Run exec-server fs operations through sandbox helper (#17294)

## Summary - run exec-server filesystem RPCs requiring sandboxing through a `codex-fs` arg0 helper over stdin/stdout - keep direct local filesystem execution for `DangerFullAccess` and external sandbox policies - remove the standalone exec-server binary path in favor of top-level arg0 dispatch/runtime paths - add sandbox escape regression coverage for local and remote filesystem paths ## Validation - `just fmt` - `git diff --check` - remote devbox: `cd codex-rs && bazel test --bes_backend= --bes_results_url= //codex-rs/exec-server:all` (6/6 passed) --------- Co-authored-by: Codex <noreply@openai.com>
2026-04-29 08:56:38 +00:00 · 2026-04-12 18:36:03 -07:00
parent 7c1e41c8b6
commit d626dc3895
52 changed files with 2313 additions and 895 deletions
--- a/codex-rs/core/tests/suite/agents_md.rs
+++ b/codex-rs/core/tests/suite/agents_md.rs
@@ -33,9 +33,14 @@ async fn agents_override_is_preferred_over_agents_md() -> Result<()> {
        agents_instructions(test_codex().with_workspace_setup(|cwd, fs| async move {
            let agents_md = cwd.join("AGENTS.md");
            let override_md = cwd.join("AGENTS.override.md");
-            fs.write_file(&agents_md, b"base doc".to_vec()).await?;
-            fs.write_file(&override_md, b"override doc".to_vec())
+            fs.write_file(&agents_md, b"base doc".to_vec(), /*sandbox*/ None)
                .await?;
+            fs.write_file(
+                &override_md,
+                b"override doc".to_vec(),
+                /*sandbox*/ None,
+            )
+            .await?;
            Ok::<(), anyhow::Error>(())
        }))
        .await?;
@@ -62,9 +67,14 @@ async fn configured_fallback_is_used_when_agents_candidate_is_directory() -> Res
            .with_workspace_setup(|cwd, fs| async move {
                let agents_dir = cwd.join("AGENTS.md");
                let fallback = cwd.join("WORKFLOW.md");
-                fs.create_directory(&agents_dir, CreateDirectoryOptions { recursive: true })
+                fs.create_directory(
+                    &agents_dir,
+                    CreateDirectoryOptions { recursive: true },
+                    /*sandbox*/ None,
+                )
+                .await?;
+                fs.write_file(&fallback, b"fallback doc".to_vec(), /*sandbox*/ None)
                    .await?;
-                fs.write_file(&fallback, b"fallback doc".to_vec()).await?;
                Ok::<(), anyhow::Error>(())
            }),
    )
@@ -95,12 +105,22 @@ async fn agents_docs_are_concatenated_from_project_root_to_cwd() -> Result<()> {
                let git_marker = root.join(".git");
                let nested_agents = nested.join("AGENTS.md");

-                fs.create_directory(&nested, CreateDirectoryOptions { recursive: true })
+                fs.create_directory(
+                    &nested,
+                    CreateDirectoryOptions { recursive: true },
+                    /*sandbox*/ None,
+                )
+                .await?;
+                fs.write_file(&root_agents, b"root doc".to_vec(), /*sandbox*/ None)
                    .await?;
-                fs.write_file(&root_agents, b"root doc".to_vec()).await?;
-                fs.write_file(&git_marker, b"gitdir: /tmp/mock-git-dir\n".to_vec())
+                fs.write_file(
+                    &git_marker,
+                    b"gitdir: /tmp/mock-git-dir\n".to_vec(),
+                    /*sandbox*/ None,
+                )
+                .await?;
+                fs.write_file(&nested_agents, b"child doc".to_vec(), /*sandbox*/ None)
                    .await?;
-                fs.write_file(&nested_agents, b"child doc".to_vec()).await?;
                Ok::<(), anyhow::Error>(())
            }),
    )
--- a/codex-rs/core/tests/suite/hierarchical_agents.rs
+++ b/codex-rs/core/tests/suite/hierarchical_agents.rs
@@ -27,7 +27,8 @@ async fn hierarchical_agents_appends_to_project_doc_in_user_instructions() {
        })
        .with_workspace_setup(|cwd, fs| async move {
            let agents_md = cwd.join("AGENTS.md");
-            fs.write_file(&agents_md, b"be nice".to_vec()).await?;
+            fs.write_file(&agents_md, b"be nice".to_vec(), /*sandbox*/ None)
+                .await?;
            Ok::<(), anyhow::Error>(())
        });
    let test = builder
--- a/codex-rs/core/tests/suite/mod.rs
+++ b/codex-rs/core/tests/suite/mod.rs
@@ -30,9 +30,14 @@ pub static CODEX_ALIASES_TEMP_DIR: Option<TestCodexAliasesGuard> = {
        .and_then(|name| name.to_str())
        .unwrap_or("");
    let argv1 = args.next().unwrap_or_default();
+    if argv1 == CODEX_CORE_APPLY_PATCH_ARG1 {
+        let _ = arg0_dispatch();
+        return None;
+    }
+
    // Helper re-execs inherit this ctor too, but they may run inside a sandbox
    // where creating another CODEX_HOME tempdir under /tmp is not allowed.
-    if exe_name == CODEX_LINUX_SANDBOX_ARG0 || argv1 == CODEX_CORE_APPLY_PATCH_ARG1 {
+    if exe_name == CODEX_LINUX_SANDBOX_ARG0 {
        return None;
    }

