attrs, key) when is_map(attrs) and is_atom(key) do
     case {Map.get(attrs, key), Map.get(attrs, Atom.to_string(key))} do
       {nil, nil} -> nil
@@ -515,9 +572,32 @@ defmodule Codex.ExamplesSupport do
         {name, value} -> "--#{name}=#{value}"
       end)
 
-    "invalid example flags: #{rendered}. Supported flags: --cwd, --ssh-host, --ssh-user, --ssh-port, --ssh-identity-file"
+    "invalid example flags: #{rendered}. Supported flags: --cwd, --danger-full-access, --ssh-host, --ssh-user, --ssh-port, --ssh-identity-file"
   end
 
   defp maybe_put_kw(opts, _key, nil), do: opts
   defp maybe_put_kw(opts, key, value), do: Keyword.put(opts, key, value)
+
+  defp maybe_put_command_execution_surface(opts) when is_list(opts) do
+    case execution_surface() do
+      %ExecutionSurface{} = surface -> Keyword.put(opts, :execution_surface, surface)
+      nil -> opts
+    end
+  end
+
+  defp maybe_put_command_working_directory(opts) when is_list(opts) do
+    case example_working_directory() do
+      cwd when is_binary(cwd) and cwd != "" -> Keyword.put_new(opts, :cwd, cwd)
+      _ -> opts
+    end
+  end
+
+  defp maybe_put_command_danger_full_access(opts) when is_list(opts) do
+    if danger_full_access?() and not Keyword.has_key?(opts, :sandbox) and
+         not Keyword.has_key?(opts, :dangerously_bypass_approvals_and_sandbox) do
+      Keyword.put(opts, :sandbox, :danger_full_access)
+    else
+      opts
+    end
+  end
 end

test/codex/examples_support_test.exs

@@ -46,6 +46,7 @@ defmodule Codex.ExamplesSupportTest do
                ExamplesSupport.parse_argv([
                  "--cwd",
                  "/srv/codex",
+                 "--danger-full-access",
                  "--ssh-host",
                  "builder@example.internal",
                  "--ssh-port",
@@ -61,6 +62,7 @@ defmodule Codex.ExamplesSupportTest do
       assert context.execution_surface.transport_options[:port] == 2222
       assert context.execution_surface.transport_options[:identity_file] =~ "/tmp/id_ed25519"
       assert context.example_cwd == "/srv/codex"
+      assert context.example_danger_full_access == true
     end
 
     test "rejects orphan ssh flags without --ssh-host" do
@@ -89,6 +91,29 @@ defmodule Codex.ExamplesSupportTest do
     end
   end
 
+  describe "command_opts/1" do
+    test "injects shared cwd and danger-full-access for command helpers" do
+      assert {:ok, context} =
+               ExamplesSupport.parse_argv([
+                 "--cwd",
+                 "/srv/codex",
+                 "--danger-full-access",
+                 "--ssh-host",
+                 "example.internal"
+               ])
+
+      Process.put({ExamplesSupport, :ssh_context}, context)
+
+      opts = ExamplesSupport.command_opts([])
+
+      assert opts[:cwd] == "/srv/codex"
+      assert opts[:sandbox] == :danger_full_access
+      assert opts[:execution_surface].surface_kind == :ssh_exec
+    after
+      Process.delete({ExamplesSupport, :ssh_context})
+    end
+  end
+
   describe "thread_opts/1" do
     test "injects skip_git_repo_check in ssh mode" do
       assert {:ok, context} = ExamplesSupport.parse_argv(["--ssh-host", "example.internal"])
@@ -138,6 +163,22 @@ defmodule Codex.ExamplesSupportTest do
     after
       Process.delete({ExamplesSupport, :ssh_context})
     end
+
+    test "injects danger-full-access when requested for examples" do
+      assert {:ok, context} =
+               ExamplesSupport.parse_argv([
+                 "--danger-full-access",
+                 "--ssh-host",
+                 "example.internal"
+               ])
+
+      Process.put({ExamplesSupport, :ssh_context}, context)
+
+      assert {:ok, thread_opts} = ExamplesSupport.thread_opts(%{})
+      assert thread_opts.sandbox == :danger_full_access
+    after
+      Process.delete({ExamplesSupport, :ssh_context})
+    end
   end
 
   describe "ensure_remote_working_directory/1" do