feat(codex): Codex agent-provider payload v2 — app-server on capability seams, vault-only auth

container/AGENTS.md

@@ -0,0 +1,15 @@
+You are a NanoClaw agent. Your name, destinations, and message-sending rules are provided in the runtime system prompt at the top of each turn.
+
+## Communication
+
+Be concise. Prefer outcomes over play-by-play; when the work is done, the final message should be about the result.
+
+When you produce a file for the user in the workspace — a document, export, or asset — deliver it with `send_file` in the same turn; announcing without sending is an unfinished reply.
+
+## Workspace
+
+Files you create are saved in `/workspace/agent/`. Use this for notes, research, artifacts, and anything that should persist across turns in this group.
+
+## Conversation History
+
+The `conversations/` folder holds searchable past conversation transcripts or exchange archives for this group. Use it to recall prior context when a request references something that happened before.

container/Dockerfile

@@ -20,7 +20,7 @@ ARG INSTALL_CJK_FONTS=false
 # mean every rebuild silently picks up the latest and can break in lockstep
 # across all users.
 ARG CLAUDE_CODE_VERSION=2.1.116
-ARG CODEX_VERSION=0.124.0
+ARG CODEX_VERSION=0.138.0
 ARG AGENT_BROWSER_VERSION=latest
 ARG VERCEL_VERSION=latest
 ARG BUN_VERSION=1.3.12

container/agent-runner/src/providers/codex-app-server.test.ts

@@ -1,47 +1,162 @@
-import { describe, it, expect } from 'bun:test';
+import { describe, expect, it, afterEach } from 'bun:test';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
 
-import { STALE_THREAD_RE, tomlBasicString } from './codex-app-server.js';
+import {
+  type AppServer,
+  attachCodexAutoApproval,
+  buildCodexProcessEnv,
+  tomlBasicString,
+  writeCodexConfigToml,
+} from './codex-app-server.js';
 
-describe('tomlBasicString', () => {
-  it('leaves safe strings unchanged inside quotes', () => {
-    expect(tomlBasicString('hello')).toBe('"hello"');
-    expect(tomlBasicString('bun')).toBe('"bun"');
-    expect(tomlBasicString('/usr/local/bin/node')).toBe('"/usr/local/bin/node"');
+let tmpHome: string | null = null;
+const originalHome = process.env.HOME;
+
+afterEach(() => {
+  process.env.HOME = originalHome;
+  if (tmpHome) {
+    fs.rmSync(tmpHome, { recursive: true, force: true });
+    tmpHome = null;
+  }
+});
+
+describe('Codex config TOML', () => {
+  it('escapes basic strings', () => {
+    expect(tomlBasicString('a "quoted" \\\\ value')).toBe('"a \\"quoted\\" \\\\\\\\ value"');
+  });
+
+  it('rejects newlines', () => {
+    expect(() => tomlBasicString('bad\nvalue')).toThrow(/newline/);
   });
 
-  it('escapes double-quotes', () => {
-    expect(tomlBasicString('a"b')).toBe('"a\\"b"');
-    expect(tomlBasicString('"quoted"')).toBe('"\\"quoted\\""');
+  it('hardcodes danger-full-access + never and writes model, effort, and MCP servers', () => {
+    tmpHome = fs.mkdtempSync(path.join(os.tmpdir(), 'codex-home-'));
+    process.env.HOME = tmpHome;
+
+    writeCodexConfigToml(
+      {
+        nanoclaw: {
+          command: 'bun',
+          args: ['run', '/app/src/mcp-tools/index.ts'],
+          env: { FOO: 'bar' },
+        },
+      },
+      { model: 'gpt-5', effort: 'medium' },
+    );
+
+    const content = fs.readFileSync(path.join(tmpHome, '.codex', 'config.toml'), 'utf-8');
+    expect(content).toContain('sandbox_mode = "danger-full-access"');
+    expect(content).toContain('approval_policy = "never"');
+    expect(content).toContain('project_doc_max_bytes = 32768');
+    expect(content).toContain('model = "gpt-5"');
+    expect(content).toContain('model_reasoning_effort = "medium"');
+    expect(content).not.toContain('[sandbox_workspace_write]');
+    expect(content).not.toContain('writable_roots =');
+    expect(content).toContain('[mcp_servers.nanoclaw]');
+    expect(content).toContain('command = "bun"');
+    expect(content).toContain('args = ["run", "/app/src/mcp-tools/index.ts"]');
+    expect(content).toContain('[mcp_servers.nanoclaw.env]');
+    expect(content).toContain('FOO = "bar"');
+  });
+});
+
+describe('Codex auto-approval', () => {
+  // NanoClaw (container isolation + OneCLI) is the boundary, so the handler accepts
+  // every request unconditionally — even paths/commands a sandbox policy would refuse.
+  it('grants full filesystem + network for permission requests', () => {
+    const { server, writes } = fakeServer();
+    attachCodexAutoApproval(server);
+
+    server.serverRequestHandlers[0]({
+      id: 1,
+      method: 'item/permissions/requestApproval',
+      params: { permissions: { fileSystem: { read: ['/workspace/agent'], write: ['/workspace/agent'] } } },
+    });
+
+    const result = JSON.parse(writes[0]).result as {
+      permissions: { fileSystem: { read: string[]; write: string[] }; network: { enabled: boolean } };
+      scope: string;
+    };
+    expect(result.scope).toBe('turn');
+    expect(result.permissions.fileSystem.read).toEqual(['/']);
+    expect(result.permissions.fileSystem.write).toEqual(['/']);
+    expect(result.permissions.network.enabled).toBe(true);
   });
 
