Skip to content

fix(codex): allow sandboxed Kanban worker handoffs#26212

Closed
hehehe0803 wants to merge 1 commit into
NousResearch:mainfrom
hehehe0803:fix/codex-kanban-writable-root
Closed

fix(codex): allow sandboxed Kanban worker handoffs#26212
hehehe0803 wants to merge 1 commit into
NousResearch:mainfrom
hehehe0803:fix/codex-kanban-writable-root

Conversation

@hehehe0803

@hehehe0803 hehehe0803 commented May 15, 2026

Copy link
Copy Markdown
Contributor

Summary

  • keep Codex app-server Kanban workers inside workspace-write sandboxing
  • add the active Kanban board directory as the only extra writable root when HERMES_KANBAN_TASK is present
  • update Codex app-server runtime docs to describe the per-board SQLite DB handoff path

Fixes #26203

Test Plan

  • python -m pytest tests/agent/transports/test_codex_app_server_runtime.py -q
  • Kanban smoke board codex-runtime-orchestration-smoke-2 completed with backend-worker, frontend-worker, and fullstack-worker
  • Real-world portfolio_tracker frontend worker smoke completed in isolated worktree

Security notes

This avoids the brittle workaround of using :danger-no-sandbox. The override is scoped to Codex app-server workers with HERMES_KANBAN_TASK set, forces sandbox_mode="workspace-write", disables network, and adds only the current board directory derived from HERMES_KANBAN_DB as writable.

@alt-glitch alt-glitch added type/bug Something isn't working P2 Medium — degraded but workaround exists comp/agent Core agent loop, run_agent.py, prompt builder labels May 15, 2026
NishantEC

This comment was marked as outdated.

Sign in to view

@teknium1 teknium1 mentioned this pull request May 17, 2026
Merged
teknium1 added a commit that referenced this pull request May 17, 2026
@teknium1
chore(release): map hehehe0803 email for #26212 salvage
ee7cd10
@teknium1

teknium1 commented May 17, 2026

Copy link
Copy Markdown
Contributor

Merged via #27557 with your authorship preserved via rebase-merge. Commit 4a7cd2e16 is on main. Thanks for the fix!

@teknium1 teknium1 closed this May 17, 2026
gweeteve pushed a commit to gweeteve/hermes-agent that referenced this pull request Jun 2, 2026
@teknium1
chore(release): map hehehe0803 email for NousResearch#26212 salvage
6c093d2
@teknium1 teknium1 mentioned this pull request Jun 12, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@NishantEC NishantEC NishantEC left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

comp/agent Core agent loop, run_agent.py, prompt builder P2 Medium — degraded but workaround exists type/bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Codex app-server Kanban workers cannot complete tasks under sandbox without board DB writable root

4 participants

@hehehe0803 @teknium1 @NishantEC @alt-glitch