Fix Codex exec resume sandbox arg ordering

cc-dan
2026-03-17 03:08:07 +00:00
parent 7c993f1c4a
commit 7ec87714c5
3 changed files with 12 additions and 4 deletions


@@ -73,16 +73,22 @@ function createAgentRuntime(deps) {
}
const runtimeId = getRuntimeSessionId(session);
const args = ['exec'];
if (runtimeId) args.push('resume');
args.push('--json', '--skip-git-repo-check');
const permMode = session.permissionMode || 'yolo';
// `-s/--sandbox` is an option for `codex exec`, but not for `codex exec resume`.
// When resuming, it must appear before the `resume` subcommand, otherwise Codex CLI errors
// with: "unexpected argument '-s' found".
if (runtimeId && permMode === 'plan') {
args.push('-s', 'read-only');
}
if (runtimeId) args.push('resume');
switch (permMode) {
case 'yolo':
args.push('--dangerously-bypass-approvals-and-sandbox');
break;
case 'plan':
args.push('-s', 'read-only');
if (!runtimeId) args.push('-s', 'read-only');
break;
case 'default':
default:
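Review bot: The plan-mode sandbox flag is now pushed from two places with complementary conditions (`runtimeId && permMode === 'plan'` before `resume`, and `!runtimeId` inside `case 'plan'`), so a later edit can easily drop read-only on one of the two paths. Since the added comment says `-s` is an option of `codex exec` itself, a single `if (permMode === 'plan') args.push('-s', 'read-only');` placed before `if (runtimeId) args.push('resume');` should cover both fresh and resumed runs, leaving `case 'plan': break;`. Separately, `session.permissionMode || 'yolo'` on the context line fails open: a session with no stored mode gets `--dangerously-bypass-approvals-and-sandbox`, so it is worth confirming that this fallback is intended. The switch and the enclosing function continue outside the hunk.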


@@ -16,7 +16,8 @@ function readStdin() {
(async function main() {
const args = process.argv.slice(2);
const isResume = args[0] === 'exec' && args[1] === 'resume';
// cc-web can place `resume` after other `codex exec` options (e.g. --json, -s).
const isResume = args[0] === 'exec' && args.includes('resume');
const threadId = (() => {
if (!isResume) return `mock-${crypto.randomUUID()}`;
for (let i = args.length - 1; i >= 2; i--) {
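Review bot: `args.includes('resume')` makes the mock accept `resume` at any position with any options after it, so the mock would still pass the ordering this commit fixes (`-s` after `resume`), which the real CLI rejects according to the runtime comment. Consider making the mock fail in that case, e.g. `const resumeIdx = args.indexOf('resume');` followed by `if (resumeIdx !== -1 && args.includes('-s', resumeIdx)) { console.error("unexpected argument '-s' found"); process.exit(2); }`. The thread-id loop keeps its lower bound at index 2, which presumably assumed `resume` at `args[1]`. Its body is outside the hunk, so whether it can now pick up an option value instead of the thread id needs checking there.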


@@ -398,8 +398,9 @@ async function main() {
.split('\n')
.filter((line) => line.includes(`"event":"process_spawn"`) && line.includes(firstMessageSession.sessionId.slice(0, 8)));
const lastSpawn = allSpawnsForSession[allSpawnsForSession.length - 1] || '';
assert(lastSpawn.includes('exec resume') && lastSpawn.includes(threadIdBeforeMode), 'Codex mode switch should keep resume thread id');
assert(lastSpawn.includes('resume') && lastSpawn.includes(threadIdBeforeMode), 'Codex mode switch should keep resume thread id');
assert(lastSpawn.includes('-s read-only'), 'Codex plan mode should set sandbox read-only');
assert(lastSpawn.includes('-s read-only resume'), 'Codex resume in plan mode must place -s before resume subcommand');
const runtimeToml = fs.readFileSync(path.join(configDir, 'codex-runtime-home', 'config.toml'), 'utf8');
assert(runtimeToml.includes('preferred_auth_method = "apikey"'), 'Codex custom profile should write isolated runtime auth mode');
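Review bot: The new assertions pin `-s read-only` before `resume`, but nothing asserts that the plan-mode spawn no longer carries the bypass flag. If this spawn follows a switch into plan mode, as the assertion messages suggest, add `assert(!lastSpawn.includes('--dangerously-bypass-approvals-and-sandbox'), 'Codex plan mode must not bypass the sandbox');`. The relaxed `lastSpawn.includes('resume')` is now a loose substring match on the whole log line, and the `-s read-only` check is implied by the stricter one after it. `main()` continues outside the hunk.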