@canonmsg/codex-plugin 0.11.2 → 0.11.4

package/README.md

@@ -71,10 +71,12 @@ Advertise multiple project choices to the Canon app:
 canon-codex --cwd ~/dev --workspace-root ~/dev
 ```
 
-`--cwd` is the default workspace. Each `--workspace-root` value is an approved local root; the host discovers immediate child projects with common markers such as `.git`, `package.json`, `pyproject.toml`, `Cargo.toml`, or `go.mod` and publishes them as selectable projects during session creation. Use repeated `--workspace /path/to/project` entries to advertise specific projects outside those roots. Worktree mode creates a per-conversation git worktree under `~/.canon/conversation-worktrees`; shared-project mode runs directly in the selected directory.
+`--cwd` is the default workspace. Each `--workspace-root` value is an approved local root; the host discovers immediate child projects with common markers such as `.git`, `package.json`, `pyproject.toml`, `Cargo.toml`, or `go.mod` and publishes them as selectable projects during session creation. Use repeated `--workspace /path/to/project` entries to advertise specific projects outside those roots. Worktree mode creates a best-effort per-conversation git worktree under `~/.canon/conversation-worktrees`; shared-project mode runs directly in the selected directory.
 
 If worktree isolation is requested for a project that cannot support it, Canon may fall back to shared-project execution and surface the fallback reason in session details instead of failing the session outright.
 
+Worktree mode is project isolation, not an operating-system sandbox. The Codex CLI sandbox and approval policy enforce actual file and command behavior.
+
 Useful flags:
 
 ```bash
@@ -85,6 +87,8 @@ Codex also supports `--add-dir /extra/path` for additional writable directories
 
 Recent Codex CLI releases no longer accept `--ask-for-approval` with `codex exec`. If you previously launched Canon with `--sandbox workspace-write --ask-for-approval never`, switch to `--full-auto`.
 
+Do not start Canon with `--sandbox danger-full-access` as an unlabeled default. Use `--dangerously-bypass-approvals-and-sandbox` only when you intentionally want Canon to advertise the owner-only Bypass policy.
+
 Local smoke test:
 
 ```bash

package/dist/app-server-approval.d.ts

@@ -0,0 +1,32 @@
+import type { ApprovalNativeRequestMetadata, ApprovalRequestCategory, ApprovalRequestDetail, ApprovalResult, ApprovalRisk } from '@canonmsg/core';
+/**
+ * Mapping for Codex app-server native approval requests.
+ *
+ * The current Canon Codex host still uses `codex exec --json`, which cannot
+ * block on these methods. Keep this as metadata/decision plumbing for the
+ * future app-server transport, not as an advertised `exec --json` UI mode.
+ */
+export type CodexAppServerApprovalMethod = 'item/commandExecution/requestApproval' | 'item/fileChange/requestApproval' | 'item/permissions/requestApproval' | 'execCommandApproval' | 'applyPatchApproval';
+export interface CodexNativeApprovalRequest {
+    method: CodexAppServerApprovalMethod;
+    params: Record<string, unknown>;
+}
+export interface CanonCodexApprovalRequest {
+    toolName: string;
+    toolInput: Record<string, unknown>;
+    toolSummary: string;
+    category: ApprovalRequestCategory;
+    risk: ApprovalRisk;
+    riskLevel: 'normal' | 'destructive';
+    native: ApprovalNativeRequestMetadata;
+    details: ApprovalRequestDetail[];
+}
+export type CodexApprovalDecision = {
+    decision: 'accept';
+} | {
+    decision: 'acceptForSession';
+} | {
+    decision: 'decline';
+};
+export declare function mapCodexAppServerApprovalRequest(request: CodexNativeApprovalRequest): CanonCodexApprovalRequest | null;
+export declare function mapCanonApprovalResultToCodexDecision(result: ApprovalResult): CodexApprovalDecision;

package/dist/app-server-approval.js

@@ -0,0 +1,168 @@
+function isRecord(value) {
+    return Boolean(value && typeof value === 'object' && !Array.isArray(value));
