From 857f3d9efa88702845e4e23373f5e7db2fd8ce8a Mon Sep 17 00:00:00 2001 From: Matt Van Horn <455140+mvanhorn@users.noreply.github.com> Date: Tue, 24 Mar 2026 07:55:31 -0700 Subject: [PATCH 1/2] fix(ce-work-beta): add explicit sandbox and approval flags to Codex delegation The delegate step told the agent to "run the delegate CLI" without specifying sandbox mode or approval policy. Users without global yolo config in ~/.codex/config.toml hit the network sandbox wall when Codex tried to install dependencies in non-interactive exec mode. Now specifies -s workspace-write (network + workspace disk access) and -a never (no approval prompts in non-interactive mode). Co-Authored-By: Claude Opus 4.6 (1M context) --- plugins/compound-engineering/skills/ce-work-beta/SKILL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/compound-engineering/skills/ce-work-beta/SKILL.md b/plugins/compound-engineering/skills/ce-work-beta/SKILL.md index f0f698269..5b42844da 100644 --- a/plugins/compound-engineering/skills/ce-work-beta/SKILL.md +++ b/plugins/compound-engineering/skills/ce-work-beta/SKILL.md @@ -474,7 +474,7 @@ When external delegation is active, follow this workflow for each tagged task. D 3. **Write prompt to file** — Save the assembled prompt to a unique temporary file to avoid shell quoting issues and cross-task races. Use a unique filename per task. -4. **Delegate** — Run the delegate CLI, piping the prompt file via stdin (not argv expansion, which hits `ARG_MAX` on large prompts). Omit the model flag to use the delegate's default model, which stays current without manual updates. +4. **Delegate** — Run the delegate CLI with `-s workspace-write -a never`, piping the prompt file via stdin (not argv expansion, which hits `ARG_MAX` on large prompts). The `-s workspace-write` flag grants workspace disk writes and network access (needed for `npm install`, `pip install`, dependency fetches). The `-a never` flag disables approval prompts, which is required because `exec` mode is non-interactive and has no user to prompt. Without these flags, users whose global Codex config does not set `approval_policy` and `sandbox_mode` will see delegation fail on any network operation. Omit the model flag to use the delegate's default model, which stays current without manual updates. 5. **Review diff** — After the delegate finishes, verify the diff is non-empty and in-scope. Run the project's test/lint commands. If the diff is empty or out-of-scope, fall back to standard mode for that task. From fa01f0343e3e06c08d5ad4d0b3c562c94aa7f9c3 Mon Sep 17 00:00:00 2001 From: Matt Van Horn <455140+mvanhorn@users.noreply.github.com> Date: Thu, 26 Mar 2026 19:43:13 -0700 Subject: [PATCH 2/2] fix(ce-work-beta): use danger-full-access for reliable network in delegation workspace-write does not guarantee outbound network access across all Codex versions and configurations. Delegation tasks often need npm install, pip install, or other dependency fetches. Switch to danger-full-access to ensure network operations succeed regardless of the user's Codex config. Co-Authored-By: Claude Opus 4.6 --- plugins/compound-engineering/skills/ce-work-beta/SKILL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/compound-engineering/skills/ce-work-beta/SKILL.md b/plugins/compound-engineering/skills/ce-work-beta/SKILL.md index 5b42844da..de1e3cda1 100644 --- a/plugins/compound-engineering/skills/ce-work-beta/SKILL.md +++ b/plugins/compound-engineering/skills/ce-work-beta/SKILL.md @@ -474,7 +474,7 @@ When external delegation is active, follow this workflow for each tagged task. D 3. **Write prompt to file** — Save the assembled prompt to a unique temporary file to avoid shell quoting issues and cross-task races. Use a unique filename per task. -4. **Delegate** — Run the delegate CLI with `-s workspace-write -a never`, piping the prompt file via stdin (not argv expansion, which hits `ARG_MAX` on large prompts). The `-s workspace-write` flag grants workspace disk writes and network access (needed for `npm install`, `pip install`, dependency fetches). The `-a never` flag disables approval prompts, which is required because `exec` mode is non-interactive and has no user to prompt. Without these flags, users whose global Codex config does not set `approval_policy` and `sandbox_mode` will see delegation fail on any network operation. Omit the model flag to use the delegate's default model, which stays current without manual updates. +4. **Delegate** — Run the delegate CLI with `-s danger-full-access -a never`, piping the prompt file via stdin (not argv expansion, which hits `ARG_MAX` on large prompts). The `-s danger-full-access` flag grants full filesystem and network access, which is needed because delegated tasks often run `npm install`, `pip install`, or other dependency-fetching commands that require outbound network. The `workspace-write` sandbox does not guarantee network access across all Codex versions and configurations. The `-a never` flag disables approval prompts, which is required because `exec` mode is non-interactive and has no user to prompt. Without these flags, users whose global Codex config does not set `approval_policy` and `sandbox_mode` will see delegation fail on any network operation. Omit the model flag to use the delegate's default model, which stays current without manual updates. 5. **Review diff** — After the delegate finishes, verify the diff is non-empty and in-scope. Run the project's test/lint commands. If the diff is empty or out-of-scope, fall back to standard mode for that task.