✨ feat: ADR-011 local mode + credential source abstraction

apps/www/sidebar.generated.json

@@ -200,6 +200,13 @@
       {
         "label": "ADR-007: Phase C design alignment",
         "slug": "architecture/adr-007-phase-c-design-alignment"
+      },
+      {
+        "label": "ADR-011: Local Mode and Credential Source Abstraction",
+        "slug": "architecture/adr-011-local-mode-and-credential-sources",
+        "translations": {
+          "zh-CN": "ADR-011：本地模式与凭据来源抽象"
+        }
       }
     ]
   }

apps/www/src/content/docs/architecture/index.md

@@ -14,3 +14,4 @@ This section collects architecture decision records (ADRs) and longer-lived tech
 - [ADR-005: Unified Credential Agent Wiring](/architecture/adr-005-unified-credential-agent-wiring/)
 - [ADR-006: Workspace x Team x Project Domain Model](/architecture/adr-006-workspace-team-project-model/)
 - [ADR-007: Agent-Driven Workflow Automation](/architecture/adr-007-agent-driven-workflow-automation/)
+- [ADR-011: Local Mode and Credential Source Abstraction](/architecture/adr-011-local-mode-and-credential-sources/)

apps/www/src/content/docs/zh-cn/architecture/index.md

@@ -13,5 +13,7 @@ description: "这里收录长期有效的架构决策记录（ADR）和技术说
 - [ADR-004: Policy Engine and Accountable Role](/zh-cn/architecture/adr-004-policy-engine-and-accountable-role/)
 - [ADR-005: Unified Credential Agent Wiring](/zh-cn/architecture/adr-005-unified-credential-agent-wiring/)
 - [ADR-006: Workspace x Team x Project Domain Model](/zh-cn/architecture/adr-006-workspace-team-project-model/)
+- [ADR-007: Agent 驱动的工作流自动化](/zh-cn/architecture/adr-007-agent-driven-workflow-automation/)
+- [ADR-011：本地模式与凭据来源抽象](/zh-cn/architecture/adr-011-local-mode-and-credential-sources/)
 
 说明：目前 ADR 正文仍以英文为主，这个页面仅提供中文入口。

crates/oversight-agents/manifests/codex.toml

@@ -1,10 +1,40 @@
 id = "codex"
 display_name = "OpenAI Codex CLI"
 spec_version = 2
-embedded_revision = 4
+embedded_revision = 7
 is_builtin = true
 enabled = true
 
+# ── Host bubblewrap broken? (ADR-011 e2e finding) ─────────────────
+# Some Linux hosts (older kernels, restricted user-namespaces,
+# locked-down seccomp profiles) can't run codex's built-in bubblewrap
+# sandbox. The symptom is every shell / apply_patch op failing with
+#   `bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted`
+# and the run terminating in seconds with no file edits.
+#
+# The shipped default below uses `sandbox_mode="workspace-write"`
+# which engages bwrap and is the right secure default for most hosts.
+# Operators on broken-bwrap hosts can override the full args via the
+# `CODEX_ACP_ARGS_JSON` env var, e.g.:
+#
+#   export CODEX_ACP_ARGS_JSON='[
+#     "-y", "@zed-industries/codex-acp@latest",
+#     "-c", "approval_policy=\"never\"",
+#     "-c", "sandbox_mode=\"danger-full-access\""
+#   ]'
+#
+# `danger-full-access` skips bwrap entirely. Only use on hosts where
+# you have OTHER process containment (container, VM, user-isolation)
+# — agent shell ops then run with the worker process's privileges.
+# The Claude adapter is a separate option; it uses a different
+# sandbox model and is unaffected by this bwrap issue.
+#
+# Contract: when `CODEX_ACP_ARGS_JSON` is set the operator has taken
+# full responsibility for launcher args, and `[runtime.forced_args]`
+# below are NOT re-applied. The override is whole-args, not key-wise.
+# Editing the env var to drop the safety pins is therefore equivalent
+# to editing the manifest in the vault; both require operator trust.
+
 [detect]
 kind = "command"
 exec = "codex --version"
@@ -63,7 +93,7 @@ model_env = "OVERSIGHT_CODEX_MODEL"
 # `model` field.
 default_model = ""
 max_concurrent = 4
-cleanup_files = [".codex-instructions.md"]
+cleanup_files = [".oversight/codex-instructions.md"]
 
 [[runtime.forced_args]]
 key = "approval_policy"
@@ -74,7 +104,7 @@ key = "sandbox_mode"
 value = "\"workspace-write\""
 
 [runtime.workspace]
-prompt_file = ".codex-instructions.md"
+prompt_file = ".oversight/codex-instructions.md"
 
 [runtime.workspace.prompt_assembly]
 kind = "append_skill_section"