feat(tui): render structured network approval prompts in approval overlay #11674
viyatb-oai merged 62 commits into main
…elation hardening
dylan-hurd-oai
left a comment
Generally looks good once previous PRs in the stack clear!
…atb/pr-c-network-core-orchestration
…x/viyatb/pr-d-network-tui-ux
…/pr-b-network-core-plumbing
Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
Align PR-B callsites and structs with the branch's current network approval plumbing surface so workspace clippy passes cleanly.

- Remove partially wired C-layer runtime/orchestrator fields from B-level code paths
- Fill required protocol/error fields with compatibility defaults
- Update remaining start_proxy callsites to current signature

Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
cdc3ccf to b010edf
Update ExecApprovalRequestEvent test fixtures to include network_approval_context now that the protocol field is required on this branch. Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
…nd retry flow (#11673)

### Description

#### Summary

Integrates structured network approvals into the core orchestration path.

#### What changed

- Wired structured network approval handling into tool orchestration/retry paths.
- Integrated approval outcomes into command execution lifecycle.
- Added orchestration-level handling for allow-once/session approval behavior.
- Connected core session/delegate surfaces required for end-to-end approval flow.
- Updated related core test coverage for orchestration behavior.

#### Why

With plumbing in place from parent, this PR makes network approvals operational in core command execution flow.

#### Notes

- Gated behavior remains aligned with managed network requirements and sandbox policy.

---------

Co-authored-by: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
- only construct inline network policy decider when network proxy config is enabled
- map proxy protocol tag "http-connect" to HTTPS approval context

Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
Reuse decision/source constants from codex-network-proxy in network policy parsing to avoid duplicated string literals and drift. Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
Parse network policy payload decision/source into typed proxy enums with custom deserializers, and remove string comparisons from approval gating logic. Also switch internal exec attempt IDs to UUID in ExecParams, converting to string only at proxy env boundaries. Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
…nfig

When unified-exec sees delayed user denial, terminate the process and explicitly release process state + unregister the network attempt in the watcher path. Also inline policy-decider builder configuration in NetworkProxySpec::start_proxy and remove the separate builder-returning helper.

Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
Inline the restricted-sandbox match at callsite and remove a single-use helper to keep start_proxy flow linear. Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
Use Self::stdout_stream(ctx) instead of ShellRuntime::stdout_stream(ctx) for consistency with impl-local helper calls. Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
Move network approval attempt/session state into a dedicated service, wire structured blocked-request callbacks from the managed proxy, and route unified-exec cleanup through service APIs so approval flow no longer depends on proxy telemetry lookups. Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
Rename and centralize managed network decider/observer construction in network_approval to keep codex session startup wiring minimal, and remove the extra unified-exec delayed-denial debug log. Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
…dex/viyatb/pr-d-network-tui-ux
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 79a66635eb
…val types

Regenerate app-server protocol JSON/TypeScript schema fixtures so they include the network approval context/protocol types referenced by approval events.

Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
- add Config::managed_network_requirements_enabled() and use it in core, app-server, and debug_sandbox
- extract managed proxy startup flow in Session helper
- move unified-exec delayed network denial watcher into async_watcher and gate it by managed requirements
- simplify network policy protocol parsing by using serde enum aliases instead of a custom deserializer

Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
- avoid consuming non-user network outcomes in the unified-exec denial watcher
- add take_user_denial_outcome so policy denials remain available for deferred reporting
- gate managed proxy startup outside the awaited helper call in Session setup

Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
Use a chained if-let to make the early-return guard in unregister_network_attempt_for_entry more compact, matching reviewer suggestion. Co-Authored-By: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
…lumbing' into codex/viyatb/pr-d-network-tui-ux
| fn exec_options( | ||
| proposed_execpolicy_amendment: Option<ExecPolicyAmendment>, | ||
| network_approval_context: Option<&NetworkApprovalContext>, | ||
| ) -> Vec<ApprovalOption> { | ||
| if network_approval_context.is_some() { | ||
| return vec![ |
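Review bot: In `exec_options`, the early return on `network_approval_context.is_some()` comes before anything in the visible lines reads `proposed_execpolicy_amendment`, so an amendment passed together with a network context would be dropped with no signal to the caller. If the two are meant to be mutually exclusive, a short doc comment on the function stating that the network context takes precedence, or a `debug_assert!` that the amendment is `None` in that branch, would make the behaviour explicit for an approval prompt where the offered options matter.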
nit: Given the pattern - fn (a, b) { if a.is_some() { return ... } ... }, you might find that in general, the code reads much nicer as:
fn_a(a) { ... }
fn_b(b) { ... }
let x = if a.is_some() { fn_a(a) } else { fn_b(b) }
(where a and b are network_approval_context and proposed_execpolicy_amendment)
You've got that pattern almost already below (exec_options, patch_options)
Description
Summary
Adds the TUI UX layer for structured network approvals
What changed
Why
Core orchestration can now request structured network approvals; this ensures users see clear, contextual prompts in the TUI.
Notes