docs: disclose codex isolation limits

2026-06-16 08:25:14 +02:00 · 2026-06-01 18:10:09 +02:00 · 2026-06-01 18:10:09 +02:00 · 27bedb2879
commit 27bedb2879
parent 5966a09c49
8 changed files with 68 additions and 2 deletions
--- a/packages/cli/src/context/llm/codex-isolation.ts
+++ b/packages/cli/src/context/llm/codex-isolation.ts
@ -0,0 +1,9 @@
+export const CODEX_ISOLATION_WARNING =
+  'Codex backend isolation is limited by the public Codex SDK/CLI surface: ktx restricts the runtime MCP server to the current ktx tool set, disables Codex web search, asks for a read-only sandbox, and sets approval_policy=never, but Codex may still load user Codex config and built-in command execution or read-only file capabilities.';
+
+export const CODEX_ISOLATION_WARNING_FIX =
+  'Use llm.provider.backend: claude-code when you need stricter Claude-Code-style runtime tool isolation, or remove host Codex MCP/tool config before running untrusted prompts through the codex backend.';
+
+export function formatCodexIsolationWarning(): string {
+  return `${CODEX_ISOLATION_WARNING} ${CODEX_ISOLATION_WARNING_FIX}`;
+}
--- a/packages/cli/src/setup-models.ts
+++ b/packages/cli/src/setup-models.ts
@ -2,6 +2,7 @@ import { execFile } from 'node:child_process';
 import { writeFile } from 'node:fs/promises';
 import { promisify } from 'node:util';
 import { runClaudeCodeAuthProbe } from './context/llm/claude-code-runtime.js';
+import { formatCodexIsolationWarning } from './context/llm/codex-isolation.js';
 import { runCodexAuthProbe } from './context/llm/codex-runtime.js';
 import { resolveLocalKtxLlmConfig } from './context/llm/local-config.js';
 import { resolveKtxConfigReference } from './context/core/config-reference.js';
@ -1113,6 +1114,7 @@ export async function runKtxSetupAnthropicModelStep(
        io.stderr.write(`${health.message}\n`);
        return { status: 'failed', projectDir: args.projectDir };
      }
+      io.stderr.write(`${formatCodexIsolationWarning()}\n`);
      await persistLlmConfig(args.projectDir, { backend: 'codex' }, model.model);
      io.stdout.write(`│  LLM ready: yes (codex, ${model.model})\n`);
      return { status: 'ready', projectDir: args.projectDir };
--- a/packages/cli/src/status-project.ts
+++ b/packages/cli/src/status-project.ts
@ -1,6 +1,10 @@
 import { stat as statAsync, readdir as readdirAsync } from 'node:fs/promises';
 import { basename, join } from 'node:path';
 import { runClaudeCodeAuthProbe } from './context/llm/claude-code-runtime.js';
+import {
+  CODEX_ISOLATION_WARNING,
+  CODEX_ISOLATION_WARNING_FIX,
+} from './context/llm/codex-isolation.js';
 import { runCodexAuthProbe } from './context/llm/codex-runtime.js';
 import type { KtxConfigIssue, KtxProjectConfig, KtxProjectConnectionConfig, KtxProjectEmbeddingConfig, KtxProjectLlmConfig } from './context/project/config.js';
 import type { KtxLocalProject } from './context/project/project.js';
@ -609,6 +613,13 @@ function buildWarnings(
    });
  }

+  if (llm.backend === 'codex') {
+    warnings.push({
+      message: CODEX_ISOLATION_WARNING,
+      fix: CODEX_ISOLATION_WARNING_FIX,
+    });
+  }
+
  return warnings;
 }