mirror of
https://github.com/openai/codex.git
synced 2026-04-24 06:35:50 +00:00
Fix sandbox extraction follow-ups
- trim leftover codex-core sandbox shims and retarget the remaining type plumbing - keep sandbox-related dependencies scoped to the crates and targets that actually use them Co-authored-by: Codex <noreply@openai.com>
This commit is contained in:
Ahmed Ibrahim
2
codex-rs/Cargo.lock
generated
2
codex-rs/Cargo.lock
generated
@@ -2159,6 +2159,7 @@ version = "0.0.0"
|
||||
dependencies = [
|
||||
"cc",
|
||||
"clap",
|
||||
"codex-core",
|
||||
"codex-protocol",
|
||||
"codex-sandbox",
|
||||
"codex-utils-absolute-path",
|
||||
@@ -2464,7 +2465,6 @@ dependencies = [
|
||||
"libc",
|
||||
"pretty_assertions",
|
||||
"seccompiler",
|
||||
"serde",
|
||||
"serde_json",
|
||||
"tempfile",
|
||||
"thiserror 2.0.18",
|
||||
|
||||
@@ -15,6 +15,7 @@ use codex_protocol::ThreadId;
|
||||
use codex_protocol::protocol::CodexErrorInfo;
|
||||
use codex_protocol::protocol::ErrorEvent;
|
||||
use codex_protocol::protocol::RateLimitSnapshot;
|
||||
use codex_sandbox::SandboxTransformError;
|
||||
use reqwest::StatusCode;
|
||||
use serde_json;
|
||||
use std::io;
|
||||
@@ -234,6 +235,20 @@ impl From<codex_sandbox::error::CodexErr> for CodexErr {
|
||||
}
|
||||
}
|
||||
|
||||
impl From<SandboxTransformError> for CodexErr {
|
||||
fn from(err: SandboxTransformError) -> Self {
|
||||
match err {
|
||||
SandboxTransformError::MissingLinuxSandboxExecutable => {
|
||||
CodexErr::LandlockSandboxExecutableNotProvided
|
||||
}
|
||||
#[cfg(not(target_os = "macos"))]
|
||||
SandboxTransformError::SeatbeltUnavailable => CodexErr::UnsupportedOperation(
|
||||
"seatbelt sandbox is only available on macOS".to_string(),
|
||||
),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl CodexErr {
|
||||
pub fn is_retryable(&self) -> bool {
|
||||
match self {
|
||||
|
||||
@@ -10,7 +10,6 @@ pub(crate) use codex_sandbox::ExecCapturePolicy;
|
||||
pub(crate) use codex_sandbox::ExecExpiration;
|
||||
pub(crate) use codex_sandbox::ExecParams;
|
||||
pub(crate) use codex_sandbox::ExecToolCallOutput;
|
||||
pub(crate) use codex_sandbox::IO_DRAIN_TIMEOUT_MS;
|
||||
pub(crate) use codex_sandbox::MAX_EXEC_OUTPUT_DELTAS_PER_CALL;
|
||||
pub(crate) use codex_sandbox::SandboxType;
|
||||
pub(crate) use codex_sandbox::StdoutStream;
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
use super::*;
|
||||
use codex_sandbox::IO_DRAIN_TIMEOUT_MS;
|
||||
use codex_protocol::config_types::WindowsSandboxLevel;
|
||||
use pretty_assertions::assert_eq;
|
||||
use std::collections::HashMap;
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
pub(crate) use codex_sandbox::allow_network_for_proxy;
|
||||
pub(crate) use codex_sandbox::create_linux_sandbox_command_args_for_policies;
|
||||
pub(crate) use codex_sandbox::spawn_command_under_linux_sandbox;
|
||||
@@ -45,7 +45,6 @@ pub mod git_info;
|
||||
mod guardian;
|
||||
mod hook_runtime;
|
||||
pub mod instructions;
|
||||
mod landlock;
|
||||
pub mod mcp;
|
||||
mod mcp_connection_manager;
|
||||
mod mcp_tool_approval_templates;
|
||||
@@ -78,8 +77,6 @@ mod text_encoding;
|
||||
pub use codex_login::token_data;
