Skip to content

feat(hooks): add managed hooks#15937

Open
viyatb-oai wants to merge 7 commits intocodex/viyatb/hooks-trust-precedencefrom
codex/viyatb/hook-safety-controls
Open

feat(hooks): add managed hooks#15937
viyatb-oai wants to merge 7 commits intocodex/viyatb/hooks-trust-precedencefrom
codex/viyatb/hook-safety-controls

Conversation

@viyatb-oai
Copy link
Copy Markdown
Collaborator

@viyatb-oai viyatb-oai commented Mar 27, 2026
edited
Loading

Summary

Adds a managed-policy control for lifecycle hooks and surfaces a startup warning when hooks are loaded.

Changes

  • Add allow_managed_hooks_only / allowManagedHooksOnly to config requirements and app-server protocol surfaces.
  • Apply the new requirement to requirements.toml, MDM-managed requirements_toml_base64, and cloud requirements; legacy managed_config.toml remains limited to approval_policy and sandbox_mode.
  • Skip non-managed hooks.json files when the managed-only requirement is enabled.
  • Emit a startup warning that hooks run arbitrary shell commands outside the sandbox and list the loaded hooks.json files.
  • Show the new requirement in TUI debug config output and document it in docs/config.md.

Why

Hooks are privileged by design and run outside the sandbox. This makes that behavior explicit at startup and gives admins a lockdown option that still allows managed hooks.

@viyatb-oai viyatb-oai changed the title [codex] add managed hooks lockdown feat(hooks): add managed hooks Mar 27, 2026
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hook-safety-controls branch from f29a621 to a16d990 Compare March 27, 2026 19:49
@viyatb-oai viyatb-oai changed the base branch from main to codex/viyatb/hooks-trust-precedence March 27, 2026 19:50
@eternal-openai
Copy link
Copy Markdown
Contributor

eternal-openai commented Mar 27, 2026

Thanks for this, looks very directionally correct and spec adherent -- will review again later when you think it's out of draft mode

@viyatb-oai viyatb-oai marked this pull request as ready for review March 30, 2026 17:21
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hooks-trust-precedence branch from 9401e5f to f0f222a Compare March 31, 2026 04:39
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hook-safety-controls branch from a16d990 to 6c5ea83 Compare March 31, 2026 04:40
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hooks-trust-precedence branch from f0f222a to 456697a Compare April 6, 2026 19:40
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hook-safety-controls branch from 6c5ea83 to b7976a4 Compare April 6, 2026 19:40
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hooks-trust-precedence branch from 456697a to c564cda Compare April 7, 2026 03:04
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hook-safety-controls branch from b7976a4 to 4f8689d Compare April 7, 2026 03:06
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hooks-trust-precedence branch from c564cda to 647f61a Compare April 7, 2026 03:41
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hook-safety-controls branch from 4f8689d to 36587f3 Compare April 7, 2026 03:42
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hooks-trust-precedence branch from 647f61a to c22dec5 Compare April 7, 2026 03:53
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hook-safety-controls branch 2 times, most recently from 1a06341 to 85609af Compare April 7, 2026 04:09
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hooks-trust-precedence branch from 15872f2 to 6b3ef89 Compare April 7, 2026 04:45
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hook-safety-controls branch from 85609af to e00bbff Compare April 7, 2026 04:45
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hooks-trust-precedence branch from 6b3ef89 to d22f07a Compare April 7, 2026 17:59
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hook-safety-controls branch from e00bbff to b7f9332 Compare April 7, 2026 18:00
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hooks-trust-precedence branch from d22f07a to 8110afa Compare April 7, 2026 19:25
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hook-safety-controls branch 2 times, most recently from 50ae0cd to 513683c Compare April 7, 2026 21:05
viyatb-oai and others added 4 commits April 7, 2026 14:48
@viyatb-oai
feat: add managed hooks lockdown
b04edb1
@viyatb-oai @codex
style: format hook safety imports
de886c5 
Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai @codex
fix: annotate managed hook test literal
c5decba 
Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai @codex
fix: complete managed hooks requirements tests
5ab034b 
Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/hook-safety-controls branch from 513683c to 5ab034b Compare April 7, 2026 21:49
eternal-openai
eternal-openai approved these changes Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@eternal-openai eternal-openai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing work !

@github-actions github-actions bot mentioned this pull request Apr 17, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eternal-openai eternal-openai eternal-openai approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@viyatb-oai @eternal-openai