execpolicycheck command in codex cli (#7012)

adding execpolicycheck tool onto codex cli this is useful for validating policies (can be multiple) against commands. it will also surface errors in policy syntax: <img width="1150" height="281" alt="Screenshot 2025-11-19 at 12 46 21 PM" src="https://github.com/user-attachments/assets/8f99b403-564c-4172-acc9-6574a8d13dc3" /> this PR also changes output format when there's no match in the CLI. instead of returning the raw string `noMatch`, we return `{"noMatch":{}}` this PR is a rewrite of: https://github.com/openai/codex/pull/6932 (due to the numerous merge conflicts present in the original PR) --------- Co-authored-by: Michael Bolin <mbolin@openai.com>
2026-04-30 09:26:44 +00:00 · 2025-11-20 16:44:31 -05:00
parent c30ca0d5b6
commit fe7a3f0c2b
12 changed files with 183 additions and 71 deletions
--- a/codex-rs/execpolicy/src/policy.rs
+++ b/codex-rs/execpolicy/src/policy.rs
@@ -27,9 +27,9 @@ impl Policy {
        let rules = match cmd.first() {
            Some(first) => match self.rules_by_program.get_vec(first) {
                Some(rules) => rules,
-                None => return Evaluation::NoMatch,
+                None => return Evaluation::NoMatch {},
            },
-            None => return Evaluation::NoMatch,
+            None => return Evaluation::NoMatch {},
        };

        let matched_rules: Vec<RuleMatch> =
@@ -39,7 +39,7 @@ impl Policy {
                decision,
                matched_rules,
            },
-            None => Evaluation::NoMatch,
+            None => Evaluation::NoMatch {},
        }
    }

@@ -52,7 +52,7 @@ impl Policy {
            .into_iter()
            .flat_map(|command| match self.check(command.as_ref()) {
                Evaluation::Match { matched_rules, .. } => matched_rules,
-                Evaluation::NoMatch => Vec::new(),
+                Evaluation::NoMatch { .. } => Vec::new(),
            })
            .collect();

@@ -61,7 +61,7 @@ impl Policy {
                decision,
                matched_rules,
            },
-            None => Evaluation::NoMatch,
+            None => Evaluation::NoMatch {},
        }
    }
 }
@@ -69,7 +69,7 @@ impl Policy {
 #[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub enum Evaluation {
-    NoMatch,
+    NoMatch {},
    Match {
        decision: Decision,
        #[serde(rename = "matchedRules")]