Skip to content

feat: add support for /etc/codex/requirements.toml on UNIX #8277

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bolinfest merged 1 commit into from
Dec 18, 2025
Merged

feat: add support for /etc/codex/requirements.toml on UNIX #8277

bolinfest merged 1 commit into from
Dec 18, 2025
+186 −16

Conversation

@bolinfest
Copy link
Collaborator

@bolinfest bolinfest commented Dec 18, 2025
edited
Loading

This implements the new config design where config requirements are loaded separately (and with a special schema) as compared to config settings. In particular, on UNIX, with this PR, you could define /etc/codex/requirements.toml with:

allowed_approval_policies = ["never", "on-request"]

to enforce that Config.approval_policy must be one of those two values when Codex runs.

We plan to expand the set of things that can be restricted by /etc/codex/requirements.toml in short order.

Note that requirements can come from several sources:

  • new MDM key on macOS (not implemented yet)
  • /etc/codex/requirements.toml
  • re-interpretation of legacy MDM key on macOS (com.openai.codex/config_toml_base64)
  • re-interpretation of legacy /etc/codex/managed_config.toml

So our resolution strategy is to load TOML data from those sources, in order. Later TOMLs are "merged" into previous TOMLs, but any field that is already set cannot be overwritten. See ConfigRequirementsToml::merge_unset_fields().

@bolinfest bolinfest requested a review from shijie-oai December 18, 2025 21:08
shijie-oai
shijie-oai reviewed Dec 18, 2025
View reviewed changes
codex-rs/core/src/config_loader/mod.rs

/// If available, apply requirements from `/etc/codex/requirements.toml` to
/// `config_requirements_toml` by filling in any unset fields.
async fn load_requirements_toml(
Copy link
Collaborator

@shijie-oai shijie-oai Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Side note: we should also consider (and I think we are) exposing requirements config in CLI and app-server to show only available options (i.e. sandbox policies).

@bolinfest bolinfest merged commit 2f048f2 into main Dec 18, 2025
50 of 52 checks passed
@bolinfest bolinfest deleted the pr8277 branch December 18, 2025 21:36
@github-actions github-actions bot locked and limited conversation to collaborators Dec 18, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@shijie-oai shijie-oai shijie-oai approved these changes

@gt-oai gt-oai Awaiting requested review from gt-oai

@gverma-openai gverma-openai Awaiting requested review from gverma-openai

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bolinfest @shijie-oai