Change codex command option to '--yolo'#105
Closed
reyoung wants to merge 3 commits into
Closed
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the _build_codex_command method in the Codex provider to include the --yolo flag when constructing the codex CLI command.
Changes:
- Added
--yoloflag to the codex command construction
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
|
Thanks for the awesome PR @reyoung. This is a valid gap. Claude Code already hardcodes A couple asks before we can merge:
# --yolo (alias for --dangerously-bypass-approvals-and-sandbox):
# bypass approval prompts and sandboxing. CAO agents run in
# non-interactive tmux sessions where interactive approval prompts
# block handoff/assign flows. This mirrors Claude Code's
# --dangerously-skip-permissions and Gemini CLI's --yolo flags.
|
haofeif
requested changes
Mar 10, 2026
haofeif
left a comment
Contributor
There was a problem hiding this comment.
Please address the PR feedback, many thanks for all your help!
Contributor
Hi @reyoung do you get a chance to address the feedback pls ? Many thanks |
haofeif
added a commit
that referenced
this pull request
Mar 21, 2026
Merges the intent of PR #105. CAO agents run in non-interactive tmux sessions where Codex's interactive approval prompts block handoff/assign flows. The --yolo flag (alias for --dangerously-bypass-approvals-and-sandbox) mirrors Claude Code's --dangerously-skip-permissions and Gemini CLI's --yolo flags. E2E results: 5/8 passed. 3 failures are pre-existing Codex model behavior issues (timeouts, supervisor not calling MCP tools) unrelated to this change. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
6 tasks
haofeif
added a commit
that referenced
this pull request
Mar 31, 2026
#125) * feat(security): add allowedTools — universal tool restriction across all providers Add role-based tool restrictions that translate CAO's unified tool vocabulary (execute_bash, fs_read, fs_write, fs_*, @cao-mcp-server) to each provider's native enforcement mechanism: - Q CLI / Kiro CLI: allowedTools in agent JSON (install time) - Claude Code: --disallowedTools flags alongside --dangerously-skip-permissions - Copilot CLI: --deny-tool flags override --allow-all - Gemini CLI: Policy Engine TOML deny rules in ~/.gemini/policies/ - Kimi CLI / Codex: Security system prompt (soft enforcement) Key changes: - AgentProfile: add role field (supervisor/developer/reviewer) - Constants: ROLE_TOOL_DEFAULTS with per-role defaults - launch.py: --allowed-tools and --yolo CLI flags, confirmation prompt - New utils/tool_mapping.py: CAO-to-native tool name translation - All 7 providers: native restriction flags in command builders - Database: allowed_tools column for cross-provider inheritance - MCP server: allowed_tools inheritance for handoff/assign - Built-in profiles: role + allowedTools frontmatter + security constraints - SECURITY.md: full documentation of tool restriction system - E2E tests: file-based bash execution proof across all providers Gemini CLI enforcement uses Policy Engine deny rules (not deprecated excludeTools) which work even in --yolo mode by completely excluding denied tools from the model's memory. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs: add tool restrictions documentation - README.md: add Tool Restrictions section with role defaults, usage examples, and provider enforcement table - docs/tool-restrictions.md: comprehensive guide covering unified CLI (--allowed-tools, --yolo), role-based defaults, CAO tool vocabulary, resolution order, per-provider behavior matrix, cross-provider inheritance, and security recommendations - docs/agent-profile.md: add role field, allowedTools documentation, tool vocabulary reference, and resolution order - docs/gemini-cli.md: add Tool Restrictions section explaining Policy Engine TOML deny rules and why excludeTools was replaced Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * style: apply black formatting to pass CI code quality checks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * style: fix isort import ordering in test_allowed_tools.py Move `from pathlib import Path` to stdlib import group. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat(codex): add --yolo flag to bypass approval prompts in tmux sessions Merges the intent of PR #105. CAO agents run in non-interactive tmux sessions where Codex's interactive approval prompts block handoff/assign flows. The --yolo flag (alias for --dangerously-bypass-approvals-and-sandbox) mirrors Claude Code's --dangerously-skip-permissions and Gemini CLI's --yolo flags. E2E results: 5/8 passed. 3 failures are pre-existing Codex model behavior issues (timeouts, supervisor not calling MCP tools) unrelated to this change. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(e2e): pre-warm uvx cache to prevent MCP startup timeouts Agent profiles launch cao-mcp-server via uvx --from git+..., which downloads ~80 packages on a cold cache (~20s). This exceeds Codex's default 10s MCP startup timeout, causing flaky test failures. Add a session-scoped fixture that runs uvx once before tests to populate the cache (<3s on subsequent runs). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat(tool-restrictions): redesign to opt-in roles + allowedTools system - Role is a high-level abstraction (named bundle of allowedTools) - allowedTools is the low-level fine-grained control - No role + no allowedTools = unrestricted (backward compatible) - Support custom roles via settings.json "roles" key - Fix supervisor defaults: add fs_read and fs_list - Remove DEFAULT_ROLE (no role = unrestricted, not developer) - Rewrite docs/tool-restrictions.md with clear concept hierarchy - Update tests for new defaults and opt-in behavior Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat(tool-restrictions): improve launch prompts, default to developer, deduplicate docs - Change default when no role/allowedTools set from unrestricted ["*"] to developer defaults — secure by default while preserving backward compat - Add --yolo warning prompt (visible but non-blocking) - Add "To grant all permissions, re-run with --yolo" hint to normal prompt - Add "no role set" reminder with docs link when profile lacks role/allowedTools - Change confirmation text from "Do you trust all the actions in this folder?" to "Proceed?" — clearer that it confirms the shown restrictions, not blanket trust - Deduplicate agent-profile.md: replace duplicated roles/vocabulary/resolution tables with brief summary linking to tool-restrictions.md - Add allowedTools-only example (no role needed) to tool-restrictions.md - Add "Launch Confirmation Prompt" section with Confirmation vs --yolo comparison - Add "Example Profiles" section linking to examples directory - Fix stale supervisor defaults in README.md (add fs_read, fs_list) - Add "Tool restrictions" bullet to Key Features in README.md - Add role/allowedTools to all example profiles missing them - Add Codex allowed_tools e2e tests with xfail for soft enforcement Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(ci): fix black formatting and update launch prompt assertions - Run black on launch.py to fix formatting - Update test_launch.py assertions: old "Do you trust all the actions in this folder?" → new "Proceed?" prompt text - Add WARNING assertion for --yolo test Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs(tool-restrictions): clarify @cao-mcp-server is pass-through, not enforced Address PR #125 feedback: make explicit that @cao-mcp-server in allowedTools is a declarative marker, not translated to native enforcement flags. MCP tools remain always available. Also add WebFetch reference link. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor(examples): use role only, remove redundant allowedTools Replace dual role + allowedTools with role-only in all 14 example profiles. Add inline comment showing the role's default permissions and pointing to docs/tool-restrictions.md for fine-grained control. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor(agent_store): use role only, remove redundant allowedTools Same cleanup as examples/ — built-in profiles now use role-only with inline comment showing default permissions. Also fixes stale supervisor defaults (was missing fs_read, fs_list). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs(README): simplify Tool Restrictions section, link to full reference Replace detailed tables and examples with a brief summary and link to docs/tool-restrictions.md for the comprehensive reference. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Contributor
|
closing the PR as it is included in #125 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.