+}
+function readString(record, keys) {
+    for (const key of keys) {
+        const value = record[key];
+        if (typeof value === 'string' && value.trim())
+            return value.trim();
+    }
+    return undefined;
+}
+function firstString(value) {
+    if (typeof value === 'string' && value.trim())
+        return value.trim();
+    if (Array.isArray(value)) {
+        return value.map((entry) => (typeof entry === 'string' ? entry.trim() : '')).find(Boolean);
+    }
+    return undefined;
+}
+function stringifyPreview(value, maxLength = 500) {
+    if (typeof value === 'string')
+        return value.length > maxLength ? `${value.slice(0, maxLength - 3)}...` : value;
+    const json = JSON.stringify(value ?? {});
+    return json.length > maxLength ? `${json.slice(0, maxLength - 3)}...` : json;
+}
+function nativeHandle(method, params) {
+    const native = {
+        runtime: 'codex',
+        method,
+    };
+    const requestId = readString(params, ['requestId', 'id', 'callId']);
+    const provider = readString(params, ['provider']);
+    const origin = readString(params, ['origin']);
+    const surface = readString(params, ['surface']);
+    const threadId = readString(params, ['threadId', 'conversationId']);
+    const turnId = readString(params, ['turnId']);
+    const runId = readString(params, ['runId']);
+    const itemId = readString(params, ['itemId']);
+    const toolCallId = readString(params, ['toolCallId', 'toolUseId']);
+    const approvalId = readString(params, ['approvalId']);
+    const pluginId = readString(params, ['pluginId']);
+    const sessionKey = readString(params, ['sessionKey', 'sessionId']);
+    const cwd = readString(params, ['cwd', 'workingDirectory']);
+    const model = readString(params, ['model']);
+    if (requestId)
+        native.requestId = requestId;
+    if (provider)
+        native.provider = provider;
+    if (origin)
+        native.origin = origin;
+    if (surface)
+        native.surface = surface;
+    if (threadId)
+        native.threadId = threadId;
+    if (turnId)
+        native.turnId = turnId;
+    if (runId)
+        native.runId = runId;
+    if (itemId)
+        native.itemId = itemId;
+    if (toolCallId)
+        native.toolCallId = toolCallId;
+    if (approvalId)
+        native.approvalId = approvalId;
+    if (pluginId)
+        native.pluginId = pluginId;
+    if (sessionKey)
+        native.sessionKey = sessionKey;
+    if (cwd)
+        native.cwd = cwd;
+    if (model)
+        native.model = model;
+    return native;
+}
+function commandRisk(command) {
+    if (/\brm\s+(-rf?|--force)|\bgit\s+reset\s+--hard|\bgit\s+push\s+--force|\bdrop\s+(table|database)\b/i.test(command)) {
+        return 'destructive';
+    }
+    return 'high';
+}
+function detail(label, value, monospace = true) {
+    return value ? [{ label, value, monospace }] : [];
+}
+function mapCommandRequest(method, params) {
+    const command = readString(params, ['command', 'cmd'])
+        ?? firstString(params.argv)
+        ?? firstString(params.args)
+        ?? stringifyPreview(params);
+    const cwd = readString(params, ['cwd', 'workingDirectory']);
+    const risk = commandRisk(command);
+    return {
+        toolName: 'codex.command',
+        toolInput: {
+            command,
+            ...(cwd ? { cwd } : {}),
+        },
+        toolSummary: command,
+        category: 'command',
+        risk,
+        riskLevel: risk === 'destructive' ? 'destructive' : 'normal',
+        native: nativeHandle(method, params),
+        details: [
+            ...detail('Command', command),
+            ...detail('Working directory', cwd),
+        ],
+    };
+}
+function mapFileRequest(method, params) {
+    const path = readString(params, ['path', 'filePath', 'targetPath']);
+    const summary = path
+        ?? firstString(params.paths)
+        ?? stringifyPreview(params.changes ?? params.patch ?? params);
+    const patch = readString(params, ['patch', 'diff']);
