feat: let admins configure managed skill and marketplace controls

codex-rs/app-server-protocol/src/protocol/v2/config.rs

@@ -360,11 +360,41 @@ pub struct ConfigRequirements {
     pub feature_requirements: Option<BTreeMap<String, bool>>,
     #[experimental("configRequirements/read.hooks")]
     pub hooks: Option<ManagedHooksRequirements>,
+    #[experimental("configRequirements/read.skills")]
+    pub skills: Option<SkillsRequirements>,
+    #[experimental("configRequirements/read.pluginMarketplaces")]
+    pub plugin_marketplaces: Option<PluginMarketplaceRequirements>,
     pub enforce_residency: Option<ResidencyRequirement>,
     #[experimental("configRequirements/read.network")]
     pub network: Option<NetworkRequirements>,
 }
 
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct SkillsRequirements {
+    pub allowed_sources: Option<Vec<SkillSourceRequirement>>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, JsonSchema, TS)]
+#[serde(rename_all = "lowercase")]
+#[ts(export_to = "v2/")]
+pub enum SkillSourceRequirement {
+    User,
+    Repo,
+    System,
+    Admin,
+    Plugin,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct PluginMarketplaceRequirements {
+    pub allowed_names: Option<Vec<String>>,
+    pub allow_user_additions: Option<bool>,
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]

codex-rs/app-server-protocol/src/protocol/v2/tests.rs

@@ -1809,6 +1809,8 @@ fn config_requirements_granular_allowed_approval_policy_is_marked_experimental()
             allowed_web_search_modes: None,
             feature_requirements: None,
             hooks: None,
+            skills: None,
+            plugin_marketplaces: None,
             enforce_residency: None,
             network: None,
         });

codex-rs/app-server/README.md

@@ -232,7 +232,7 @@ Example with notification opt-out:
 - `externalAgentConfig/import` — apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home) and any plugin/session `details` returned by detect. When a request includes migration items, the server emits `externalAgentConfig/import/completed` once after the full import finishes (immediately after the response when everything completed synchronously, or after background imports finish).
 - `config/value/write` — write a single config key/value to the user's config.toml on disk.
 - `config/batchWrite` — apply multiple config edits atomically to the user's config.toml on disk, with optional `reloadUserConfig: true` to hot-reload loaded threads.
-- `configRequirements/read` — fetch loaded requirements constraints from `requirements.toml` and/or MDM (or `null` if none are configured), including allow-lists (`allowedApprovalPolicies`, `allowedSandboxModes`, `allowedWebSearchModes`), pinned feature values (`featureRequirements`), managed lifecycle hooks (`hooks`), `enforceResidency`, and `network` constraints such as canonical domain/socket permissions plus `managedAllowedDomainsOnly` and `dangerFullAccessDenylistOnly`.
+- `configRequirements/read` — fetch loaded requirements constraints from `requirements.toml`, cloud requirements, and/or MDM (or `null` if none are configured), including allow-lists (`allowedApprovalPolicies`, `allowedSandboxModes`, `allowedWebSearchModes`), pinned feature values (`featureRequirements`), managed lifecycle hooks (`hooks`), skill source restrictions (`skills`), plugin marketplace restrictions (`pluginMarketplaces`), `enforceResidency`, and `network` constraints such as canonical domain/socket permissions plus `managedAllowedDomainsOnly` and `dangerFullAccessDenylistOnly`.
 
 ### Example: Start or resume a thread
 

codex-rs/app-server/src/request_processors/config_processor.rs

@@ -28,16 +28,22 @@ use codex_app_server_protocol::ModelProviderCapabilitiesReadResponse;
 use codex_app_server_protocol::NetworkDomainPermission;
 use codex_app_server_protocol::NetworkRequirements;
 use codex_app_server_protocol::NetworkUnixSocketPermission;
+use codex_app_server_protocol::PluginMarketplaceRequirements;
 use codex_app_server_protocol::SandboxMode;
 use codex_app_server_protocol::ServerNotification;
+use codex_app_server_protocol::SkillSourceRequirement;
+use codex_app_server_protocol::SkillsRequirements;
 use codex_chatgpt::connectors;
 use codex_config::ConfigRequirementsToml;
 use codex_config::HookEventsToml;
 use codex_config::HookHandlerConfig as CoreHookHandlerConfig;
 use codex_config::ManagedHooksRequirementsToml;
 use codex_config::MatcherGroup as CoreMatcherGroup;
+use codex_config::PluginMarketplaceRequirementsToml;
 use codex_config::ResidencyRequirement as CoreResidencyRequirement;
 use codex_config::SandboxModeRequirement as CoreSandboxModeRequirement;
+use codex_config::SkillSourceRequirement as CoreSkillSourceRequirement;
+use codex_config::SkillsRequirementsToml;
 use codex_core::ThreadManager;
 use codex_features::Feature;
 use codex_features::canonical_feature_for_key;
@@ -445,13 +451,49 @@ fn map_requirements_toml_to_api(requirements: ConfigRequirementsToml) -> ConfigR
             .feature_requirements
             .map(|requirements| requirements.entries),
         hooks: requirements.hooks.map(map_hooks_requirements_to_api),
+        skills: requirements.skills.map(map_skills_requirements_to_api),
+        plugin_marketplaces: requirements
+            .plugin_marketplaces
+            .map(map_plugin_marketplace_requirements_to_api),
         enforce_residency: requirements
             .enforce_residency
             .map(map_residency_requirement_to_api),
         network: requirements.network.map(map_network_requirements_to_api),
     }
 }
 
+fn map_skills_requirements_to_api(requirements: SkillsRequirementsToml) -> SkillsRequirements {
+    SkillsRequirements {
+        allowed_sources: requirements.allowed_sources.map(|sources| {
+            sources
+                .into_iter()
+                .map(map_skill_source_requirement_to_api)
+                .collect()
+        }),
+    }
+}
+
+fn map_skill_source_requirement_to_api(
+    source: CoreSkillSourceRequirement,
+) -> SkillSourceRequirement {
+    match source {
+        CoreSkillSourceRequirement::User => SkillSourceRequirement::User,
+        CoreSkillSourceRequirement::Repo => SkillSourceRequirement::Repo,
+        CoreSkillSourceRequirement::System => SkillSourceRequirement::System,
+        CoreSkillSourceRequirement::Admin => SkillSourceRequirement::Admin,
+        CoreSkillSourceRequirement::Plugin => SkillSourceRequirement::Plugin,
+    }
+}
+
+fn map_plugin_marketplace_requirements_to_api(
+    requirements: PluginMarketplaceRequirementsToml,
+) -> PluginMarketplaceRequirements {
+    PluginMarketplaceRequirements {
+        allowed_names: requirements.allowed_names,
+        allow_user_additions: requirements.allow_user_additions,
+    }
+}
+
 fn map_hooks_requirements_to_api(hooks: ManagedHooksRequirementsToml) -> ManagedHooksRequirements {
     let ManagedHooksRequirementsToml {
         managed_dir,