execpolicy2 -> execpolicy

kevin zhao
2025-11-18 09:30:51 -08:00
parent 8f9ad7e509
commit f712e0a4a0
6 changed files with 20 additions and 21 deletions


@@ -121,7 +121,7 @@ use crate::user_instructions::UserInstructions;
use crate::user_notification::UserNotification;
use crate::util::backoff;
use codex_async_utils::OrCancelExt;
use codex_execpolicy2::Policy as ExecPolicyV2;
use codex_execpolicy2::Policy as ExecPolicy;
use codex_otel::otel_event_manager::OtelEventManager;
use codex_protocol::config_types::ReasoningEffort as ReasoningEffortConfig;
use codex_protocol::config_types::ReasoningSummary as ReasoningSummaryConfig;
@@ -168,9 +168,8 @@ impl Codex {
let user_instructions = get_user_instructions(&config).await;
let exec_policy_v2 =
crate::exec_policy::exec_policy_for(&config.features, &config.codex_home)
.map_err(|err| CodexErr::Fatal(format!("failed to load execpolicy2: {err}")))?;
let exec_policy = crate::exec_policy::exec_policy_for(&config.features, &config.codex_home)
.map_err(|err| CodexErr::Fatal(format!("failed to load execpolicy2: {err}")))?;
let config = Arc::new(config);
@@ -188,7 +187,7 @@ impl Codex {
cwd: config.cwd.clone(),
original_config_do_not_use: Arc::clone(&config),
features: config.features.clone(),
exec_policy_v2,
exec_policy,
session_source,
};
@@ -286,7 +285,7 @@ pub(crate) struct TurnContext {
pub(crate) final_output_json_schema: Option<Value>,
pub(crate) codex_linux_sandbox_exe: Option<PathBuf>,
pub(crate) tool_call_gate: Arc<ReadinessFlag>,
pub(crate) exec_policy_v2: Option<Arc<ExecPolicyV2>>,
pub(crate) exec_policy: Option<Arc<ExecPolicy>>,
pub(crate) truncation_policy: TruncationPolicy,
}
@@ -343,8 +342,8 @@ pub(crate) struct SessionConfiguration {
/// Set of feature flags for this session
features: Features,
/// Optional execpolicy2 policy, applied only when enabled by feature flag.
exec_policy_v2: Option<Arc<ExecPolicyV2>>,
/// Optional execpolicy policy, applied only when enabled by feature flag.
exec_policy: Option<Arc<ExecPolicy>>,
// TODO(pakrym): Remove config from here
original_config_do_not_use: Arc<Config>,
@@ -445,7 +444,7 @@ impl Session {
final_output_json_schema: None,
codex_linux_sandbox_exe: config.codex_linux_sandbox_exe.clone(),
tool_call_gate: Arc::new(ReadinessFlag::new()),
exec_policy_v2: session_configuration.exec_policy_v2.clone(),
exec_policy: session_configuration.exec_policy.clone(),
truncation_policy: TruncationPolicy::new(&per_turn_config),
}
}
@@ -1799,7 +1798,7 @@ async fn spawn_review_thread(
final_output_json_schema: None,
codex_linux_sandbox_exe: parent_turn_context.codex_linux_sandbox_exe.clone(),
tool_call_gate: Arc::new(ReadinessFlag::new()),
exec_policy_v2: parent_turn_context.exec_policy_v2.clone(),
exec_policy: parent_turn_context.exec_policy.clone(),
truncation_policy: TruncationPolicy::new(&per_turn_config),
};
@@ -2619,7 +2618,7 @@ mod tests {
cwd: config.cwd.clone(),
original_config_do_not_use: Arc::clone(&config),
features: Features::default(),
exec_policy_v2: None,
exec_policy: None,
session_source: SessionSource::Exec,
};
@@ -2697,7 +2696,7 @@ mod tests {
cwd: config.cwd.clone(),
original_config_do_not_use: Arc::clone(&config),
features: Features::default(),
exec_policy_v2: None,
exec_policy: None,
session_source: SessionSource::Exec,
};
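Review bot: The rename is incomplete at the `exec_policy_for` call in `impl Codex`: the fatal error still reads `failed to load execpolicy2: {err}`, so the message an operator sees names a component the rest of this commit no longer calls by that name. Consider `CodexErr::Fatal(format!("failed to load execpolicy: {err}"))`. The same leftover appears in the test name `execpolicy2_blocks_shell_invocation` in the last file section, and the `ExecPolicy` alias still imports from the `codex_execpolicy2` crate, which may be intentional if the crate rename is a separate change. The enclosing function starts and ends outside the hunk.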


@@ -45,7 +45,7 @@ pub(crate) fn exec_policy_for(
features: &Features,
codex_home: &Path,
) -> Result<Option<Arc<Policy>>, ExecPolicyError> {
if !features.enabled(Feature::ExecPolicyV2) {
if !features.enabled(Feature::ExecPolicy) {
return Ok(None);
}
@@ -183,7 +183,7 @@ mod tests {
#[test]
fn returns_none_when_policy_dir_is_missing() {
let mut features = Features::with_defaults();
features.enable(Feature::ExecPolicyV2);
features.enable(Feature::ExecPolicy);
let temp_dir = tempdir().expect("create temp dir");
let missing_dir = temp_dir.path().join("missing");


@@ -42,8 +42,8 @@ pub enum Feature {
ViewImageTool,
/// Allow the model to request web searches.
WebSearchRequest,
/// Gate the execpolicy2 enforcement for shell/unified exec.
ExecPolicyV2,
/// Gate the execpolicy enforcement for shell/unified exec.
ExecPolicy,
/// Enable the model-based risk assessments for sandboxed commands.
SandboxCommandAssessment,
/// Enable Windows sandbox (restricted token) on Windows.
@@ -300,8 +300,8 @@ pub const FEATURES: &[FeatureSpec] = &[
default_enabled: false,
},
FeatureSpec {
id: Feature::ExecPolicyV2,
key: "exec_policy_v2",
id: Feature::ExecPolicy,
key: "exec_policy",
stage: Stage::Experimental,
default_enabled: false,
},
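Review bot: Changing the config key from `"exec_policy_v2"` to `"exec_policy"` in this `FEATURES` entry can silently turn off command-policy enforcement for anyone who opted in under the old key, because the spec keeps `default_enabled: false` and `exec_policy_for` returns `Ok(None)` when the feature is off. How unrecognised keys are handled is not visible here, so this is inferred; if they are ignored, an upgraded install would evaluate shell/unified exec commands with no policy and no diagnostic. Either keep accepting the old key as an alias for `Feature::ExecPolicy` or warn when `exec_policy_v2` appears in config, and add a test that a config using the old key still enables enforcement. The `FEATURES` array continues outside the hunk.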


@@ -308,7 +308,7 @@ impl ShellHandler {
ApprovalRequirement::Skip
} else {
approval_requirement_for_command(
turn.exec_policy_v2.as_deref(),
turn.exec_policy.as_deref(),
&exec_params.command,
turn.approval_policy,
&turn.sandbox_policy,


@@ -451,7 +451,7 @@ impl UnifiedExecSessionManager {
with_escalated_permissions,
justification,
approval_requirement_for_command(
context.turn.exec_policy_v2.as_deref(),
context.turn.exec_policy.as_deref(),
command,
context.turn.approval_policy,
&context.turn.sandbox_policy,


@@ -23,7 +23,7 @@ use std::fs;
#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
async fn execpolicy2_blocks_shell_invocation() -> Result<()> {
let mut builder = test_codex().with_config(|config| {
config.features.enable(Feature::ExecPolicyV2);
config.features.enable(Feature::ExecPolicy);
let policy_path = config.codex_home.join("policy.codexpolicy");
fs::write(
&policy_path,