Restore safe defaults for Codex sandbox and execution checkout by ganesh47 · Pull Request #59 · ganesh47/cstack

ganesh47 · 2026-04-23T04:49:13Z

A change had made insecure defaults so codex.sandbox was danger-full-access and workflows.build/ship/deliver.allowDirty defaulted to true, causing untrusted runs to get full host filesystem/network access and execute directly in the source checkout.
Restore safer, least-privilege defaults so runs are isolated and the Codex process runs with a constrained sandbox unless explicitly opted-in.

Reverted the default Codex sandbox to workspace-write by updating DEFAULT_CONFIG.codex.sandbox in src/config.ts.
Defaulted allowDirty to false for build, ship, and deliver in src/config.ts so execution checkouts are isolated unless --allow-dirty or explicit config is used.
Updated runtime messaging to remove language implying “dangerous-by-default” behavior in src/runtime-config.ts, src/commands/build.ts, src/commands/ship.ts, src/commands/deliver.ts, and src/inspector.ts so output reflects the neutral/default policy and --safe semantics.
Updated documentation and tests to match the restored behavior: README.md guidance and tests under test/config.test.ts, test/build.test.ts, and test/deliver.test.ts now assert isolated checkouts and workspace-write sandbox by default.

Ran npx vitest run test/config.test.ts -t "provides stable deliver GitHub defaults" and it passed.
Ran npx vitest run test/build.test.ts -t "uses an isolated checkout and workspace-write by default when sandbox and allowDirty are not configured" and it passed.
Ran npx vitest run test/deliver.test.ts -t "uses an isolated checkout and workspace-write by default when sandbox and allowDirty are not configured" and it passed.

Restore safe default sandbox and isolated execution

e6014ae

ganesh47 added aardvark codex labels Apr 23, 2026 — with ChatGPT Codex Connector

Provide feedback