Skip to content

feat(core): persist network approvals in execpolicy#12357

Merged
viyatb-oai merged 22 commits intomainfrom
codex/viyatb/network-approvals-core
Feb 24, 2026
Merged

feat(core): persist network approvals in execpolicy#12357
viyatb-oai merged 22 commits intomainfrom
codex/viyatb/network-approvals-core

Conversation

@viyatb-oai
Copy link
Collaborator

@viyatb-oai viyatb-oai commented Feb 20, 2026
edited
Loading

Summary

Persist network approval allow/deny decisions as network_rule(...) entries in execpolicy (not proxy config)

It adds network_rule parsing + append support in codex-execpolicy, including decision="prompt" (parse-only; not compiled into proxy allow/deny lists)

  • compile execpolicy network rules into proxy allow/deny lists and update the live proxy state on approval
  • preserve requirements execpolicy network_rule(...) entries when merging with file-based execpolicy
  • reject broad wildcard hosts (for example *) for persisted network_rule(...)

This was referenced Feb 20, 2026
Merged
Closed
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Feb 20, 2026
View reviewed changes
Copy link
Contributor

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 66af14c3f9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

dylan-hurd-oai
dylan-hurd-oai reviewed Feb 22, 2026
View reviewed changes
dylan-hurd-oai
dylan-hurd-oai reviewed Feb 23, 2026
View reviewed changes
Copy link
Collaborator

@dylan-hurd-oai dylan-hurd-oai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple smaller comments - then would like to add some integration tests for this! Similar to approvals.rs

Once these are addressed, looks good

@viyatb-oai
Copy link
Collaborator Author

viyatb-oai commented Feb 23, 2026

adding a allow positive test needed harness changes in how the cloud requirements are setup in the test, so skipped that.

@viyatb-oai viyatb-oai enabled auto-merge (squash) February 24, 2026 05:37
dylan-hurd-oai
dylan-hurd-oai reviewed Feb 24, 2026
View reviewed changes
codex-rs/network-proxy/src/runtime.rs

let mut candidate = previous_cfg.clone();
let (target_entries, opposite_entries) = target.split_lists(&mut candidate);
let (target_entries, opposite_entries) = candidate.split_domain_lists_mut(target);
Copy link
Collaborator

@dylan-hurd-oai dylan-hurd-oai Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not blocking, but I'm curious about this abstraction and if we can simplify this to avoid passing around mutable references - can fix in a follow-up PR.

@viyatb-oai viyatb-oai merged commit c3048ff into main Feb 24, 2026
148 of 167 checks passed
@viyatb-oai viyatb-oai deleted the codex/viyatb/network-approvals-core branch February 24, 2026 05:37
@github-actions github-actions bot locked and limited conversation to collaborators Feb 24, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@dylan-hurd-oai dylan-hurd-oai dylan-hurd-oai approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@viyatb-oai @dylan-hurd-oai