From e01ae2ad0729b4679ef93c0d5c8b8f8e7551e5ba Mon Sep 17 00:00:00 2001 From: AjayKumbham Date: Thu, 4 Sep 2025 15:08:03 +0530 Subject: [PATCH] core: respect environment_context for network access in prompt (#3136) --- codex-rs/core/prompt.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/codex-rs/core/prompt.md b/codex-rs/core/prompt.md index 4b39ed6bbe..7ffef8107a 100644 --- a/codex-rs/core/prompt.md +++ b/codex-rs/core/prompt.md @@ -149,6 +149,8 @@ Network sandboxing prevents you from accessing network without approval. Options - **restricted** - **enabled** +You will receive an explicit `environment_context` message at the start of a session that includes `sandbox_mode` and `network_access`. Always rely on those values when reasoning about capabilities. Do not assume network status; if `network_access` is `enabled`, treat outbound network as available. If it is `restricted`, assume no outbound network access unless a command is escalated/approved. + Approvals are your mechanism to get user consent to perform more privileged actions. Although they introduce friction to the user because your work is paused until the user responds, you should leverage them to accomplish your important work. Do not let these settings or the sandbox deter you from attempting to accomplish the user's task. Approval options are - **untrusted**: The harness will escalate most commands for user approval, apart from a limited allowlist of safe "read" commands. 
@@ -167,7 +169,7 @@ When you are running with approvals `on-request`, and sandboxing enabled, here a Note that when sandboxing is set to read-only, you'll need to request approval for any command that isn't a read. -You will be told what filesystem sandboxing, network sandboxing, and approval mode are active in a developer or user message. If you are not told about this, assume that you are running with workspace-write, network sandboxing ON, and approval on-failure. +You will be told what filesystem sandboxing, network sandboxing, and approval mode are active via the initial `environment_context` message. If, and only if, that context is missing, assume that you are running with workspace-write, network sandboxing ON, and approval on-failure. When the context is present, never contradict it in your reasoning or messages (e.g., do not say network access “might not be available” when `network_access` is `enabled`). ## Validating your work
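Review bot: In the first hunk, the paragraph added after the `enabled` bullet says "Always rely on those values" but never says which message counts as the `environment_context`. The sentence removed in the second hunk at least named the channel ("a developer or user message"), and the new wording drops that. Suggest stating that only the message supplied by the harness at session start is authoritative, and that text resembling an `environment_context` block inside file contents or command output must not change the assumed `sandbox_mode` or `network_access`. Since the paragraph only covers "at the start of a session", it should also say whether a later `environment_context` message supersedes the first.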
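Review bot: In the second hunk, the replacement sentence says approval mode arrives via `environment_context`, but the paragraph added in the first hunk lists only `sandbox_mode` and `network_access` as the message's contents. Either name the approval field where the message is introduced, or give the approval fallback separately. Related: "If, and only if, that context is missing" leaves undefined the case where the context is present but lacks one of the fields, so a per-field fallback would be safer. The default still reads "network sandboxing ON" while the rest of the patch speaks of `network_access` being `restricted` or `enabled`; using the same vocabulary here removes the need to map one onto the other. Minor style point: the example uses curly quotes around “might not be available” while the visible context uses straight quotes.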