From 7cbc9c6a791decfff3d7931d81d4f1fec3119a30 Mon Sep 17 00:00:00 2001
From: starr-openai <starr@openai.com>
Date: Wed, 8 Apr 2026 12:29:48 -0700
Subject: [PATCH] codex: fix exec-server sandbox rebase build

Validate exec-server cwd values into AbsolutePathBuf before sandbox transforms, pass the helper executable as Option<&Path>, and keep the Linux helper alias cfg-specific so non-Linux builds typecheck.

Co-authored-by: Codex <noreply@openai.com>
---
 codex-rs/exec-server/src/bin/codex-exec-server.rs | 9 +++++++--
 codex-rs/exec-server/src/local_process.rs         | 6 ++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/codex-rs/exec-server/src/bin/codex-exec-server.rs b/codex-rs/exec-server/src/bin/codex-exec-server.rs
index 67ee0db18c..cbf34abc47 100644
--- a/codex-rs/exec-server/src/bin/codex-exec-server.rs
+++ b/codex-rs/exec-server/src/bin/codex-exec-server.rs
@@ -20,8 +20,13 @@ struct ExecServerArgs {
 fn main() -> anyhow::Result<()> {
     dispatch_linux_sandbox_arg0();
 
-    let linux_sandbox_alias = LinuxSandboxAlias::create();
-    let codex_linux_sandbox_exe = linux_sandbox_alias.as_ref().map(|alias| alias.path.clone());
+    let _linux_sandbox_alias = LinuxSandboxAlias::create();
+    #[cfg(target_os = "linux")]
+    let codex_linux_sandbox_exe = _linux_sandbox_alias
+        .as_ref()
+        .map(|alias| alias.path.clone());
+    #[cfg(not(target_os = "linux"))]
+    let codex_linux_sandbox_exe = None;
 
     let runtime = tokio::runtime::Builder::new_multi_thread()
         .enable_all()
diff --git a/codex-rs/exec-server/src/local_process.rs b/codex-rs/exec-server/src/local_process.rs
index b9943327a3..66b743bf8c 100644
--- a/codex-rs/exec-server/src/local_process.rs
+++ b/codex-rs/exec-server/src/local_process.rs
@@ -12,6 +12,7 @@ use codex_app_server_protocol::JSONRPCErrorError;
 use codex_sandboxing::SandboxCommand;
 use codex_sandboxing::SandboxExecRequest;
 use codex_sandboxing::SandboxType;
+use codex_utils_absolute_path::AbsolutePathBuf;
 use codex_utils_pty::ExecCommandSession;
 use codex_utils_pty::TerminalSize;
 use tokio::sync::Mutex;
@@ -513,7 +514,8 @@ fn build_sandbox_command(
     Ok(SandboxCommand {
         program: program.clone().into(),
         args: args.to_vec(),
-        cwd: cwd.to_path_buf(),
+        cwd: AbsolutePathBuf::try_from(cwd)
+            .map_err(|err| invalid_params(format!("cwd must be absolute: {err}")))?,
         env: env.clone(),
         additional_permissions,
     })
@@ -537,7 +539,7 @@ fn prepare_exec_launch(
             // sandbox profile generation preserves proxy-specific allowances.
             /*network*/
             None,
-            runtime.codex_linux_sandbox_exe.as_ref(),
+            runtime.codex_linux_sandbox_exe.as_deref(),
         )
         .map_err(|err| internal_error(format!("failed to build sandbox launch: {err}")))?;
     launch.prepare_env_for_spawn();