clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-04-24 06:35:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

update cli with new behavior

Browse Source
This commit is contained in:
kevin zhao
2025-12-02 23:03:22 +00:00
parent 59fd706deb
commit 06676fdaea
5 changed files with 54 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
codex-rs/cli/tests/execpolicy.rs
View File

@@ -40,17 +40,15 @@ prefix_rule(
assert_eq!(
result,
json!({
"match": {
"decision": "forbidden",
"matchedRules": [
{
"prefixRuleMatch": {
"matchedPrefix": ["git", "push"],
"decision": "forbidden"
}
"decision": "forbidden",
"matchedRules": [
{
"prefixRuleMatch": {
"matchedPrefix": ["git", "push"],
"decision": "forbidden"
}
]
}
}
]
})
);

32
codex-rs/execpolicy/README.md
View File

@@ -30,32 +30,24 @@ codex execpolicy check --policy path/to/policy.codexpolicy git status
cargo run -p codex-execpolicy -- check --policy path/to/policy.codexpolicy git status
```
- Example outcomes:
- Match: `{"match": { ... "decision": "allow" ... }}`
- No match: `{"noMatch": {}}`
- Match: `{"matchedRules":[{...}],"decision":"allow"}`
- No match: `{"matchedRules":[]}`
## Response shapes
- Match:
## Response shape
```json
{
"match": {
"decision": "allow|prompt|forbidden",
"matchedRules": [
{
"prefixRuleMatch": {
"matchedPrefix": ["<token>", "..."],
"decision": "allow|prompt|forbidden"
}
"matchedRules": [
{
"prefixRuleMatch": {
"matchedPrefix": ["<token>", "..."],
"decision": "allow|prompt|forbidden"
}
]
}
}
],
"decision": "allow|prompt|forbidden"
}
```
- No match:
```json
{"noMatch": {}}
```
- When no rules match, `matchedRules` is an empty array and `decision` is omitted.
- `matchedRules` lists every rule whose prefix matched the command; `matchedPrefix` is the exact prefix that matched.
- The effective `decision` is the strictest severity across all matches (`forbidden` > `prompt` > `allow`).

27
codex-rs/execpolicy/src/execpolicycheck.rs
View File

@@ -4,11 +4,12 @@ use std::path::PathBuf;
use anyhow::Context;
use anyhow::Result;
use clap::Parser;
use serde::Serialize;
use crate::Decision;
use crate::Evaluation;
use crate::Policy;
use crate::PolicyParser;
use crate::RuleMatch;
/// Arguments for evaluating a command against one or more execpolicy files.
#[derive(Debug, Parser, Clone)]
@@ -35,20 +36,25 @@ impl ExecPolicyCheckCommand {
/// Load the policies for this command, evaluate the command, and render JSON output.
pub fn run(&self) -> Result<()> {
let policy = load_policies(&self.policies)?;
let evaluation = policy.check(&self.command, &|_| Decision::Allow);
let matched_rules = policy.matches_for_command(&self.command, None);
let json = format_evaluation_json(&evaluation, self.pretty)?;
let json = format_matches_json(&matched_rules, self.pretty)?;
println!("{json}");
Ok(())
}
}
pub fn format_evaluation_json(evaluation: &Evaluation, pretty: bool) -> Result<String> {
pub fn format_matches_json(matched_rules: &[RuleMatch], pretty: bool) -> Result<String> {
let output = ExecPolicyCheckOutput {
matched_rules,
decision: matched_rules.iter().map(RuleMatch::decision).max(),
};
if pretty {
serde_json::to_string_pretty(evaluation).map_err(Into::into)
serde_json::to_string_pretty(&output).map_err(Into::into)
} else {
serde_json::to_string(evaluation).map_err(Into::into)
serde_json::to_string(&output).map_err(Into::into)
}
}
@@ -66,3 +72,12 @@ pub fn load_policies(policy_paths: &[PathBuf]) -> Result<Policy> {
Ok(parser.build())
}
#[derive(Serialize)]
#[serde(rename_all = "camelCase")]
struct ExecPolicyCheckOutput<'a> {
#[serde(rename = "matchedRules")]
matched_rules: &'a [RuleMatch],
#[serde(skip_serializing_if = "Option::is_none")]
decision: Option<Decision>,
}

10
codex-rs/execpolicy/src/main.rs
View File

@@ -4,8 +4,8 @@ use std::path::PathBuf;
use anyhow::Context;
use anyhow::Result;
use clap::Parser;
use codex_execpolicy::Decision;
use codex_execpolicy::PolicyParser;
use codex_execpolicy::execpolicycheck::format_matches_json;
/// CLI for evaluating exec policies
#[derive(Parser)]
@@ -45,12 +45,8 @@ fn main() -> Result<()> {
fn cmd_check(policy_paths: Vec<PathBuf>, args: Vec<String>, pretty: bool) -> Result<()> {
let policy = load_policies(&policy_paths)?;
let eval = policy.check(&args, &|_| Decision::Allow);
let json = if pretty {
serde_json::to_string_pretty(&eval)?
} else {
serde_json::to_string(&eval)?
};
let matched_rules = policy.matches_for_command(&args, None);
let json = format_matches_json(&matched_rules, pretty)?;
println!("{json}");
Ok(())
}

17
codex-rs/execpolicy/src/policy.rs
View File

@@ -54,7 +54,7 @@ impl Policy {
where
F: Fn(&[String]) -> Decision,
{
let matched_rules = self.matches_for_command(cmd, heuristics_fallback);
let matched_rules = self.matches_for_command(cmd, Some(heuristics_fallback));
Evaluation::from_matches(matched_rules)
}
@@ -70,16 +70,19 @@ impl Policy {
{
let matched_rules: Vec<RuleMatch> = commands
.into_iter()
.flat_map(|command| self.matches_for_command(command.as_ref(), heuristics_fallback))
.flat_map(|command| {
self.matches_for_command(command.as_ref(), Some(heuristics_fallback))
})
.collect();
Evaluation::from_matches(matched_rules)
}
fn matches_for_command<F>(&self, cmd: &[String], heuristics_fallback: &F) -> Vec<RuleMatch>
where
F: Fn(&[String]) -> Decision,
{
pub fn matches_for_command(
&self,
cmd: &[String],
heuristics_fallback: Option<&dyn Fn(&[String]) -> Decision>,
) -> Vec<RuleMatch> {
let mut matched_rules: Vec<RuleMatch> = match cmd.first() {
Some(first) => self
.rules_by_program
@@ -89,7 +92,7 @@ impl Policy {
None => Vec::new(),
};
if matched_rules.is_empty() {
if let (true, Some(heuristics_fallback)) = (matched_rules.is_empty(), heuristics_fallback) {
matched_rules.push(RuleMatch::HeuristicsRuleMatch {
command: cmd.to_vec(),
decision: heuristics_fallback(cmd),