Add workspace metadata shell preflight #19848
Closed
evawong-oai wants to merge 2 commits into main from
Conversation
evawong-oai added a commit that referenced this pull request, Apr 28, 2026:

## Summary

Make FileSystemSandboxPolicy the semantic source of truth for project root metadata protection. Under writable roots, `.git`, `.codex`, and `.agents` stay protected unless user policy grants an explicit write rule for that metadata path.

## Scope

1. Add `protected_metadata_names` to `WritableRoot`.
2. Teach `FileSystemSandboxPolicy::can_write_path_with_cwd` to reject protected metadata writes under writable roots unless explicitly allowed.
3. Default workspace write profiles to protect `.git`, `.codex`, and `.agents`.
4. Add the Linux fallback setup needed before Linux enforcement lands later in the stack.

## Reviewer Focus

1. The policy decision belongs in FileSystemSandboxPolicy, not shell command parsing.
2. Legacy SandboxPolicy remains a compatibility projection, not the source of the new rule.
3. Explicit user write rules can still opt into these metadata paths.

## Stack

1. Policy primitive: this PR
2. macOS Seatbelt adapter: #19847
3. Shell preflight UX: #19848
4. Runtime profile propagation: #19849
5. Linux bubblewrap adapter: #19852

## Validation

1. codex protocol permissions tests
2. formatting for codex protocol and codex linux sandbox
3. diff whitespace check
evawong-oai added a commit that referenced this pull request, Apr 28, 2026:

## Summary

Translate FileSystemSandboxPolicy project root metadata carveouts into macOS Seatbelt rules.

## Scope

1. Thread protected metadata names into Seatbelt access roots.
2. Ask FileSystemSandboxPolicy whether each metadata carveout is writable.
3. Emit Seatbelt deny rules that block creating or replacing protected metadata names under writable roots.
4. Add coverage for first time metadata creation and read only carveouts.

## Reviewer Focus

1. This PR only covers the macOS sandbox adapter.
2. The policy decision comes from FileSystemSandboxPolicy.
3. Read only subpath carveouts and metadata protection checks should compose cleanly.

## Stack

1. Policy primitive: #19846
2. macOS Seatbelt adapter: this PR
3. Shell preflight UX: #19848
4. Runtime profile propagation: #19849
5. Linux bubblewrap adapter: #19852

## Validation

1. formatting for codex sandboxing
2. codex sandboxing package tests
Base automatically changed from codex/bugb15632-seatbelt-preserved-paths to main, April 28, 2026 17:13
Codex Review (automated, Contributor)
Here are some automated review suggestions for this pull request.
Reviewed commit: 74f29c7e2d
viyatb-oai reviewed Apr 28, 2026
viyatb-oai reviewed Apr 28, 2026
viyatb-oai reviewed Apr 28, 2026
bolinfest reviewed Apr 28, 2026
bolinfest reviewed Apr 28, 2026
## Summary

Add an early user-facing check that explains simple literal shell redirections into protected project root metadata. The check uses FileSystemSandboxPolicy for the protected metadata names and message.

## Scope

## Reviewer Focus

## Stack

## Validation
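Added illustration, not code from the codex repository: a Rust sketch of the policy primitive from the #19846 commit message above (protected metadata names on a writable root, explicit write rules opting back in) together with the literal-redirection preflight this PR's Summary describes. All type and function names are assumed stand-ins for the real `WritableRoot`, `FileSystemSandboxPolicy` and `can_write_path_with_cwd`, as is the choice that only direct children of a writable root count as project root metadata and that an opt-in rule must sit at or below the metadata path. The command strings are constructed sample input.

```rust
use std::path::{Component, Path, PathBuf};

/// Stand-ins for the WritableRoot / FileSystemSandboxPolicy pair in the #19846 commit
/// message; names and shapes are assumptions, not codex's real types.
pub struct WritableRoot {
    pub root: PathBuf,
    /// Names such as ".git" that stay read-only directly under `root` unless an
    /// explicit write rule covers them. Assumption: only direct children count.
    pub protected_metadata_names: Vec<String>,
}

pub struct FileSystemSandboxPolicy {
    pub writable_roots: Vec<WritableRoot>,
    pub explicit_write_rules: Vec<PathBuf>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum WriteDecision {
    Allowed,
    OutsideWritableRoots,
    ProtectedMetadata { root: PathBuf, name: String },
}

/// Lexically normalize `path` against `cwd`: absolutize, drop `.`, fold `..`.
/// Symlinks are not followed, so the OS sandbox stays the enforcement backstop.
pub fn normalize(path: &Path, cwd: &Path) -> PathBuf {
    let joined = if path.is_absolute() { path.to_path_buf() } else { cwd.join(path) };
    let mut out = PathBuf::new();
    for c in joined.components() {
        match c {
            Component::ParentDir => { out.pop(); }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

impl FileSystemSandboxPolicy {
    pub fn can_write_path_with_cwd(&self, path: &Path, cwd: &Path) -> WriteDecision {
        let target = normalize(path, cwd);
        for wr in &self.writable_roots {
            let rel = match target.strip_prefix(&wr.root) { Ok(r) => r, Err(_) => continue };
            if let Some(Component::Normal(first)) = rel.components().next() {
                let name = first.to_string_lossy().into_owned();
                if wr.protected_metadata_names.contains(&name) {
                    // Opt-in needs a rule at or below the metadata path itself; a blanket
                    // rule for the whole root does not count (assumption).
                    let meta_dir = wr.root.join(&name);
                    let opted_in = self.explicit_write_rules.iter()
                        .any(|r| r.starts_with(&meta_dir) && target.starts_with(r));
                    if !opted_in {
                        return WriteDecision::ProtectedMetadata { root: wr.root.clone(), name };
                    }
                }
            }
            return WriteDecision::Allowed;
        }
        WriteDecision::OutsideWritableRoots
    }
}

/// Default workspace-write profile from the stack: protect .git, .codex and .agents.
pub fn workspace_write_policy(root: &str) -> FileSystemSandboxPolicy {
    let names = [".git", ".codex", ".agents"].iter().map(|s| s.to_string()).collect();
    let wr = WritableRoot { root: PathBuf::from(root), protected_metadata_names: names };
    FileSystemSandboxPolicy { writable_roots: vec![wr], explicit_write_rules: Vec::new() }
}

/// If `tok` is an output redirection (`>`, `>>`, `>|`, `1>`, `2>>`, `&>`), return what
/// follows the operator inside the token ("" when the target is the next token).
fn split_redirect(tok: &str) -> Option<&str> {
    let rest = tok.trim_start_matches(|c: char| c.is_ascii_digit() || c == '&').strip_prefix('>')?;
    Some(rest.strip_prefix('>').or_else(|| rest.strip_prefix('|')).unwrap_or(rest))
}

/// Targets of simple literal redirections only: words the shell would still expand
/// ($var, `cmd`, globs, ~) and fd duplications such as `2>&1` are skipped, so the
/// preflight explains the obvious case and never substitutes for sandbox enforcement.
pub fn literal_redirect_targets(cmd: &str) -> Vec<String> {
    let toks: Vec<&str> = cmd.split_whitespace().collect();
    let (mut out, mut i) = (Vec::new(), 0);
    while i < toks.len() {
        if let Some(rest) = split_redirect(toks[i]) {
            let raw = if rest.is_empty() { i += 1; toks.get(i).copied().unwrap_or("") } else { rest };
            let word = raw.trim_matches(|c: char| c == '\'' || c == '"');
            let literal = !word.is_empty() && !word.starts_with('&')
                && !word.contains(|c: char| "$`*?[~".contains(c));
            if literal { out.push(word.to_string()); }
        }
        i += 1;
    }
    out
}

/// Preflight: one explanation per literal redirection that would hit protected metadata.
pub fn preflight_redirects(policy: &FileSystemSandboxPolicy, cmd: &str, cwd: &Path) -> Vec<String> {
    literal_redirect_targets(cmd).into_iter().filter_map(|t| match policy.can_write_path_with_cwd(Path::new(&t), cwd) {
        WriteDecision::ProtectedMetadata { root, name } => Some(format!(
            "`{t}` writes into `{name}` under {}, which stays read-only unless an explicit write rule allows it", root.display())),
        _ => None,
    }).collect()
}
```

The policy check folds `..` lexically, so `src/../.git/config` run from the workspace is still explained, but a symlink pointing into `.git` is invisible to it; that is why the stack keeps the decision in the policy and the enforcement in the Seatbelt and bubblewrap adapters, with this preflight serving only as the early user-facing message. The redirection scanner is deliberately conservative: `'$HOME'` in single quotes would be literal to the shell but is skipped here, and a target glued to a preceding word (`foo>bar`) is not recognised at all, so a miss means "no early message", never "write allowed".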