Add explicit Codex full-access mode

Author: xuio

.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "codex-subagents",
   "version": "0.1.0",
-  "description": "Launch OpenAI Codex agents, Spark agents, and parallel Codex subagents from Claude Code through a daemonless read-only MCP server.",
+  "description": "Launch OpenAI Codex agents, Spark agents, and parallel Codex subagents from Claude Code through a daemonless MCP server with read-only defaults and explicit full-access mode.",
   "author": {
     "name": "xuio"
   },

CHANGELOG.md

@@ -4,5 +4,6 @@
 
 - Initial Claude Code plugin for launching Codex agents through a daemonless stdio MCP server.
 - Added read-only defaults, non-interactive approvals, Codex desktop binary resolution, and per-call `project_dir`.
+- Added explicit full-access mode via `dangerously_bypass_approvals_and_sandbox`.
 - Added single-agent, parallel-agent, Spark preset, and nested Codex subagent support.
 - Added unit, MCP smoke, reliability, runtime, desktop Claude Code, and opt-in live Claude/Codex validation scripts.

README.md

@@ -4,13 +4,14 @@
 
 Claude Code plugin that exposes OpenAI Codex agents through a daemonless stdio MCP server.
 
-The plugin lets Claude Code launch one Codex agent or several Codex agents in parallel. It is designed for read-only delegation by default: codebase exploration, review, planning, risk checks, documentation mapping, and other sidecar work where Claude should collect independent Codex results without giving those agents write access.
+The plugin lets Claude Code launch one Codex agent or several Codex agents in parallel. It is designed for read-only delegation by default: codebase exploration, review, planning, risk checks, documentation mapping, and other sidecar work where Claude should collect independent Codex results without giving those agents write access. When explicitly requested, Claude can also launch Codex with the same full local capabilities as normal non-sandbox Codex.
 
 ## Defaults
 
 - Codex binary: prefers `/Applications/Codex.app/Contents/Resources/codex` when the Codex desktop app is installed, then falls back to configured overrides and `codex` on `PATH`.
 - Sandbox: `read-only`.
 - Approvals: non-interactive `approval_policy="never"`.
+- Full local access: opt in per call with `dangerously_bypass_approvals_and_sandbox: true`, which maps to Codex's `--dangerously-bypass-approvals-and-sandbox` flag and allows DNS/network access plus unrestricted file and git writes.
 - Service tier: omitted by default so Codex uses its normal account/default service tier. Pass `service_tier` only when you explicitly want one.
 - Transport: stdio MCP, launched by Claude Code for the active session. No daemon is required.
 - Prompt delivery: stdin, not command-line arguments.
@@ -45,6 +46,18 @@ To let a Codex agent spawn its own Codex subagents, pass:
 
 Custom subagents are passed to Codex as `agents.<name>...` config overrides and also materialized in a temporary Codex home for the duration of one run. The target project is not modified, and the default sandbox remains `read-only`.
 
+## Full Access Mode
+
+By default, all tools run Codex with `--sandbox read-only`. If the user explicitly asks Codex to edit files, use network/DNS, run git writes, install packages, or otherwise behave like an unrestricted local Codex run, pass:
+
+```json
+{
+  "dangerously_bypass_approvals_and_sandbox": true
+}
+```
+
+This uses Codex's `--dangerously-bypass-approvals-and-sandbox` flag. It bypasses all sandboxing and approval prompts for that Codex process, so keep it request-scoped and do not set it as a default.
+
 ## Structured Output And MCP Config
 
 Pass `output_contract` when Claude needs machine-readable Codex results:
@@ -136,7 +149,7 @@ After startup, ask Claude to use Codex subagents, or invoke the plugin skill:
 
 `codex_doctor` runs installation and safety diagnostics without invoking a model.
 
-Each agent accepts model, reasoning effort, sandbox, project directory, timeout, isolated Codex home, and output-size controls. Pass `project_dir` when Claude Code wants Codex to inspect the same repository or subdirectory Claude is currently working in. If `project_dir` is omitted, the server uses `CLAUDE_PROJECT_DIR` when Claude Code provides it. Omit model to use Codex's configured default or the plugin's optional configured default model.
+Each agent accepts model, reasoning effort, sandbox, full-access bypass, project directory, timeout, isolated Codex home, and output-size controls. Pass `project_dir` when Claude Code wants Codex to inspect the same repository or subdirectory Claude is currently working in. If `project_dir` is omitted, the server uses `CLAUDE_PROJECT_DIR` when Claude Code provides it. Omit model to use Codex's configured default or the plugin's optional configured default model.
 
