feat: expose managed artifact requirements

[viyatb-oai]

Superseded by #21413. During a stack restack, GitHub marked this stacked PR merged once its head commit became contained in its base branch. Nothing from this PR landed on main.

Why

Once the lower stack adds the local contract and enforcement, the same requirements shape also needs to travel through cloud-managed requirements and app-server inspection APIs. Without that propagation layer, local requirements.toml would work but enterprise-managed surfaces would lag behind the runtime capability.

This PR is only the management/exposure layer on top of the lower stack. It does not add new enforcement behavior.

What changed

• Added cloud-requirements parsing coverage for:

  [skills]
  allowed_sources = ["system", "admin", "plugin"]
  
  [plugin_marketplaces]
  allowed_names = ["openai-curated", "arm-internal"]
  allow_user_additions = false

• Exposed the new managed requirements through configRequirements/read.

• Regenerated the app-server protocol JSON and TypeScript schemas for the new response fields.

• Updated the app-server README example to include the managed artifact requirements.

Verification

• Added cloud parsing coverage in codex-rs/cloud-requirements/src/lib.rs.
• Updated protocol coverage in codex-rs/app-server-protocol/src/protocol/v2/tests.rs.

Stack

• feat: let admins configure managed skill and marketplace controls #21413: managed artifact requirement schema
• feat: prepare managed controls for skills and marketplaces #21462: cloud/app-server exposure
• feat: restrict which skill sources Codex can load #21457: managed skill enforcement
• feat: restrict which plugin marketplaces Codex can use #21458: core plugin allowlist enforcement
• feat: enforce marketplace restrictions at plugin entry points #21459: plugin entrypoint enforcement

[chatgpt-codex-connector]

💡 Codex Review

codex/codex-rs/core-plugins/src/manager.rs

Lines 475 to 480 in 2e1d9c6

	let config_version = version_for_toml(&config.config_layer_stack.effective_config());
	if !force_reload
	&& let Some(outcome) =
	self.cached_enabled_outcome(&config_version, plugin_hooks_enabled)
	{
	return outcome;

Include marketplace requirements in plugin cache key

plugins_for_config reuses a cached outcome using only the effective config TOML and hooks flag. The new marketplace filtering is based on config_layer_stack.requirements(), which effective_config() explicitly excludes, so two configs with identical TOML but different managed allowlists will share a cache entry and can keep disallowed plugins effective until a manual reload.

---

codex/codex-rs/core-skills/src/manager.rs

Lines 149 to 153 in 2e1d9c6

	if use_cwd_cache
	&& !force_reload
	&& let Some(outcome) = self.cached_outcome_for_cwd(&input.cwd)
	{
	return outcome;

Key skill cwd cache by managed requirements

The cwd cache returns before the new retain_allowed_skill_roots filter runs. Because the key is only input.cwd, loading a cwd once without skill-source restrictions and then applying managed skills.allowed_sources for the same cwd returns the stale unrestricted outcome, leaving user/repo/plugin skills visible despite the new policy.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".