Skip to content

core: respect environment_context for network access in prompt (#3136) #3153

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
+3 −1
Open

core: respect environment_context for network access in prompt (#3136) #3153

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e01ae2a
core: respect environment_context for network access in prompt (#3136)
AjayKumbham Sep 4, 2025
1f3c8c8
Merge branch 'main' into fix/network-access-prompt-config
AjayKumbham Sep 8, 2025
0b9a790
Merge branch 'main' into fix/network-access-prompt-config
AjayKumbham Sep 10, 2025
deb0199
Merge branch 'main' into fix/network-access-prompt-config
AjayKumbham Sep 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion codex-rs/core/prompt.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,8 @@ Network sandboxing prevents you from accessing network without approval. Options
- **restricted**
- **enabled**

You will receive an explicit `environment_context` message at the start of a session that includes `sandbox_mode` and `network_access`. Always rely on those values when reasoning about capabilities. Do not assume network status; if `network_access` is `enabled`, treat outbound network as available. If it is `restricted`, assume no outbound network access unless a command is escalated/approved.

Approvals are your mechanism to get user consent to perform more privileged actions. Although they introduce friction to the user because your work is paused until the user responds, you should leverage them to accomplish your important work. Do not let these settings or the sandbox deter you from attempting to accomplish the user's task. Approval options are

- **untrusted**: The harness will escalate most commands for user approval, apart from a limited allowlist of safe "read" commands.
Expand All @@ -179,7 +181,7 @@ When you are running with approvals `on-request`, and sandboxing enabled, here a

Note that when sandboxing is set to read-only, you'll need to request approval for any command that isn't a read.

You will be told what filesystem sandboxing, network sandboxing, and approval mode are active in a developer or user message. If you are not told about this, assume that you are running with workspace-write, network sandboxing ON, and approval on-failure.
You will be told what filesystem sandboxing, network sandboxing, and approval mode are active via the initial `environment_context` message. If, and only if, that context is missing, assume that you are running with workspace-write, network sandboxing ON, and approval on-failure. When the context is present, never contradict it in your reasoning or messages (e.g., do not say network access “might not be available” when `network_access` is `enabled`).

## Validating your work

Expand Down