 Prefer `start_agent_run` or `start_agents_run` for work that may run longer than a normal MCP request. The async job API keeps Claude responsive, supports cancellation, and avoids request failures caused by long-running Codex subprocesses.
 

SECURITY.md

@@ -7,6 +7,8 @@ This plugin launches Codex from Claude Code through a local stdio MCP server. Th
 - Prompts are sent over stdin instead of command-line arguments.
 - Custom nested subagents are written to a temporary Codex home and cleaned up after the run.
 
+Full local access is available only when a tool call explicitly sets `dangerously_bypass_approvals_and_sandbox: true`. That passes Codex's `--dangerously-bypass-approvals-and-sandbox` flag, bypassing all sandboxing and approval prompts for that process. Do not enable it for routine review or exploration.
+
 ## Reporting A Vulnerability
 
 Please report security issues through GitHub Security Advisories for this repository. If advisories are not available, open an issue with a minimal description and avoid posting secrets, tokens, private logs, or sensitive project contents.

dist/index.js

@@ -21720,6 +21720,7 @@ function tomlString(value) {
 function buildCodexExecArgs(options, outputPath, env = process.env) {
   const { model, reasoningEffort, reasoningSummary } = validateRunConfiguration(options, env);
   const sandbox = options.sandbox ?? "read-only";
+  const bypassSandbox = options.dangerouslyBypassApprovalsAndSandbox ?? false;
   const ephemeral = options.ephemeral ?? true;
   const resume = Boolean(options.resumeSessionId || options.resumeLast);
   const args = resume ? [
@@ -21737,15 +21738,18 @@ function buildCodexExecArgs(options, outputPath, env = process.env) {
     "--json",
     "--color",
     "never",
-    "--sandbox",
-    sandbox,
     "-c",
     `approval_policy=${tomlString("never")}`,
     "-c",
     `model_reasoning_effort=${tomlString(reasoningEffort)}`,
     "--output-last-message",
     outputPath
   ];
+  if (bypassSandbox) {
+    args.push("--dangerously-bypass-approvals-and-sandbox");
+  } else if (!resume) {
+    args.push("--sandbox", sandbox);
+  }
   if (model) args.push("--model", model);
   if (!resume && options.profile) args.push("--profile", options.profile);
   if (!resume && options.cwd) args.push("--cd", options.cwd);
@@ -21795,6 +21799,9 @@ function validationFailureResult(options) {
     modelPreset: options.runOptions.modelPreset,
     reasoningEffort,
     sandbox: options.runOptions.sandbox ?? "read-only",
+    dangerouslyBypassApprovalsAndSandbox: Boolean(
+      options.runOptions.dangerouslyBypassApprovalsAndSandbox
+    ),
     serviceTier: options.runOptions.serviceTier,
     exitCode: null,
     signal: null,
@@ -21833,6 +21840,9 @@ function baseFailureResult(options) {
     modelPreset: options.runOptions.modelPreset,
     reasoningEffort: options.runOptions.reasoningEffort ?? defaultReasoningEffort(options.env),
     sandbox: options.runOptions.sandbox ?? "read-only",
+    dangerouslyBypassApprovalsAndSandbox: Boolean(
+      options.runOptions.dangerouslyBypassApprovalsAndSandbox
+    ),
     serviceTier: options.runOptions.serviceTier,
     exitCode: options.exitCode ?? null,
     signal: options.signal ?? null,
@@ -22132,6 +22142,9 @@ async function runAgent(options) {
       modelPreset: options.modelPreset,
       reasoningEffort: options.reasoningEffort ?? defaultReasoningEffort(childEnv),
       sandbox: options.sandbox ?? "read-only",
+      dangerouslyBypassApprovalsAndSandbox: Boolean(
+        options.dangerouslyBypassApprovalsAndSandbox
+      ),
       serviceTier: options.serviceTier,
       exitCode,
       signal,
@@ -22672,6 +22685,7 @@ var usageGuide = [
   "",
   "Default operating rules:",
   "- Keep sandbox read-only unless the user explicitly asks for a different sandbox.",
+  "- If the user explicitly asks for non-sandbox/full local capabilities, set dangerously_bypass_approvals_and_sandbox true. This maps to Codex's --dangerously-bypass-approvals-and-sandbox flag and allows DNS/network plus unrestricted file and git writes.",
   "- Approvals are non-interactive; do not expect Codex to ask permission.",
   '- Prefer model_preset "spark" for responsive focused checks, small reviews, UI iteration, and sidecar analysis.',