+    const destructive = /\b(delete|remove|unlink)\b/i.test(stringifyPreview(params, 1000));
+    return {
+        toolName: method === 'applyPatchApproval' ? 'codex.applyPatch' : 'codex.fileChange',
+        toolInput: {
+            ...(path ? { path } : {}),
+            ...(patch ? { patch } : {}),
+        },
+        toolSummary: summary,
+        category: 'file',
+        risk: destructive ? 'destructive' : 'high',
+        riskLevel: destructive ? 'destructive' : 'normal',
+        native: nativeHandle(method, params),
+        details: [
+            ...detail('Path', path),
+            ...detail('Patch', patch),
+        ],
+    };
+}
+function mapPermissionRequest(method, params) {
+    const action = readString(params, ['action', 'permission', 'toolName', 'tool'])
+        ?? stringifyPreview(params);
+    return {
+        toolName: 'codex.permission',
+        toolInput: { action },
+        toolSummary: action,
+        category: 'tool',
+        risk: 'normal',
+        riskLevel: 'normal',
+        native: nativeHandle(method, params),
+        details: detail('Permission', action, false),
+    };
+}
+export function mapCodexAppServerApprovalRequest(request) {
+    if (!isRecord(request.params))
+        return null;
+    if (request.method === 'item/commandExecution/requestApproval'
+        || request.method === 'execCommandApproval') {
+        return mapCommandRequest(request.method, request.params);
+    }
+    if (request.method === 'item/fileChange/requestApproval'
+        || request.method === 'applyPatchApproval') {
+        return mapFileRequest(request.method, request.params);
+    }
+    if (request.method === 'item/permissions/requestApproval') {
+        return mapPermissionRequest(request.method, request.params);
+    }
+    return null;
+}
+export function mapCanonApprovalResultToCodexDecision(result) {
+    if (result.decision === 'deny')
+        return { decision: 'decline' };
+    if (result.sessionRule)
+        return { decision: 'acceptForSession' };
+    return { decision: 'accept' };
+}

package/dist/host.js

@@ -3,7 +3,7 @@ import { setDefaultResultOrder } from 'node:dns';
 import { randomUUID } from 'node:crypto';
 import { dirname } from 'node:path';
 import { parseArgs } from 'node:util';
-import { getCodexImagePath, materializeMessageMedia, } from '@canonmsg/agent-sdk';
+import { getCodexImagePath, materializeMessageMedia, materializeReplyContextMedia, } from '@canonmsg/agent-sdk';
 import { RUNTIME_NEW_SESSION_ACTION, RUNTIME_STOP_ACTION, RUNTIME_STOP_AND_DROP_ACTION, buildCanonHostPrompt, buildConfiguredWorkspaceOptionsWithRoots, buildFirstPartyCodingRuntimeDescriptor, buildHydratedInboundContext, diffCanonMemberIds, buildPublicWorkspaceRoots, buildPublicWorkspaceOptions, createConversationMetadataLoader, createRuntimeStatePublisher, EXECUTION_ENVIRONMENT_MODES, ExecutionEnvironmentError, CanonClient, CanonStream, DEFAULT_PARTICIPATION_HISTORY_FETCH_LIMIT, DEFAULT_RUNTIME_CAPABILITIES, FINAL_MESSAGE_HANDOFF_MS, getActiveProfileLock, initRTDBAuth, buildLocalRuntimeId, heartbeatLocalRuntimeEntry, loadRuntimeSessionState, markLocalRuntimeStopped, normalizeTurnMetadata, normalizeTurnState, prepareConversationEnvironment, loadHostSessionConfig, releaseConversationEnvironment, resolveCanonAgent, rtdbRead, rtdbWrite, shouldTriggerAgentTurn, saveRuntimeSessionState, publishHostAgentRuntime, publishHostSessionSnapshots, renderCanonHostInboundContent, resolveHostWorkspaceCwd, upsertLocalRuntimeEntry, } from '@canonmsg/core';
 import { buildInboundContextLines, decideAutoReply, } from './inbound-policy.js';
 import { CodexConversationAdapter, } from './adapter.js';
@@ -202,6 +202,21 @@ function buildCanonPrompt(input) {
 function renderInboundContent(message, materialized) {
     return renderCanonHostInboundContent(message, materialized);
 }
+async function materializePromptReplyContext(input) {
+    if (!input.replyContext?.found || !input.replyContext.attachments?.length) {
