@canonmsg/codex-plugin 0.11.2 → 0.11.3

package/README.md

@@ -71,10 +71,12 @@ Advertise multiple project choices to the Canon app:
 canon-codex --cwd ~/dev --workspace-root ~/dev
 ```
 
-`--cwd` is the default workspace. Each `--workspace-root` value is an approved local root; the host discovers immediate child projects with common markers such as `.git`, `package.json`, `pyproject.toml`, `Cargo.toml`, or `go.mod` and publishes them as selectable projects during session creation. Use repeated `--workspace /path/to/project` entries to advertise specific projects outside those roots. Worktree mode creates a per-conversation git worktree under `~/.canon/conversation-worktrees`; shared-project mode runs directly in the selected directory.
+`--cwd` is the default workspace. Each `--workspace-root` value is an approved local root; the host discovers immediate child projects with common markers such as `.git`, `package.json`, `pyproject.toml`, `Cargo.toml`, or `go.mod` and publishes them as selectable projects during session creation. Use repeated `--workspace /path/to/project` entries to advertise specific projects outside those roots. Worktree mode creates a best-effort per-conversation git worktree under `~/.canon/conversation-worktrees`; shared-project mode runs directly in the selected directory.
 
 If worktree isolation is requested for a project that cannot support it, Canon may fall back to shared-project execution and surface the fallback reason in session details instead of failing the session outright.
 
+Worktree mode is project isolation, not an operating-system sandbox. The Codex CLI sandbox and approval policy enforce actual file and command behavior.
+
 Useful flags:
 
 ```bash
@@ -85,6 +87,8 @@ Codex also supports `--add-dir /extra/path` for additional writable directories
 
 Recent Codex CLI releases no longer accept `--ask-for-approval` with `codex exec`. If you previously launched Canon with `--sandbox workspace-write --ask-for-approval never`, switch to `--full-auto`.
 
