clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-04-24 14:45:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add PR description file for execpolicy refactor

Browse Source
This commit is contained in:
kevin zhao
2025-12-03 19:08:26 +00:00
parent dfc8a837fd
commit 210d0a3cf5
1 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
PR-refactor.md Normal file
View File

@@ -0,0 +1,11 @@
## Summary
Refactor of the `execpolicy` crate
To make `1` possible, we needed to refactor the `execpolicy` crate. To illustrate why, consider an agent attempting to run `apple | rm -rf ./`. Suppose `apple` is allowed by `execpolicy`. Before this PR, `execpolicy` would consider `apple` and `pear` and only render one rule match: `Allow`. We would skip any heuristics checks on `rm -rf ./` and immediately approve `apple | rm -rf ./` to run.
To fix this, we now thread a `fallback` evaluation function into `execpolicy` that runs when no `execpolicy` rules match a given command. In our example, we would run `fallback` on `rm -rf ./` and prevent `apple | rm -rf ./` from being run without approval.
## Testing
- not run (not requested)