-  it('escapes backslashes', () => {
-    expect(tomlBasicString('a\\b')).toBe('"a\\\\b"');
-    expect(tomlBasicString('C:\\path\\to\\bin')).toBe('"C:\\\\path\\\\to\\\\bin"');
+  it('accepts file-change and command-exec approvals regardless of path', () => {
+    const { server, writes } = fakeServer();
+    attachCodexAutoApproval(server);
+
+    server.serverRequestHandlers[0]({ id: 2, method: 'item/fileChange/requestApproval', params: { grantRoot: '/etc' } });
+    server.serverRequestHandlers[0]({
+      id: 3,
+      method: 'item/commandExecution/requestApproval',
+      params: { command: 'rm -rf /', cwd: '/' },
+    });
+
+    expect(JSON.parse(writes[0]).result).toEqual({ decision: 'accept' });
+    expect(JSON.parse(writes[1]).result).toEqual({ decision: 'accept' });
   });
 
-  it('escapes backslash before quote (order matters)', () => {
-    expect(tomlBasicString('\\"')).toBe('"\\\\\\""');
+  it('approves legacy patch and command-exec approvals regardless of path', () => {
+    const { server, writes } = fakeServer();
+    attachCodexAutoApproval(server);
+
+    server.serverRequestHandlers[0]({
+      id: 4,
+      method: 'applyPatchApproval',
+      params: { fileChanges: { '/etc/passwd': {} } },
+    });
+    server.serverRequestHandlers[0]({ id: 5, method: 'execCommandApproval', params: { command: 'rm -rf /', cwd: '/' } });
+
+    expect(JSON.parse(writes[0]).result).toEqual({ decision: 'approved' });
+    expect(JSON.parse(writes[1]).result).toEqual({ decision: 'approved' });
   });
 
-  it('rejects strings containing newlines', () => {
-    expect(() => tomlBasicString('line1\nline2')).toThrow(/newline/);
-    expect(() => tomlBasicString('trailing\n')).toThrow(/newline/);
-    expect(() => tomlBasicString('crlf\r\nhere')).toThrow(/newline/);
+  it('fails closed for unknown server requests', () => {
+    const { server, writes } = fakeServer();
+    attachCodexAutoApproval(server);
+
+    server.serverRequestHandlers[0]({ id: 6, method: 'new/unknown/request' });
+
+    const response = JSON.parse(writes[0]);
+    expect(response.error.message).toContain('Unhandled Codex app-server request');
   });
 });
 
-describe('STALE_THREAD_RE', () => {
-  it('matches stale-thread error messages', () => {
-    expect(STALE_THREAD_RE.test('thread not found')).toBe(true);
-    expect(STALE_THREAD_RE.test('unknown thread xyz')).toBe(true);
-    expect(STALE_THREAD_RE.test('No such thread: abc')).toBe(true);
-    expect(STALE_THREAD_RE.test('invalid thread_id')).toBe(true);
-  });
+describe('Codex process env', () => {
+  it('forwards proxy/runtime env without leaking secret-like host env', () => {
+    const env = buildCodexProcessEnv({
+      PATH: '/bin',
+      HOME: '/home/node',
+      CODEX_HOME: '/home/node/.codex',
+      HTTPS_PROXY: 'http://proxy',
+      OPENAI_API_KEY: 'sk-test',
+      ONECLI_API_KEY: 'onecli-secret',
+      SOME_TOKEN: 'token',
+    });
 
-  it('does not match transient or unrelated errors', () => {
-    expect(STALE_THREAD_RE.test('rate limit exceeded')).toBe(false);
-    expect(STALE_THREAD_RE.test('authentication failed')).toBe(false);
-    expect(STALE_THREAD_RE.test('connection reset by peer')).toBe(false);
-    expect(STALE_THREAD_RE.test('internal server error')).toBe(false);
+    expect(env.PATH).toBe('/bin');
+    expect(env.HOME).toBe('/home/node');
+    expect(env.CODEX_HOME).toBe('/home/node/.codex');
+    expect(env.HTTPS_PROXY).toBe('http://proxy');
+    expect(env.OPENAI_API_KEY).toBeUndefined();
+    expect(env.ONECLI_API_KEY).toBeUndefined();
+    expect(env.SOME_TOKEN).toBeUndefined();
   });
 });
+
+function fakeServer(): { server: AppServer; writes: string[] } {
+  const writes: string[] = [];
+  const server = {
+    process: { stdin: { write: (line: string) => writes.push(line) } },
+    readline: { close: () => {} },
+    pending: new Map(),
+    notificationHandlers: [],
+    exitHandlers: [],
+    serverRequestHandlers: [],
+  } as unknown as AppServer;
+  return { server, writes };
+}