+Do not start Canon with `--sandbox danger-full-access` as an unlabeled default. Use `--dangerously-bypass-approvals-and-sandbox` only when you intentionally want Canon to advertise the owner-only Bypass policy.
+
 Local smoke test:
 
 ```bash

package/dist/host.js

@@ -3,7 +3,7 @@ import { setDefaultResultOrder } from 'node:dns';
 import { randomUUID } from 'node:crypto';
 import { dirname } from 'node:path';
 import { parseArgs } from 'node:util';
-import { getCodexImagePath, materializeMessageMedia, } from '@canonmsg/agent-sdk';
+import { getCodexImagePath, materializeMessageMedia, materializeReplyContextMedia, } from '@canonmsg/agent-sdk';
 import { RUNTIME_NEW_SESSION_ACTION, RUNTIME_STOP_ACTION, RUNTIME_STOP_AND_DROP_ACTION, buildCanonHostPrompt, buildConfiguredWorkspaceOptionsWithRoots, buildFirstPartyCodingRuntimeDescriptor, buildHydratedInboundContext, diffCanonMemberIds, buildPublicWorkspaceRoots, buildPublicWorkspaceOptions, createConversationMetadataLoader, createRuntimeStatePublisher, EXECUTION_ENVIRONMENT_MODES, ExecutionEnvironmentError, CanonClient, CanonStream, DEFAULT_PARTICIPATION_HISTORY_FETCH_LIMIT, DEFAULT_RUNTIME_CAPABILITIES, FINAL_MESSAGE_HANDOFF_MS, getActiveProfileLock, initRTDBAuth, buildLocalRuntimeId, heartbeatLocalRuntimeEntry, loadRuntimeSessionState, markLocalRuntimeStopped, normalizeTurnMetadata, normalizeTurnState, prepareConversationEnvironment, loadHostSessionConfig, releaseConversationEnvironment, resolveCanonAgent, rtdbRead, rtdbWrite, shouldTriggerAgentTurn, saveRuntimeSessionState, publishHostAgentRuntime, publishHostSessionSnapshots, renderCanonHostInboundContent, resolveHostWorkspaceCwd, upsertLocalRuntimeEntry, } from '@canonmsg/core';
 import { buildInboundContextLines, decideAutoReply, } from './inbound-policy.js';
 import { CodexConversationAdapter, } from './adapter.js';
@@ -202,6 +202,21 @@ function buildCanonPrompt(input) {
 function renderInboundContent(message, materialized) {
     return renderCanonHostInboundContent(message, materialized);
 }
+async function materializePromptReplyContext(input) {
+    if (!input.replyContext?.found || !input.replyContext.attachments?.length) {
+        return { replyContext: input.replyContext, materialized: [] };
+    }
+    try {
+        return await materializeReplyContextMedia(input.replyContext, {
+            agentId: input.agentId,
+            conversationId: input.conversationId,
+        });
+    }
+    catch (error) {
+        console.error(`${input.logPrefix} Failed to materialize replied-to media:`, error instanceof Error ? error.message : error);
+        return { replyContext: input.replyContext, materialized: [] };
+    }
+}
 function summarizeCommand(command) {
     const trimmed = command.trim();
     if (!trimmed)
@@ -664,10 +679,6 @@ export async function main() {
                 console.error(`[canon-codex] [${input.conversationId.slice(0, 8)}] Failed to materialize media:`, error instanceof Error ? error.message : error);
             }
         }
-        const imagePaths = materialized
-            .map((attachment) => getCodexImagePath(attachment))
-            .filter((path) => path !== null);
-        const mediaAddDirs = uniqueStrings(materialized.map((attachment) => dirname(attachment.path)));
         const content = renderInboundContent(input.message, materialized);
         const hydrated = await loadHydratedInboundContext({
             conversationId: input.conversationId,
@@ -681,6 +692,18 @@ export async function main() {
         const behavior = input.behavior ?? hydrated.behavior;
         const activeSelfContextId = hydrated.activeSelfContextId;
         const selfContexts = hydrated.selfContexts;
+        const replyMedia = await materializePromptReplyContext({
+            replyContext: hydrated.replyContext,
+            agentId,
+            conversationId: input.conversationId,
+            logPrefix: `[canon-codex] [${input.conversationId.slice(0, 8)}]`,
+        });
+        const replyContext = replyMedia.replyContext;
+        const promptMaterialized = [...replyMedia.materialized, ...materialized];
+        const imagePaths = promptMaterialized
+            .map((attachment) => getCodexImagePath(attachment))
+            .filter((path) => path !== null);
+        const mediaAddDirs = uniqueStrings(promptMaterialized.map((attachment) => dirname(attachment.path)));
         const participantContext = hydrated.participantContext;
         const autoReply = decideAutoReply(participantContext, behavior);
         if (!autoReply.allow) {
@@ -717,6 +740,7 @@ export async function main() {
             participantContext,
             behavior,
             selfContexts,
+            replyContext,
         });
         if (session.running && deliveryIntent === 'interrupt') {
             enqueuePrompt(session, prompt, deliveryIntent, true, input.message.id, shouldMarkAccepted, imagePaths, mediaAddDirs);

package/dist/permission-mode.d.ts

@@ -2,15 +2,19 @@ import type { CodexSandboxMode } from './adapter.js';
 export declare const CODEX_PERMISSION_OPTIONS: readonly [{
     readonly value: "readonly";
     readonly label: "Read-only";
+    readonly description: "Inspect files and project state without making changes.";
 }, {
     readonly value: "workspace";
     readonly label: "Workspace-write";
+    readonly description: "Edit inside the selected workspace using Codex CLI sandboxing.";
 }, {
     readonly value: "full-auto";
     readonly label: "Full auto";
+    readonly description: "Automatically run workspace-write actions with lower-friction approvals.";
 }, {
     readonly value: "bypass";
     readonly label: "Bypass (dangerous)";
+    readonly description: "Skip Codex approval and sandbox protection. Use only in an externally sandboxed environment.";
 }];
 export type CodexPermissionMode = (typeof CODEX_PERMISSION_OPTIONS)[number]['value'];
 export type CodexApprovalShape = {

package/dist/permission-mode.js

@@ -1,8 +1,8 @@
 export const CODEX_PERMISSION_OPTIONS = [
-    { value: 'readonly', label: 'Read-only' },
-    { value: 'workspace', label: 'Workspace-write' },
-    { value: 'full-auto', label: 'Full auto' },
-    { value: 'bypass', label: 'Bypass (dangerous)' },
+    { value: 'readonly', label: 'Read-only', description: 'Inspect files and project state without making changes.' },
+    { value: 'workspace', label: 'Workspace-write', description: 'Edit inside the selected workspace using Codex CLI sandboxing.' },
+    { value: 'full-auto', label: 'Full auto', description: 'Automatically run workspace-write actions with lower-friction approvals.' },
+    { value: 'bypass', label: 'Bypass (dangerous)', description: 'Skip Codex approval and sandbox protection. Use only in an externally sandboxed environment.' },
 ];
 export function mapCanonPermissionToCodex(mode) {
     switch (mode) {
@@ -29,12 +29,8 @@ export function deriveCodexPermissionEnvelope(args) {
             availablePermissionModes: codexOptionsThrough('readonly'),
         };
     }
-    if (args.sandbox === 'danger-full-access') {
-        return {
-            availablePermissionModes: args['dangerously-bypass-approvals-and-sandbox']
-                ? [...CODEX_PERMISSION_OPTIONS]
-                : codexOptionsThrough('full-auto'),
-        };
+    if (args.sandbox === 'danger-full-access' && !args['dangerously-bypass-approvals-and-sandbox']) {
+        throw new Error('Codex sandbox danger-full-access cannot be used as an unlabeled Canon default. Use --dangerously-bypass-approvals-and-sandbox if you intentionally want the Bypass policy.');
     }
     if (args['dangerously-bypass-approvals-and-sandbox']) {
         return {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@canonmsg/codex-plugin",
-  "version": "0.11.2",
+  "version": "0.11.3",
   "description": "Canon host integration for Codex CLI",
   "type": "module",
   "main": "dist/index.js",
@@ -29,8 +29,8 @@
     "prepack": "npm run build"
   },
   "dependencies": {
-    "@canonmsg/agent-sdk": "^1.4.0",
-    "@canonmsg/core": "^0.18.0"
+    "@canonmsg/agent-sdk": "^1.4.1",
+    "@canonmsg/core": "^0.18.1"
   },
   "engines": {
     "node": ">=18.0.0"