mirror of
https://github.com/Kaelio/ktx.git
synced 2026-07-01 08:59:39 +02:00
docs: disclose codex isolation limits
parent
5966a09c49
commit
27bedb2879
8 changed files with 68 additions and 2 deletions
@ -74,8 +74,15 @@ enrichment, memory, and other LLM-backed work through Codex.
|
|||
|
||||
During runtime loops, **ktx** starts a temporary loopback MCP server for the
|
||||
current run, exposes only the tools passed to that run, asks Codex to use a
|
||||
read-only sandbox with approval disabled, auto-approves only those run-scoped
|
||||
MCP tools, and disables Codex web search.
|
||||
read-only sandbox, sets `approval_policy=never`, auto-approves only those
|
||||
run-scoped MCP tools, and disables Codex web search.
|
||||
|
||||
Codex backend isolation is currently limited by the public Codex SDK and CLI
|
||||
surface. Codex may still load user Codex config and built-in command execution
|
||||
or read-only file capabilities. Use `llm.provider.backend: claude-code` when
|
||||
you need stricter Claude-Code-style runtime tool isolation, or remove host
|
||||
Codex MCP and tool config before running untrusted prompts through the `codex`
|
||||
backend.
|
||||
|
||||
## Prompt caching
|
||||
|
||||
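Review bot: In the added limits paragraph, the second mitigation ("remove host Codex MCP and tool config before running untrusted prompts") covers only the user-config half of the limit stated one sentence earlier. The "built-in command execution or read-only file capabilities" that the same paragraph discloses would still be present after that cleanup, so a reader could take the `codex` backend to be safe for untrusted prompts once the host config is gone. Suggest saying explicitly that those built-in capabilities remain on the `codex` backend even with host config removed, and making `llm.provider.backend: claude-code` the recommendation for untrusted input rather than one of two equal options. The sentence "Codex may still load user Codex config and built-in command execution or read-only file capabilities" is also hard to parse, since "load" does not fit "capabilities"; something like "may still load user Codex config and may still have built-in command execution and read-only file access" reads more clearly. Finally, the preceding paragraph's "exposes only the tools passed to that run" now sits directly above a paragraph saying other tools may be reachable; qualifying it as "exposes only the run-scoped MCP tools from ktx" would keep the two consistent.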