   '- Use reasoning_effort "medium" by default, "low" for simple checks, and "high" or "xhigh" only for difficult analysis. Do not use "minimal"; Codex currently auto-attaches web_search and the API rejects that tool with minimal reasoning.',
@@ -22739,6 +22753,9 @@ var commonInputSchema = {
     "Codex model reasoning effort. Prefer medium by default, low for simple checks, high/xhigh only for difficult analysis. `minimal` is rejected because Codex currently auto-attaches web_search, which the API does not allow with minimal reasoning."
   ),
   sandbox: sandboxModeSchema.default("read-only").describe("Codex sandbox mode. Keep read-only unless the user explicitly asks otherwise."),
+  dangerously_bypass_approvals_and_sandbox: external_exports.boolean().default(false).describe(
+    "Bypass all Codex sandboxing and approval prompts with Codex's --dangerously-bypass-approvals-and-sandbox flag. This gives Codex normal local capabilities such as DNS/network access and unrestricted file/git writes. Only set when the user explicitly asks for non-sandbox/full-access execution."
+  ),
   service_tier: serviceTierSchema.optional().describe(
     "Optional Codex service tier. Omit by default; only set this when the user explicitly asks for a service tier."
   ),
@@ -22848,6 +22865,7 @@ function toRunOptions(args) {
     modelPreset: args.model_preset,
     reasoningEffort: args.reasoning_effort,
     sandbox: args.sandbox,
+    dangerouslyBypassApprovalsAndSandbox: args.dangerously_bypass_approvals_and_sandbox,
     serviceTier: args.service_tier,
     modelVerbosity: args.model_verbosity,
     reasoningSummary: args.reasoning_summary,
@@ -22892,6 +22910,7 @@ function toParallelRunOptions(args) {
       modelPreset: agent.model_preset ?? args.model_preset,
       reasoningEffort: agent.reasoning_effort ?? args.reasoning_effort,
       sandbox: agent.sandbox ?? args.sandbox,
+      dangerouslyBypassApprovalsAndSandbox: agent.dangerously_bypass_approvals_and_sandbox ?? args.dangerously_bypass_approvals_and_sandbox,
       serviceTier: agent.service_tier ?? args.service_tier,
       modelVerbosity: agent.model_verbosity ?? args.model_verbosity,
       reasoningSummary: agent.reasoning_summary ?? args.reasoning_summary,
@@ -22977,7 +22996,7 @@ server.registerTool(
   "run_agent",
   {
     title: "Run one Codex agent",
-    description: "Launch one OpenAI Codex agent via codex exec. Use automatically when the user asks Claude to use Codex, ask Codex, get a Codex second opinion, run a Codex subagent, use Codex Spark, or delegate one read-only analysis task. Defaults to the Codex desktop app binary when installed, read-only sandbox, Codex's normal service tier, and non-interactive approvals.",
+    description: "Launch one OpenAI Codex agent via codex exec. Use automatically when the user asks Claude to use Codex, ask Codex, get a Codex second opinion, run a Codex subagent, use Codex Spark, or delegate one read-only analysis task. Defaults to the Codex desktop app binary when installed, read-only sandbox, Codex's normal service tier, and non-interactive approvals. For explicit non-sandbox/full-access requests, set dangerously_bypass_approvals_and_sandbox true.",
     inputSchema: {
       prompt: external_exports.string().min(1).describe(
         "Concrete instructions for the Codex agent. Include scope, read-only expectation, desired output shape, and file/line reference requirements when reviewing code."
@@ -23043,6 +23062,7 @@ var parallelAgentSchema = external_exports.object({
   model_preset: commonInputSchema.model_preset,
   reasoning_effort: commonInputSchema.reasoning_effort,
   sandbox: commonInputSchema.sandbox.optional(),
+  dangerously_bypass_approvals_and_sandbox: commonInputSchema.dangerously_bypass_approvals_and_sandbox.optional(),
   service_tier: commonInputSchema.service_tier.optional(),
   model_verbosity: commonInputSchema.model_verbosity,
   reasoning_summary: commonInputSchema.reasoning_summary,
@@ -23073,7 +23093,7 @@ server.registerTool(
   "run_agents",
   {
     title: "Run parallel Codex agents",
-    description: "Launch multiple independent OpenAI Codex agents concurrently and return one structured result per agent. Use automatically when the user asks for parallel Codex agents, multiple Codex subagents, broad review by independent agents, or several concurrent Codex workstreams. Split work by clear ownership, pass project_dir, keep defaults read-only, and use max_parallel to bound concurrency.",
