
feat(core): persist network approvals in execpolicy #12357

Merged: viyatb-oai merged 22 commits into main from codex/viyatb/network-approvals-core on Feb 24, 2026


@viyatb-oai viyatb-oai commented Feb 20, 2026

Summary

Persist network approval allow/deny decisions as network_rule(...) entries in execpolicy (not proxy config)

It adds network_rule parsing + append support in codex-execpolicy, including decision="prompt" (parse-only; not compiled into proxy allow/deny lists)

  • compile execpolicy network rules into proxy allow/deny lists and update the live proxy state on approval
  • preserve requirements execpolicy network_rule(...) entries when merging with file-based execpolicy
  • reject broad wildcard hosts (for example *) for persisted network_rule(...)
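The compile step the summary describes, as an added sketch that is not the PR's code: the `Decision`, `ProxyLists`, `validate_host` and `compile` names are hypothetical. It assumes "broad" means any wildcard other than a leading `*.` followed by at least two labels, and that a later allow/deny for the same host replaces an earlier one.

```rust
// Added illustration: names and types are hypothetical, not codex-execpolicy's API.
use std::collections::BTreeSet;

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Decision { Allow, Deny, Prompt }

#[derive(Debug, Default, PartialEq)]
pub struct ProxyLists { pub allow: BTreeSet<String>, pub deny: BTreeSet<String> }

/// Normalize a host and reject patterns too broad to persist.
/// Assumption: only a leading `*.` wildcard over two or more labels is accepted.
pub fn validate_host(raw: &str) -> Result<String, String> {
    let host = raw.trim().trim_end_matches('.').to_ascii_lowercase();
    let rest = host.strip_prefix("*.").unwrap_or(host.as_str());
    let labels = rest.split('.').filter(|l| !l.is_empty()).count();
    if host.is_empty() || rest.contains('*') || (host.starts_with("*.") && labels < 2) {
        return Err(format!("host pattern rejected: {raw:?}"));
    }
    Ok(host)
}

/// Compile rules in order. Allow/deny rules move the host into the target list
/// and out of the opposite one (last decision wins, an assumption of this
/// sketch); prompt rules are validated but never compiled into either list.
pub fn compile(rules: &[(&str, Decision)]) -> Result<ProxyLists, String> {
    let mut lists = ProxyLists::default();
    for (raw, decision) in rules {
        let host = validate_host(raw)?;
        let (target, opposite) = match decision {
            Decision::Allow => (&mut lists.allow, &mut lists.deny),
            Decision::Deny => (&mut lists.deny, &mut lists.allow),
            Decision::Prompt => continue,
        };
        opposite.remove(&host);
        target.insert(host);
    }
    Ok(lists)
}

fn main() {
    // Constructed sample rules, not taken from the PR.
    let rules = [
        ("api.example.com", Decision::Allow),
        ("tracker.example.net", Decision::Deny),
        ("API.example.com.", Decision::Deny), // same host after normalization
        ("pkg.example.org", Decision::Prompt),
    ];
    println!("{:?}", compile(&rules));
    println!("{:?}", compile(&[("*", Decision::Allow)]));
}
```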


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 66af14c3f9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".


@dylan-hurd-oai dylan-hurd-oai left a comment


Couple smaller comments - then would like to add some integration tests for this! Similar to approvals.rs

Once these are addressed, looks good

@viyatb-oai

Adding an allow positive test needed harness changes in how the cloud requirements are set up in the test, so skipped that.

@viyatb-oai viyatb-oai enabled auto-merge (squash) February 24, 2026 05:37

let mut candidate = previous_cfg.clone();
let (target_entries, opposite_entries) = target.split_lists(&mut candidate);
let (target_entries, opposite_entries) = candidate.split_domain_lists_mut(target);
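
Review bot: the `(target_entries, opposite_entries)` pair is bound purely by position from `candidate.split_domain_lists_mut(target)`, so if the helper ever returns the two lists in the other order for one target, an approved host would land in the opposite list with no compile error (assuming both elements have the same type). Suggest returning a small struct with named fields, or documenting the order on the method, and adding a unit test that checks the result for both the allow and the deny target.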

This is not blocking, but I'm curious about this abstraction and if we can simplify this to avoid passing around mutable references - can fix in a follow-up PR.

@viyatb-oai viyatb-oai merged commit c3048ff into main Feb 24, 2026
148 of 167 checks passed
@viyatb-oai viyatb-oai deleted the codex/viyatb/network-approvals-core branch February 24, 2026 05:37
@github-actions github-actions bot locked and limited conversation to collaborators Feb 24, 2026