Add explicit prefix-approval decision and wire it through execpolicy/UI snapshots
update doc
mutating in memory policy instead of reloading
using RW locks
clippy
refactor: adding allow_prefix into ApprovedAllowPrefix
fmt
do not send allow_prefix if execpolicy is disabled
moving args around
cleanup exec_policy getters
undo diff
fixing rw lock bug causing tui to hang
updating phrasing
integration test
.
fix compile
fix flaky test
fix compile error
running test with single thread
fixup allow_prefix_if_applicable
fix formatting
fix approvals test
only cloning when needed
docs
add docstring
fix rebase bug
fixing rebase issues
Revert "fixing rebase issues"
This reverts commit 79ce7e1f2fc0378c2c0b362408e2e544566540fd.
fix rebase errors
I think this might help with https://github.com/openai/codex/pull/7033
because `create_approval_requirement_for_command()` will soon need
access to `Session.state`, which is a `tokio::sync::Mutex` that needs to
be accessed via `async`.
adding execpolicycheck tool onto codex cli
this is useful for validating policies (can be multiple) against
commands.
it will also surface errors in policy syntax:
<img width="1150" height="281" alt="Screenshot 2025-11-19 at 12 46 21 PM" src="https://github.com/user-attachments/assets/8f99b403-564c-4172-acc9-6574a8d13dc3" />
this PR also changes output format when there's no match in the CLI.
instead of returning the raw string `noMatch`, we return
`{"noMatch":{}}`
this PR is a rewrite of: https://github.com/openai/codex/pull/6932 (due
to the numerous merge conflicts present in the original PR)
---------
Co-authored-by: Michael Bolin <mbolin@openai.com>
This PR threads execpolicy2 into codex-core.
activated via feature flag: exec_policy (on by default)
reads and parses all .codexpolicy files in `codex_home/codex`
refactored tool runtime API to integrate execpolicy logic
---------
Co-authored-by: Michael Bolin <mbolin@openai.com>