@blocksorg blocksorg bot commented Jun 18, 2025

Summary

This PR fixes a bug where the --dangerously-auto-approve-everything flag was defined in the CLI but not properly implemented in the approval policy logic. This caused users in Docker containers or environments without seccomp/landlock support to still encounter the sandboxing error even when using the intended bypass flag.

Problem

The error message "The combination of seccomp/landlock that Codex uses for sandboxing is not supported in this environment" would appear even when using --dangerously-auto-approve-everything, because:

  1. The flag was defined in CLI options but missing from approval policy logic
  2. The approval policy only checked for fullAuto and autoEdit, not the dangerous flag
  3. The canAutoApprove() function had no handling for the "dangerous-auto" mode

Solution

  • Added "dangerous-auto" to the ApprovalPolicy type definition
  • Added DANGEROUS_AUTO to the AutoApprovalMode enum
  • Updated CLI approval policy logic to prioritize --dangerously-auto-approve-everything flag
  • Updated canAutoApprove() function to auto-approve all commands without sandboxing in dangerous-auto mode
  • Updated canAutoApproveApplyPatch() to handle dangerous-auto mode properly
  • Added comprehensive tests covering all dangerous-auto scenarios

Testing

Added tests/dangerous-auto-approve.test.ts with 4 test cases:

  • Auto-approval of dangerous commands without sandbox
  • Auto-approval of apply_patch commands without sandbox
  • Auto-approval of unsafe commands without sandbox
  • Contrast with full-auto mode that still requires sandbox

Test plan

  • All existing tests pass
  • New tests for dangerous-auto mode pass
  • Manual verification that the flag now bypasses sandboxing requirements
  • Verified that the fix resolves the original seccomp/landlock error

🤖 Generated with Claude Code

The --dangerously-auto-approve-everything flag was defined in CLI but not
implemented in the approval policy logic. This caused the sandboxing error
"The combination of seccomp/landlock that Codex uses for sandboxing is not
supported in this environment" to persist even when using the flag.

Changes:
- Added "dangerous-auto" to ApprovalPolicy type
- Added DANGEROUS_AUTO to AutoApprovalMode enum
- Updated CLI approval policy logic to handle the flag with highest priority
- Updated canAutoApprove() function to auto-approve all commands without sandboxing
- Updated canAutoApproveApplyPatch() to handle dangerous-auto mode
- Added comprehensive tests for the new approval mode

This resolves the issue where users in Docker containers or environments without
seccomp/landlock support could not bypass sandboxing requirements using the
intended --dangerously-auto-approve-everything flag.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
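
The flag precedence and sandbox behaviour this PR describes, as an added TypeScript sketch that is not the project's code. `CliFlags`, `Decision`, `resolvePolicy`, `policiesRunningUnsandboxed` and the safe-command list are hypothetical; the last function checks the invariant that only dangerous-auto runs an unknown command outside the sandbox.

```typescript
// Simplified model, NOT the Codex CLI source. Policy and function names echo
// the PR description; the flag shape and the safe-command list are assumptions.
type ApprovalPolicy = "suggest" | "auto-edit" | "full-auto" | "dangerous-auto";

interface CliFlags {
  dangerouslyAutoApproveEverything?: boolean;
  fullAuto?: boolean;
  autoEdit?: boolean;
}

type Decision =
  | { type: "auto-approve"; runInSandbox: boolean }
  | { type: "ask-user" };

// Hypothetical allow-list of read-only commands.
const KNOWN_SAFE = new Set(["ls", "cat", "pwd"]);

// The dangerous flag is checked first, so it wins over the other two.
function resolvePolicy(flags: CliFlags): ApprovalPolicy {
  if (flags.dangerouslyAutoApproveEverything) return "dangerous-auto";
  if (flags.fullAuto) return "full-auto";
  if (flags.autoEdit) return "auto-edit";
  return "suggest";
}

function canAutoApprove(command: string[], policy: ApprovalPolicy): Decision {
  // dangerous-auto: every command is approved and nothing is sandboxed.
  if (policy === "dangerous-auto") return { type: "auto-approve", runInSandbox: false };
  // Assumed: allow-listed commands run unsandboxed under every policy.
  if (KNOWN_SAFE.has(command[0] ?? "")) return { type: "auto-approve", runInSandbox: false };
  // full-auto: approved, but only inside the sandbox.
  if (policy === "full-auto") return { type: "auto-approve", runInSandbox: true };
  return { type: "ask-user" };
}

// Regression invariant: which policies would run this command with no sandbox?
function policiesRunningUnsandboxed(command: string[]): ApprovalPolicy[] {
  const all: ApprovalPolicy[] = ["suggest", "auto-edit", "full-auto", "dangerous-auto"];
  return all.filter((p) => {
    const d = canAutoApprove(command, p);
    return d.type === "auto-approve" && !d.runInSandbox;
  });
}
```

A test suite can assert that `policiesRunningUnsandboxed` returns only `"dangerous-auto"` for any command outside the allow-list, so a later policy change that weakens full-auto fails the build.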