+        return { replyContext: input.replyContext, materialized: [] };
+    }
+    try {
+        return await materializeReplyContextMedia(input.replyContext, {
+            agentId: input.agentId,
+            conversationId: input.conversationId,
+        });
+    }
+    catch (error) {
+        console.error(`${input.logPrefix} Failed to materialize replied-to media:`, error instanceof Error ? error.message : error);
+        return { replyContext: input.replyContext, materialized: [] };
+    }
+}
 function summarizeCommand(command) {
     const trimmed = command.trim();
     if (!trimmed)
@@ -398,10 +413,12 @@ export async function main() {
         ]);
         return buildHydratedInboundContext({
             agentId,
+            conversationId: input.conversationId,
             conversation,
             page,
             activeSelfContextId: input.activeSelfContextId,
             selfContexts: input.selfContexts,
+            provenance: input.provenance,
             message: input.message,
             senderName: input.senderName,
             isOwner: input.isOwner,
@@ -664,10 +681,6 @@ export async function main() {
                 console.error(`[canon-codex] [${input.conversationId.slice(0, 8)}] Failed to materialize media:`, error instanceof Error ? error.message : error);
             }
         }
-        const imagePaths = materialized
-            .map((attachment) => getCodexImagePath(attachment))
-            .filter((path) => path !== null);
-        const mediaAddDirs = uniqueStrings(materialized.map((attachment) => dirname(attachment.path)));
         const content = renderInboundContent(input.message, materialized);
         const hydrated = await loadHydratedInboundContext({
             conversationId: input.conversationId,
@@ -676,11 +689,24 @@ export async function main() {
             isOwner: input.isOwner,
             activeSelfContextId: input.activeSelfContextId,
             selfContexts: input.selfContexts,
+            provenance: input.provenance,
             hydratedPage: input.hydratedPage,
         });
         const behavior = input.behavior ?? hydrated.behavior;
         const activeSelfContextId = hydrated.activeSelfContextId;
         const selfContexts = hydrated.selfContexts;
+        const replyMedia = await materializePromptReplyContext({
+            replyContext: hydrated.replyContext,
+            agentId,
+            conversationId: input.conversationId,
+            logPrefix: `[canon-codex] [${input.conversationId.slice(0, 8)}]`,
+        });
+        const replyContext = replyMedia.replyContext;
+        const promptMaterialized = [...replyMedia.materialized, ...materialized];
+        const imagePaths = promptMaterialized
+            .map((attachment) => getCodexImagePath(attachment))
+            .filter((path) => path !== null);
+        const mediaAddDirs = uniqueStrings(promptMaterialized.map((attachment) => dirname(attachment.path)));
         const participantContext = hydrated.participantContext;
         const autoReply = decideAutoReply(participantContext, behavior);
         if (!autoReply.allow) {
@@ -717,6 +743,7 @@ export async function main() {
             participantContext,
             behavior,
             selfContexts,
+            replyContext,
         });
         if (session.running && deliveryIntent === 'interrupt') {
             enqueuePrompt(session, prompt, deliveryIntent, true, input.message.id, shouldMarkAccepted, imagePaths, mediaAddDirs);
@@ -1072,6 +1099,7 @@ export async function main() {
                     behavior: payload.behavior,
                     activeSelfContextId: payload.activeSelfContextId,
                     selfContexts: payload.selfContexts,
+                    provenance: payload.provenance,
                 });
                 if (message.id) {
                     saveRuntimeSessionState(runtimeId, {

package/dist/index.d.ts

@@ -1,3 +1,5 @@
