Harden CodexClaw default runtime permissions

.env.example

@@ -14,10 +14,10 @@ WORKSPACE_ROOT=.
 CODEX_WORKDIR=.
 CODEX_SDK_CONFIG={}
 CODEX_SDK_SKIP_GIT_REPO_CHECK=true
-CODEX_SDK_SANDBOX_MODE=danger-full-access
-CODEX_SDK_APPROVAL_POLICY=never
+CODEX_SDK_SANDBOX_MODE=workspace-write
+CODEX_SDK_APPROVAL_POLICY=on-request
 CODEX_SDK_REASONING_EFFORT=
-CODEX_SDK_NETWORK_ACCESS_ENABLED=
+CODEX_SDK_NETWORK_ACCESS_ENABLED=false
 CODEX_SDK_WEB_SEARCH_MODE=
 CODEX_SDK_ADDITIONAL_DIRECTORIES=[]
 SHELL_ENABLED=false
@@ -35,7 +35,7 @@ CRON_TIMEZONE=Asia/Shanghai
 
 MCP_SERVERS=[]
 
-GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxx
+GITHUB_TOKEN=github-token-with-minimal-scope
 GITHUB_DEFAULT_WORKDIR=.
 GITHUB_DEFAULT_BRANCH=main
 E2E_TEST_COMMAND=npx playwright test --reporter=line

README.md

@@ -6,7 +6,6 @@
 A Telegram bot that gives you remote access to `@openai/codex` through a Node.js runtime with two Codex backends: the Codex SDK and the legacy CLI/PTy path.  
 It is strictly inspired by `RichardAtCT/claude-code-telegram`, but this project is implemented for CodeX SDK/CLI + MCP + Subagent routing.
 
-
 ## What Is This?
 
 This bot connects Telegram to Codex and routes tasks to the right execution surface:
@@ -22,7 +21,6 @@ Key design goals:
 - Avoid duplicate MCP calls by separating Codex MCP vs Bot MCP responsibilities
 - Prefer the SDK backend for new installs, while keeping the CLI backend as a fallback
 
-
 ## Use This Like A Skill
 
 ### What It Does
@@ -70,7 +68,6 @@ npm run start
 
 For agent-oriented setup, see [SKILL.md](/Users/ding/Documents/Code/Github/CodexClaw/SKILL.md).
 
-
 ## Quick Start
 
 ### Prerequisites
@@ -79,7 +76,6 @@ For agent-oriented setup, see [SKILL.md](/Users/ding/Documents/Code/Github/Codex
 - Codex CLI -- https://github.com/openai/codex
 - Telegram Bot Token -- from `@BotFather`
 
-
 ## Development Commands
 
 - `npm run start` - start the bot
@@ -492,18 +488,17 @@ Telegram can manage runtime usage of Bot-side MCP and skills, but not install ar
 - Codex SDK reference: https://github.com/coleam00/codex-telegram-coding-assistant
 - This implementation: Codex-first Node.js stack (`@openai/codex-sdk`, `telegraf`, `node-pty`, `node-cron`, MCP SDK)
 
-
 ---
 
-## 🦞 OPC Ecosystem
+## ?? OPC Ecosystem
 
-> Built by [@MackDing](https://github.com/MackDing) — One-Person Company infrastructure powered by AI agents.
+> Built by [@MackDing](https://github.com/MackDing) ? One-Person Company infrastructure powered by AI agents.
 
-| Project | What it does |
-|---------|-------------|
-| [**opc.ren**](https://opc.ren) | OPC founder hub — tools, signals, community |
-| [**CodexClaw**](https://github.com/MackDing/CodexClaw) | Telegram bot for remote Codex access with MCP + subagent routing |
-| [**awesome-ai-api**](https://github.com/MackDing/awesome-ai-api) | Leaderboard of 200+ AI API gateways & relays |
-| [**claude-context-health**](https://github.com/MackDing/claude-context-health) | Diagnose & fix Claude Code session degradation |
-| [**opc-daily-signal**](https://github.com/MackDing/opc-daily-signal) | AI-powered daily decision intelligence for OPC founders |
-| [**doc-preprocess-hub**](https://github.com/MackDing/doc-preprocess-hub) | Enterprise document preprocessing — MinerU + docling |
+| Project                                                                        | What it does                                                     |
+| ------------------------------------------------------------------------------ | ---------------------------------------------------------------- |
+| [**opc.ren**](https://opc.ren)                                                 | OPC founder hub ? tools, signals, community                      |
+| [**CodexClaw**](https://github.com/MackDing/CodexClaw)                         | Telegram bot for remote Codex access with MCP + subagent routing |
+| [**awesome-ai-api**](https://github.com/MackDing/awesome-ai-api)               | Leaderboard of 200+ AI API gateways & relays                     |
+| [**claude-context-health**](https://github.com/MackDing/claude-context-health) | Diagnose & fix Claude Code session degradation                   |
+| [**opc-daily-signal**](https://github.com/MackDing/opc-daily-signal)           | AI-powered daily decision intelligence for OPC founders          |
+| [**doc-preprocess-hub**](https://github.com/MackDing/doc-preprocess-hub)       | Enterprise document preprocessing ? MinerU + docling             |

src/config.ts

@@ -339,14 +339,14 @@ export function loadConfig(): AppConfig {
         "read-only",
         "workspace-write",
         "danger-full-access"
-      ]) || (runnerBackend === "sdk" ? "danger-full-access" : undefined),
+      ]) || (runnerBackend === "sdk" ? "workspace-write" : undefined),
     approvalPolicy:
       parseEnum<CodexApprovalPolicy>(process.env.CODEX_SDK_APPROVAL_POLICY, [
         "never",
         "on-request",
         "on-failure",
         "untrusted"
-      ]) || (runnerBackend === "sdk" ? "never" : undefined),
+      ]) || (runnerBackend === "sdk" ? "on-request" : undefined),
     modelReasoningEffort: parseEnum<CodexReasoningEffort>(
       process.env.CODEX_SDK_REASONING_EFFORT,
       ["minimal", "low", "medium", "high", "xhigh"]

tests/config.test.ts

@@ -227,7 +227,7 @@ test("loadConfig falls back to the current working directory when configured pat
   assert.equal(config.mcp.servers[0].cwd, cwd);
 });
 
-test("loadConfig defaults the sdk runtime to full access when unset", () => {
+test("loadConfig defaults the sdk runtime to least-privilege settings when unset", () => {
   const config = withEnv(
     {
       BOT_TOKEN: "telegram-token",
@@ -238,11 +238,8 @@ test("loadConfig defaults the sdk runtime to full access when unset", () => {
   );
 
   assert.equal(config.runner.backend, "sdk");
-  assert.equal(
-    config.runner.sdkThreadOptions.sandboxMode,
-    "danger-full-access"
-  );
-  assert.equal(config.runner.sdkThreadOptions.approvalPolicy, "never");
+  assert.equal(config.runner.sdkThreadOptions.sandboxMode, "workspace-write");
+  assert.equal(config.runner.sdkThreadOptions.approvalPolicy, "on-request");
 });
 
 test("loadConfig requires shell allowlist when safe shell is enabled", () => {