+    description: "Launch multiple independent OpenAI Codex agents concurrently and return one structured result per agent. Use automatically when the user asks for parallel Codex agents, multiple Codex subagents, broad review by independent agents, or several concurrent Codex workstreams. Split work by clear ownership, pass project_dir, keep defaults read-only, and use max_parallel to bound concurrency. For explicit non-sandbox/full-access requests, set dangerously_bypass_approvals_and_sandbox true.",
     inputSchema: {
       agents: external_exports.array(parallelAgentSchema).min(1).max(12).describe(
         "Independent Codex agent tasks. Use names like api, tests, security, docs, performance, or ui when helpful."
@@ -23385,6 +23405,7 @@ server.registerTool(
         defaultModel: defaultModel(),
         defaultReasoningEffort: defaultReasoningEffort(),
         defaultSandbox: "read-only",
+        fullAccessFlag: "dangerously_bypass_approvals_and_sandbox",
         defaultServiceTier: "codex-default",
         modelPresets: {
           codex: "gpt-5.3-codex",
@@ -23452,6 +23473,7 @@ server.registerTool(
       ok: defaultReasoningEffort() !== "minimal",
       detail: {
         sandbox: "read-only",
+        dangerouslyBypassApprovalsAndSandbox: false,
         approvalPolicy: "never",
         defaultModel: defaultModel(),
         defaultReasoningEffort: defaultReasoningEffort(),
@@ -23465,6 +23487,8 @@ server.registerTool(
       supported: {
         modelPresets,
         reasoningEfforts,
+        sandboxModes,
+        fullAccessFlag: "dangerously_bypass_approvals_and_sandbox",
         outputContracts,
         mcpConfigPolicies
       }
@@ -23475,7 +23499,7 @@ server.registerPrompt(
   "codex_agent",
   {
     title: "Delegate to one Codex agent",
-    description: "Prompt Claude to launch one read-only Codex agent through this MCP server.",
+    description: "Prompt Claude to launch one Codex agent through this MCP server; read-only by default.",
     argsSchema: {
       prompt: external_exports.string().describe("Task for the Codex agent."),
       model: external_exports.string().optional().describe("Optional Codex model."),
@@ -23491,7 +23515,8 @@ server.registerPrompt(
           type: "text",
           text: [
             "Use the codex-subagents MCP tool `run_agent` for this task.",
-            "Keep the sandbox read-only unless I explicitly say otherwise.",
+            "Keep the sandbox read-only unless I explicitly ask for another sandbox or full non-sandbox access.",
+            "For full non-sandbox access, set dangerously_bypass_approvals_and_sandbox true.",
             model ? `Use model ${model}.` : "Use the configured Codex model default.",
             model_preset ? `Use model_preset ${model_preset}.` : "",
             reasoning_effort ? `Use reasoning_effort ${reasoning_effort}.` : "Use reasoning_effort medium unless the task clearly needs more.",
@@ -23507,7 +23532,7 @@ server.registerPrompt(
   "codex_parallel",
   {
     title: "Delegate to parallel Codex agents",
-    description: "Prompt Claude to split independent work across multiple read-only Codex agents through this MCP server.",
+    description: "Prompt Claude to split independent work across multiple Codex agents through this MCP server; read-only by default.",
     argsSchema: {
       prompt: external_exports.string().describe("Parallel delegation request."),
       max_parallel: external_exports.string().optional().describe("Optional max parallelism."),
@@ -23522,7 +23547,8 @@ server.registerPrompt(
           type: "text",
           text: [
             "Use the codex-subagents MCP tool `run_agents` for this task.",
-            "Create one agent object per independent workstream and run them read-only.",
+            "Create one agent object per independent workstream and run them read-only unless I explicitly ask for full non-sandbox access.",
+            "For full non-sandbox access, set dangerously_bypass_approvals_and_sandbox true.",
             max_parallel ? `Use max_parallel ${max_parallel}.` : "Use max_parallel 4 unless fewer agents are needed.",
             model_preset ? `Use model_preset ${model_preset} unless an agent needs a different model.` : "",
             "Ask each Codex agent for concise findings with file paths and line references when relevant.",