 export { main as hostMain } from './host.js';
 export { main as registerMain } from './register.js';
 export { main as setupMain } from './setup.js';
+export { mapCanonApprovalResultToCodexDecision, mapCodexAppServerApprovalRequest, } from './app-server-approval.js';
+export type { CanonCodexApprovalRequest, CodexAppServerApprovalMethod, CodexApprovalDecision, CodexNativeApprovalRequest, } from './app-server-approval.js';

package/dist/index.js

@@ -1,3 +1,4 @@
 export { main as hostMain } from './host.js';
 export { main as registerMain } from './register.js';
 export { main as setupMain } from './setup.js';
+export { mapCanonApprovalResultToCodexDecision, mapCodexAppServerApprovalRequest, } from './app-server-approval.js';

package/dist/permission-mode.d.ts

@@ -2,15 +2,19 @@ import type { CodexSandboxMode } from './adapter.js';
 export declare const CODEX_PERMISSION_OPTIONS: readonly [{
     readonly value: "readonly";
     readonly label: "Read-only";
+    readonly description: "Inspect files and project state without making changes.";
 }, {
     readonly value: "workspace";
     readonly label: "Workspace-write";
+    readonly description: "Edit inside the selected workspace using Codex CLI sandboxing.";
 }, {
     readonly value: "full-auto";
     readonly label: "Full auto";
+    readonly description: "Automatically run workspace-write actions with lower-friction approvals.";
 }, {
     readonly value: "bypass";
     readonly label: "Bypass (dangerous)";
+    readonly description: "Skip Codex approval and sandbox protection. Use only in an externally sandboxed environment.";
 }];
 export type CodexPermissionMode = (typeof CODEX_PERMISSION_OPTIONS)[number]['value'];
 export type CodexApprovalShape = {

package/dist/permission-mode.js

@@ -1,8 +1,8 @@
 export const CODEX_PERMISSION_OPTIONS = [
-    { value: 'readonly', label: 'Read-only' },
-    { value: 'workspace', label: 'Workspace-write' },
-    { value: 'full-auto', label: 'Full auto' },
-    { value: 'bypass', label: 'Bypass (dangerous)' },
+    { value: 'readonly', label: 'Read-only', description: 'Inspect files and project state without making changes.' },
+    { value: 'workspace', label: 'Workspace-write', description: 'Edit inside the selected workspace using Codex CLI sandboxing.' },
+    { value: 'full-auto', label: 'Full auto', description: 'Automatically run workspace-write actions with lower-friction approvals.' },
+    { value: 'bypass', label: 'Bypass (dangerous)', description: 'Skip Codex approval and sandbox protection. Use only in an externally sandboxed environment.' },
 ];
 export function mapCanonPermissionToCodex(mode) {
     switch (mode) {
@@ -29,12 +29,8 @@ export function deriveCodexPermissionEnvelope(args) {
             availablePermissionModes: codexOptionsThrough('readonly'),
         };
     }
-    if (args.sandbox === 'danger-full-access') {
-        return {
-            availablePermissionModes: args['dangerously-bypass-approvals-and-sandbox']
-                ? [...CODEX_PERMISSION_OPTIONS]
-                : codexOptionsThrough('full-auto'),
-        };
+    if (args.sandbox === 'danger-full-access' && !args['dangerously-bypass-approvals-and-sandbox']) {
+        throw new Error('Codex sandbox danger-full-access cannot be used as an unlabeled Canon default. Use --dangerously-bypass-approvals-and-sandbox if you intentionally want the Bypass policy.');
     }
     if (args['dangerously-bypass-approvals-and-sandbox']) {
         return {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@canonmsg/codex-plugin",
-  "version": "0.11.2",
+  "version": "0.11.4",
   "description": "Canon host integration for Codex CLI",
   "type": "module",
   "main": "dist/index.js",
@@ -29,8 +29,8 @@
     "prepack": "npm run build"
   },
   "dependencies": {
-    "@canonmsg/agent-sdk": "^1.4.0",
-    "@canonmsg/core": "^0.18.0"
+    "@canonmsg/agent-sdk": "^1.5.0",
+    "@canonmsg/core": "^0.19.0"
   },
   "engines": {
     "node": ">=18.0.0"