Load exec policy rules from requirements (#10190)

`requirements.toml` should be able to specify rules which always run. 

My intention here was that these rules could only ever be restrictive,
which means the decision can be "prompt" or "forbidden" but never
"allow". A requirement of "you must always allow this command" didn't
make sense to me, but happy to be gaveled otherwise.

Rules already apply the most restrictive decision, so we can safely
merge these with rules found in other config folders.
This commit is contained in:
gt-oai
2026-01-30 18:04:09 +00:00
committed by GitHub
parent 23db79fae2
commit 5662eb8b75
9 changed files with 398 additions and 71 deletions

@@ -136,6 +136,7 @@ mod tests {
CoreSandboxModeRequirement::ExternalSandbox,
]),
mcp_servers: None,
rules: None,
};
let mapped = map_requirements_toml_to_api(requirements);
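
Review bot: The fixture in this test only sets `rules: None` (the line after `mcp_servers: None`), so `map_requirements_toml_to_api` is never exercised with a populated rules value. If rules from requirements are meant to appear in the mapped API output, add a case with a non-empty `rules` value and assert on the result; if the mapping drops them on purpose, a short comment next to `rules: None` saying so would keep a later reader from assuming the field is covered here.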