feat(codex): first-class Codex CLI skill runtime#902
Open
dpol1 wants to merge 5 commits into
Open
Conversation
…y profile The .codex/ profile makes Codex a first-class Magpie runtime (issue apache#313): config.toml pins the workspace-write sandbox with workspace network access disabled and on-request approvals, loaded only after the operator trusts the project; rules/magpie.rules is the human-in-the-loop layer — scoped read-only GitHub operations are allowed, known remote mutations prompt, and credential disclosure (gh auth token|refresh) is forbidden. Signed-off-by: Davide Polato <dpol1@apache.org>
The new mode lints .codex/config.toml and rules/magpie.rules as one contract: workspace-write sandbox, workspace network access off, on-request approvals, and representative exec-policy coverage (remote mutations prompt, gh auth token forbidden, a scoped read-only allow rule present, gh release download never unconditionally allowed). Invariants only — unrelated adopter Codex configuration is preserved. The rule parser strips full-line comments before splitting on declaration starts, so a commented-out rule cannot satisfy an invariant and a ')' inside a justification cannot truncate a block. Codex leaves the harness-neutral posture lists now that it has a dedicated mode. Signed-off-by: Davide Polato <dpol1@apache.org>
docs/adapters/codex.md is the operator contract: skill discovery from the canonical .agents/skills tree, install and verify lifecycle, the sandbox and HITL security model, the explicit deterministic-guard gap (agent-guard stays reachable only via its harness-neutral --check/--exec modes), and the trust boundary. Codex is labelled experimental everywhere it is promoted (prerequisites, adapter registry, vendor-neutrality) until a minimum tested runtime version and an adopter pilot are recorded; the secure-agent-setup doc routes Codex readers to the adapter before the Claude-only sections. Signed-off-by: Davide Polato <dpol1@apache.org>
… the adopter lifecycle Each of the four setup-isolated skills now starts with a runtime-routing section: a Codex session follows the adapter's install/verify/update/ doctor branch and never treats a missing .claude file as a failure; the Claude Code branch is unchanged. The magpie-setup lifecycle handles the committed Codex policy end to end — adopt merges config.toml and magpie.rules preserving unrelated keys and validates with sandbox-lint --codex, verify gains check 8g, upgrade reports policy drift without auto-weakening, and unadopt removes only Magpie-owned values while never touching Codex project trust. Signed-off-by: Davide Polato <dpol1@apache.org>
…ime spec One single-case runtime-routing suite per setup-isolated skill asserts the new routing step: a Codex session must follow the Codex adapter, not require .claude files, and stop before the Claude-specific branch. The spec-loop entry records the contract, acceptance criteria, validation commands, and known gaps of the experimental Codex runtime. Signed-off-by: Davide Polato <dpol1@apache.org>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
.codex/config.toml(workspace-write, network off, on-request approvals) and.codex/rules/magpie.rules(scoped read allows, prompted remote mutations, forbidden credential disclosure).sandbox-lint --codexvalidates both statically..agents/skillssymlinks natively, so SKILL.md stays the single source. The setup and setup-isolated skills route Codex sessions to explicit Codex steps before any Claude-only branch, and new eval fixtures pin that routing.Type of change
.claude/skills/<name>/) — eval fixtures updated belowtools/<system>/*.md)tools/*/withpyproject.toml)docs/,README.md,CONTRIBUTING.md)projects/_template/)prek, workflows, validators)Test plan
prek run --all-filespasses (all hooks green, includingcheck-placeholders,symlink-lint, workspace ruff/mypy/pytest,skill-and-tool-validate,spec-validate)uv run pytest(103 passed intools/sandbox-lint, including the newtests/test_codex.pyinvariant cases for tampered configs and rules) /ruff check/mypyall clean(`PYTHONPATH=tools/skill-evals/src python3 -m skill_evals.runner tools/skill-evals/e
(runtime-routing suites for all four
setup-isolated-setup-*skills, each with acg the Codex branch is taken and no.claude` file is treated as a failure)/skillsdiscovery,$magpie-security-issue-triageinvocation, approval prompt on aghmutation)RFC-AI-0004 compliance
(
approval_policy = "on-request"; exec-policy rules prompt ongh pr/gh issuemu(
workspace-writewithnetwork_access = false; networked bridges cross the native<PROJECT>,<tracker>,<upstream>,<security-list>) used in all skill / tool prose (thecheck-placeholdersprek hook is the mechanical gate)Linked issues
Closes #313.
Notes for reviewers (optional)
.claude/skills. Codex follows the existing.agents/skillssymlinks, so nothing is duplicated. If that call looks wrong, the runtime-contract table indocs/adapters/codex.mdis the place to push back.sandbox-lintparsesmagpie.rulesby splitting onprefix_rule(after dropping commeeal Starlark parser. Deliberate trade-off: the invariants only need block-level matching,and a parser dependency felt heavier than the problem. Tampering cases are covered intests/test_codex.py.