Refactor execpolicy fallback evaluation (#7544)

## Refactor of the `execpolicy` crate To illustrate why we need this refactor, consider an agent attempting to run `apple | rm -rf ./`. Suppose `apple` is allowed by `execpolicy`. Before this PR, `execpolicy` would consider `apple` and `pear` and only render one rule match: `Allow`. We would skip any heuristics checks on `rm -rf ./` and immediately approve `apple | rm -rf ./` to run. To fix this, we now thread a `fallback` evaluation function into `execpolicy` that runs when no `execpolicy` rules match a given command. In our example, we would run `fallback` on `rm -rf ./` and prevent `apple | rm -rf ./` from being run without approval.
2026-04-24 22:54:54 +00:00 · 2025-12-04 02:39:48 -05:00
parent e925a380dc
commit 3d35cb4619
27 changed files with 538 additions and 257 deletions
--- a/codex-rs/cli/tests/execpolicy.rs
+++ b/codex-rs/cli/tests/execpolicy.rs
@@ -40,17 +40,15 @@ prefix_rule(
    assert_eq!(
        result,
        json!({
-            "match": {
-                "decision": "forbidden",
-                "matchedRules": [
-                    {
-                        "prefixRuleMatch": {
-                            "matchedPrefix": ["git", "push"],
-                            "decision": "forbidden"
-                        }
+            "decision": "forbidden",
+            "matchedRules": [
+                {
+                    "prefixRuleMatch": {
+                        "matchedPrefix": ["git", "push"],
+                        "decision": "forbidden"
                    }
-                ]
-            }
+                }
+            ]
        })
    );