feat: add sandbox_mode, approval_policy, and network_access variables to Codex module

- Introduced new variables for sandbox configuration: sandbox_mode, approval_policy, and network_access.
- Updated README to reflect the new variables and their usage.
- Modified install and start scripts to utilize the new variables for better configuration management.

Author: DevelopmentCats

registry/coder-labs/modules/codex/README.md

@@ -65,12 +65,12 @@ module "coder-login" {
 }
 
 module "codex" {
-  source         = "registry.coder.com/coder-labs/codex/coder"
-  agent_id       = coder_agent.example.id
-  openai_api_key = "..."
-  ai_prompt      = data.coder_parameter.ai_prompt.value
-  folder         = "/home/coder/project"
-  full_auto      = true
+  source          = "registry.coder.com/coder-labs/codex/coder"
+  agent_id        = coder_agent.example.id
+  openai_api_key  = "..."
+  ai_prompt       = data.coder_parameter.ai_prompt.value
+  folder          = "/home/coder/project"
+  approval_policy = "never" # Full auto mode
 }
 ```
 
@@ -94,52 +94,45 @@ The module automatically configures Codex with a secure sandbox that allows AI t
 
 ### Customizing Sandbox Behavior
 
-You can override the default sandbox configuration using the `extra_codex_settings_toml` variable:
+You can customize the sandbox behavior using dedicated variables:
 
-#### **For Containerized Environments (Recommended)**
+#### **Using Dedicated Variables (Recommended)**
 
-If you encounter Landlock sandbox errors in containerized environments like Coder workspaces:
+For most use cases, use the dedicated sandbox variables:
 
 ```tf
 module "codex" {
   source = "registry.coder.com/coder-labs/codex/coder"
   # ... other variables ...
 
-  extra_codex_settings_toml = <<-EOT
-    # Disable sandbox for containerized environments (per Codex docs)
-    sandbox_mode = "danger-full-access"
-  EOT
-}
-```
+  # Containerized environments (fixes Landlock errors)
+  sandbox_mode = "danger-full-access"
 
-#### **For Read-Only Mode**
+  # Or for read-only mode
+  # sandbox_mode = "read-only"
 
-```tf
-extra_codex_settings_toml = <<-EOT
-  sandbox_mode = "read-only"
-EOT
-```
+  # Or for full auto mode
+  # approval_policy = "never"
 
-#### **For Full Auto Mode**
-
-```tf
-extra_codex_settings_toml = <<-EOT
-  approval_policy = "never"
-EOT
+  # Or disable network access
+  # network_access = false
+}
 ```
 
-#### **For Restricted Network Access**
+#### **Using extra_codex_settings_toml (Advanced)**
 
-If you want to disable network access for security reasons:
+For advanced configuration or when you need to override multiple settings:
 
 ```tf
 extra_codex_settings_toml = <<-EOT
-  network_access = false
+  # Any custom Codex configuration
+  model = "gpt-4"
+  disable_response_storage = true
 EOT
 ```
 
 > [!NOTE]
-> Custom settings completely override the base configuration, so you can change any sandbox behavior as needed.
+> The dedicated variables (`sandbox_mode`, `approval_policy`, `network_access`) are the recommended way to configure sandbox behavior. Use `extra_codex_settings_toml` only for advanced configuration that isn't covered by the dedicated variables.
 
 ## Troubleshooting
 

registry/coder-labs/modules/codex/main.tf

@@ -59,6 +59,32 @@ variable "extra_codex_settings_toml" {
   default     = ""
 }
 
+variable "sandbox_mode" {
+  type        = string
+  description = "The sandbox mode for Codex. Options: workspace-write, read-only, danger-full-access."
+  default     = "workspace-write"
+  validation {
+    condition     = contains(["workspace-write", "read-only", "danger-full-access"], var.sandbox_mode)
+    error_message = "sandbox_mode must be one of: workspace-write, read-only, danger-full-access."
+  }
+}
+
+variable "approval_policy" {
+  type        = string
+  description = "The approval policy for Codex. Options: on-request, never, untrusted."
+  default     = "on-request"
+  validation {
+    condition     = contains(["on-request", "never", "untrusted"], var.approval_policy)
+    error_message = "approval_policy must be one of: on-request, never, untrusted."
+  }
+}
+
+variable "network_access" {
+  type        = bool
+  description = "Whether to allow network access in workspace-write mode."
+  default     = true
+}
+
 variable "openai_api_key" {
   type        = string
   description = "Codex API Key"
@@ -113,11 +139,7 @@ variable "codex_system_prompt" {
   default     = ""
 }
 
-variable "full_auto" {
-  type        = bool
-  description = "Whether to run Codex in full-auto mode for automated task execution."
-  default     = false
-}
+
 
 resource "coder_env" "openai_api_key" {
   agent_id = var.agent_id
@@ -160,7 +182,6 @@ module "agentapi" {
      ARG_CODEX_MODEL='${var.codex_model}' \
      ARG_CODEX_START_DIRECTORY='${var.folder}' \
      ARG_CODEX_TASK_PROMPT='${base64encode(var.ai_prompt)}' \
-     ARG_CODEX_FULL_AUTO='${var.full_auto}' \
      /tmp/start.sh
    EOT
 
@@ -178,6 +199,9 @@ module "agentapi" {
     ARG_ADDITIONAL_EXTENSIONS='${base64encode(var.additional_extensions)}' \
     ARG_CODEX_START_DIRECTORY='${var.folder}' \
     ARG_CODEX_INSTRUCTION_PROMPT='${base64encode(var.codex_system_prompt)}' \
+    ARG_SANDBOX_MODE='${var.sandbox_mode}' \
+    ARG_APPROVAL_POLICY='${var.approval_policy}' \
+    ARG_NETWORK_ACCESS='${var.network_access}' \
     /tmp/install.sh
   EOT
 }

registry/coder-labs/modules/codex/scripts/install.sh

@@ -100,12 +100,12 @@ function populate_config_toml() {
     cat << EOF
 # Base sandbox configuration for Codex workspace access
 # This ensures Codex can read/write files in the specified folder for AI tasks
-sandbox_mode = "workspace-write"
-approval_policy = "on-request"
+sandbox_mode = "${ARG_SANDBOX_MODE}"
+approval_policy = "${ARG_APPROVAL_POLICY}"
 
 # Allow network access in workspace-write mode for package installation, API calls, etc.
 [sandbox_workspace_write]
-network_access = true
+network_access = ${ARG_NETWORK_ACCESS}
 EOF
   )
 

registry/coder-labs/modules/codex/scripts/start.sh

@@ -23,7 +23,6 @@ printf "openai_api_key: %s\n" "$ARG_OPENAI_API_KEY"
 printf "codex_model: %s\n" "$ARG_CODEX_MODEL"
 printf "start_directory: %s\n" "$ARG_CODEX_START_DIRECTORY"
 printf "task_prompt: %s\n" "$ARG_CODEX_TASK_PROMPT"
-printf "full_auto: %s\n" "$ARG_CODEX_FULL_AUTO"
 echo "--------------------------------"
 set +o nounset
 CODEX_ARGS=()
@@ -57,9 +56,7 @@ if [ -n "$ARG_CODEX_MODEL" ]; then
   CODEX_ARGS+=("--model" "$ARG_CODEX_MODEL")
 fi
 
-if [ "$ARG_CODEX_FULL_AUTO" = "true" ]; then
-  CODEX_ARGS+=("--full-auto")
-fi
+
 
 if [ -n "$ARG_CODEX_TASK_PROMPT" ]; then
   printf "Running the task prompt %s\n" "$ARG_CODEX_TASK_PROMPT"