--- a/codex-rs/core/tests/suite/remote_env.rs
+++ b/codex-rs/core/tests/suite/remote_env.rs
@@ -21,9 +21,11 @@ async fn remote_test_env_can_connect_and_use_filesystem() -> Result<()> {
    let payload = b"remote-test-env-ok".to_vec();

    file_system
-        .write_file(&file_path_abs, payload.clone())
+        .write_file(&file_path_abs, payload.clone(), /*sandbox*/ None)
+        .await?;
+    let actual = file_system
+        .read_file(&file_path_abs, /*sandbox*/ None)
        .await?;
-    let actual = file_system.read_file(&file_path_abs).await?;
    assert_eq!(actual, payload);

    file_system
@@ -33,6 +35,7 @@ async fn remote_test_env_can_connect_and_use_filesystem() -> Result<()> {
                recursive: false,
                force: true,
            },
+            /*sandbox*/ None,
        )
        .await?;

--- a/codex-rs/core/tests/suite/unified_exec.rs
+++ b/codex-rs/core/tests/suite/unified_exec.rs
@@ -191,7 +191,11 @@ async fn create_workspace_directory(
 ) -> Result<std::path::PathBuf> {
    let abs_path = test.config.cwd.join(rel_path.as_ref());
    test.fs()
-        .create_directory(&abs_path, CreateDirectoryOptions { recursive: true })
+        .create_directory(
+            &abs_path,
+            CreateDirectoryOptions { recursive: true },
+            /*sandbox*/ None,
+        )
        .await?;
    Ok(abs_path.into_path_buf())
 }
--- a/codex-rs/core/tests/suite/view_image.rs
+++ b/codex-rs/core/tests/suite/view_image.rs
@@ -87,7 +87,11 @@ fn png_bytes(width: u32, height: u32, rgba: [u8; 4]) -> anyhow::Result<Vec<u8>>
 async fn create_workspace_directory(test: &TestCodex, rel_path: &str) -> anyhow::Result<PathBuf> {
    let abs_path = test.config.cwd.join(rel_path);
    test.fs()
-        .create_directory(&abs_path, CreateDirectoryOptions { recursive: true })
+        .create_directory(
+            &abs_path,
+            CreateDirectoryOptions { recursive: true },
+            /*sandbox*/ None,
+        )
        .await?;
    Ok(abs_path.into_path_buf())
 }
@@ -100,10 +104,16 @@ async fn write_workspace_file(
    let abs_path = test.config.cwd.join(rel_path);
    if let Some(parent) = abs_path.parent() {
        test.fs()
-            .create_directory(&parent, CreateDirectoryOptions { recursive: true })
+            .create_directory(
+                &parent,
+                CreateDirectoryOptions { recursive: true },
+                /*sandbox*/ None,
+            )
            .await?;
    }
-    test.fs().write_file(&abs_path, contents).await?;
+    test.fs()
+        .write_file(&abs_path, contents, /*sandbox*/ None)
+        .await?;
    Ok(abs_path.into_path_buf())
 }