|
||||
mod truncate;
|
||||
mod unified_exec;
|
||||
mod windows_sandbox;
|
||||
mod windows_sandbox_read_grants;
|
||||
pub use client::X_RESPONSESAPI_INCLUDE_TIMING_METRICS_HEADER;
|
||||
pub use model_provider_info::DEFAULT_LMSTUDIO_PORT;
|
||||
pub use model_provider_info::DEFAULT_OLLAMA_PORT;
|
||||
@@ -125,7 +122,6 @@ mod seatbelt;
|
||||
pub mod shell;
|
||||
pub mod shell_snapshot;
|
||||
pub mod skills;
|
||||
mod spawn;
|
||||
pub mod state_db;
|
||||
mod tools;
|
||||
pub mod turn_diff_tracker;
|
||||
|
||||
@@ -6,7 +6,6 @@ pub(crate) use codex_sandbox::CommandSpec;
|
||||
pub(crate) use codex_sandbox::ExecRequest;
|
||||
pub(crate) use codex_sandbox::SandboxManager;
|
||||
pub(crate) use codex_sandbox::SandboxPermissions;
|
||||
pub(crate) use codex_sandbox::SandboxPreference;
|
||||
pub(crate) use codex_sandbox::SandboxTransformError;
|
||||
pub(crate) use codex_sandbox::effective_file_system_sandbox_policy;
|
||||
pub(crate) use codex_sandbox::intersect_permission_profiles;
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
pub(crate) use codex_sandbox::CODEX_SANDBOX_ENV_VAR;
|
||||
pub(crate) use codex_sandbox::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
|
||||
pub(crate) use codex_sandbox::StdioPolicy;
|
||||
@@ -23,6 +23,7 @@ use codex_protocol::permissions::FileSystemSandboxPolicy;
|
||||
use codex_protocol::permissions::NetworkSandboxPolicy;
|
||||
use codex_protocol::protocol::AskForApproval;
|
||||
use codex_protocol::protocol::ReviewDecision;
|
||||
use codex_sandbox::SandboxPreference;
|
||||
use futures::Future;
|
||||
use futures::future::BoxFuture;
|
||||
use serde::Serialize;
|
||||
@@ -280,14 +281,7 @@ pub(crate) trait Approvable<Req> {
|
||||
) -> BoxFuture<'a, ReviewDecision>;
|
||||
}
|
||||
|
||||
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
|
||||
pub(crate) enum SandboxablePreference {
|
||||
Auto,
|
||||
#[allow(dead_code)] // Will be used by later tools.
|
||||
Require,
|
||||
#[allow(dead_code)] // Will be used by later tools.
|
||||
Forbid,
|
||||
}
|
||||
pub(crate) type SandboxablePreference = SandboxPreference;
|
||||
|
||||
pub(crate) trait Sandboxable {
|
||||
fn sandbox_preference(&self) -> SandboxablePreference;
|
||||
|
||||
@@ -1,17 +0,0 @@
|
||||
pub(crate) use codex_sandbox::ELEVATED_SANDBOX_NUX_ENABLED;
|
||||
pub(crate) use codex_sandbox::WindowsSandboxLevelExt;
|
||||
pub(crate) use codex_sandbox::WindowsSandboxMode;
|
||||
pub(crate) use codex_sandbox::WindowsSandboxSetupMode;
|
||||
pub(crate) use codex_sandbox::WindowsSandboxSetupRequest;
|
||||
pub(crate) use codex_sandbox::elevated_setup_failure_details;
|
||||
pub(crate) use codex_sandbox::elevated_setup_failure_metric_name;
|
||||
pub(crate) use codex_sandbox::legacy_windows_sandbox_mode;
|
||||
pub(crate) use codex_sandbox::legacy_windows_sandbox_mode_from_entries;
|
||||
pub(crate) use codex_sandbox::resolve_windows_sandbox_mode;
|
||||
pub(crate) use codex_sandbox::resolve_windows_sandbox_private_desktop;
|
||||
pub(crate) use codex_sandbox::run_elevated_setup;
|
||||
pub(crate) use codex_sandbox::run_legacy_setup_preflight;
|
||||
pub(crate) use codex_sandbox::run_setup_refresh_with_extra_read_roots;
