feat: let admins configure managed skill and marketplace controls

[viyatb-oai]

Why

Enterprise admins need a managed contract for the extensibility surfaces they may restrict, but that public surface should become usable only after the enforcement path exists. The lower PRs in this stack add the internal model and runtime enforcement first; this final PR activates the managed config surface and exposes it through cloud/app-server APIs.

What changed

• Made the managed requirement sections parseable from local and cloud-managed requirements:

  [skills]
  allowed_sources = ["system", "admin", "plugin"]
  
  [plugin_marketplaces]
  allowed_names = ["openai-curated", "approved-marketplace"]
  allow_user_additions = false

• Threaded the new fields through the shared requirements TOML model and exhaustive config fixtures.

• Exposed the new managed requirements through configRequirements/read.

• Regenerated the app-server protocol JSON and TypeScript schemas for the new response fields.

• Updated the app-server README example to include the managed artifact requirements.

Example config.toml

With the managed requirements above, an approved marketplace can still appear in user config.toml like this:

[features]
plugins = true

[marketplaces.approved-marketplace]
source_type = "git"
source = "https://github.com/example/approved-marketplace.git"

There is intentionally no user-writable allowed_sources key in config.toml; skill-source restrictions are enforced only from managed requirements.

Verification

• Added parsing coverage for the new requirement sections in codex-rs/config/src/config_requirements.rs.
• Added cloud parsing coverage in codex-rs/cloud-requirements/src/lib.rs.
• Updated protocol coverage in codex-rs/app-server-protocol/src/protocol/v2/tests.rs.

Stack

• feat: prepare managed controls for skills and marketplaces #21462: internal managed artifact requirement plumbing
• feat: restrict which skill sources Codex can load #21457: managed skill enforcement
• feat: restrict which plugin marketplaces Codex can use #21458: core plugin allowlist enforcement
• feat: enforce marketplace restrictions at plugin entry points #21459: plugin entrypoint enforcement
  --> feat: let admins configure managed skill and marketplace controls #21413: managed artifact requirements activation

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cc70905d44

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".