|
||||
pub(crate) use codex_sandbox::run_windows_sandbox_setup;
|
||||
pub(crate) use codex_sandbox::sandbox_setup_is_complete;
|
||||
pub(crate) use codex_sandbox::windows_sandbox_mode_tag;
|
||||
@@ -1 +0,0 @@
|
||||
pub(crate) use codex_sandbox::grant_read_root_non_elevated;
|
||||
@@ -26,7 +26,6 @@ codex-core = { workspace = true }
|
||||
codex-feedback = { workspace = true }
|
||||
codex-otel = { workspace = true }
|
||||
codex-protocol = { workspace = true }
|
||||
codex-sandbox = { workspace = true }
|
||||
codex-utils-absolute-path = { workspace = true }
|
||||
codex-utils-cli = { workspace = true }
|
||||
codex-utils-elapsed = { workspace = true }
|
||||
@@ -57,6 +56,7 @@ uuid = { workspace = true }
|
||||
[dev-dependencies]
|
||||
assert_cmd = { workspace = true }
|
||||
codex-apply-patch = { workspace = true }
|
||||
codex-sandbox = { workspace = true }
|
||||
codex-utils-cargo-bin = { workspace = true }
|
||||
core_test_support = { workspace = true }
|
||||
libc = { workspace = true }
|
||||
|
||||
@@ -28,6 +28,7 @@ serde_json = { workspace = true }
|
||||
url = { workspace = true }
|
||||
|
||||
[target.'cfg(target_os = "linux")'.dev-dependencies]
|
||||
codex-core = { workspace = true }
|
||||
pretty_assertions = { workspace = true }
|
||||
tempfile = { workspace = true }
|
||||
tokio = { workspace = true, features = [
|
||||
|
||||
@@ -21,8 +21,6 @@ codex-arg0 = { workspace = true }
|
||||
codex-core = { workspace = true }
|
||||
codex-features = { workspace = true }
|
||||
codex-protocol = { workspace = true }
|
||||
codex-sandbox = { workspace = true }
|
||||
codex-shell-command = { workspace = true }
|
||||
codex-utils-cli = { workspace = true }
|
||||
codex-utils-json-to-toml = { workspace = true }
|
||||
rmcp = { workspace = true }
|
||||
@@ -41,6 +39,8 @@ tracing = { workspace = true, features = ["log"] }
|
||||
tracing-subscriber = { workspace = true, features = ["env-filter", "fmt"] }
|
||||
|
||||
[dev-dependencies]
|
||||
codex-sandbox = { workspace = true }
|
||||
codex-shell-command = { workspace = true }
|
||||
core_test_support = { workspace = true }
|
||||
mcp_test_support = { workspace = true }
|
||||
os_info = { workspace = true }
|
||||
|
||||
@@ -28,7 +28,6 @@ dirs = { workspace = true }
|
||||
dunce = { workspace = true }
|
||||
encoding_rs = { workspace = true }
|
||||
libc = { workspace = true }
|
||||
serde = { workspace = true, features = ["derive"] }
|
||||
serde_json = { workspace = true }
|
||||
thiserror = { workspace = true }
|
||||
tokio = { workspace = true, features = [
|
||||
|
||||
@@ -192,6 +192,17 @@ pub enum SandboxType {
|
||||
WindowsRestrictedToken,
|
||||
}
|
||||
|
||||
impl SandboxType {
|
||||
pub fn as_metric_tag(self) -> &'static str {
|
||||
match self {
|
||||
SandboxType::None => "none",
|
||||
SandboxType::MacosSeatbelt => "seatbelt",
|
||||
SandboxType::LinuxSeccomp => "seccomp",
|
||||
SandboxType::WindowsRestrictedToken => "windows_restricted_token",
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Clone)]
|
||||
pub struct StdoutStream {
|
||||
pub sub_id: String,
|
||||
|
||||
Reference in New Issue
Block a user