refactor: route zsh-fork through unified exec

codex-rs/app-server/tests/suite/v2/turn_start_zsh_fork.rs

@@ -11,7 +11,6 @@ use app_test_support::McpProcess;
 use app_test_support::create_final_assistant_message_sse_response;
 use app_test_support::create_mock_responses_server_sequence;
 use app_test_support::create_mock_responses_server_sequence_unchecked;
-use app_test_support::create_shell_command_sse_response;
 use app_test_support::to_response;
 use codex_app_server_protocol::CommandAction;
 use codex_app_server_protocol::CommandExecutionApprovalDecision;
@@ -35,9 +34,11 @@ use codex_core::features::Feature;
 use core_test_support::responses;
 use core_test_support::skip_if_no_network;
 use pretty_assertions::assert_eq;
+use serde_json::json;
 use std::collections::BTreeMap;
 use std::path::Path;
 use tempfile::TempDir;
+use tokio::time::sleep;
 use tokio::time::timeout;
 
 #[cfg(windows)]
@@ -62,19 +63,14 @@ async fn turn_start_shell_zsh_fork_executes_command_v2() -> Result<()> {
     };
     eprintln!("using zsh path for zsh-fork test: {}", zsh_path.display());
 
-    // Keep the shell command in flight until we interrupt it. A fast command
+    // Keep the exec command in flight until we interrupt it. A fast command
     // like `echo hi` can finish before the interrupt arrives on faster runners,
     // which turns this into a test for post-command follow-up behavior instead
     // of interrupting an active zsh-fork command.
     let release_marker_escaped = release_marker.to_string_lossy().replace('\'', r#"'\''"#);
     let wait_for_interrupt =
         format!("while [ ! -f '{release_marker_escaped}' ]; do sleep 0.01; done");
-    let response = create_shell_command_sse_response(
-        vec!["/bin/sh".to_string(), "-c".to_string(), wait_for_interrupt],
-        None,
-        Some(5000),
-        "call-zsh-fork",
-    )?;
+    let response = create_zsh_fork_exec_command_sse_response(&wait_for_interrupt, "call-zsh-fork")?;
     let no_op_response = responses::sse(vec![
         responses::ev_response_created("resp-2"),
         responses::ev_completed("resp-2"),
@@ -91,7 +87,7 @@ async fn turn_start_shell_zsh_fork_executes_command_v2() -> Result<()> {
         "never",
         &BTreeMap::from([
             (Feature::ShellZshFork, true),
-            (Feature::UnifiedExec, false),
+            (Feature::UnifiedExec, true),
             (Feature::ShellSnapshot, false),
         ]),
         &zsh_path,
@@ -163,7 +159,7 @@ async fn turn_start_shell_zsh_fork_executes_command_v2() -> Result<()> {
     assert_eq!(id, "call-zsh-fork");
     assert_eq!(status, CommandExecutionStatus::InProgress);
     assert!(command.starts_with(&zsh_path.display().to_string()));
-    assert!(command.contains("/bin/sh -c"));
+    assert!(command.contains(" -lc "));
     assert!(command.contains("sleep 0.01"));
     assert!(command.contains(&release_marker.display().to_string()));
     assert_eq!(cwd, workspace);
@@ -191,14 +187,8 @@ async fn turn_start_shell_zsh_fork_exec_approval_decline_v2() -> Result<()> {
     eprintln!("using zsh path for zsh-fork test: {}", zsh_path.display());
 
     let responses = vec![
-        create_shell_command_sse_response(
-            vec![
-                "python3".to_string(),
-                "-c".to_string(),
-                "print(42)".to_string(),
-            ],
-            None,
-            Some(5000),
+        create_zsh_fork_exec_command_sse_response(
+            "python3 -c 'print(42)'",
             "call-zsh-fork-decline",
         )?,
         create_final_assistant_message_sse_response("done")?,
@@ -210,7 +200,7 @@ async fn turn_start_shell_zsh_fork_exec_approval_decline_v2() -> Result<()> {
         "untrusted",
         &BTreeMap::from([
             (Feature::ShellZshFork, true),
-            (Feature::UnifiedExec, false),
+            (Feature::UnifiedExec, true),
             (Feature::ShellSnapshot, false),
         ]),
         &zsh_path,
@@ -326,14 +316,8 @@ async fn turn_start_shell_zsh_fork_exec_approval_cancel_v2() -> Result<()> {
     };
     eprintln!("using zsh path for zsh-fork test: {}", zsh_path.display());
 
-    let responses = vec![create_shell_command_sse_response(
-        vec![
-            "python3".to_string(),
-            "-c".to_string(),
-            "print(42)".to_string(),
-        ],
-        None,
-        Some(5000),
+    let responses = vec![create_zsh_fork_exec_command_sse_response(
+        "python3 -c 'print(42)'",
         "call-zsh-fork-cancel",
     )?];
     let server = create_mock_responses_server_sequence(responses).await;
@@ -343,7 +327,7 @@ async fn turn_start_shell_zsh_fork_exec_approval_cancel_v2() -> Result<()> {
         "untrusted",
         &BTreeMap::from([
             (Feature::ShellZshFork, true),
-            (Feature::UnifiedExec, false),
+            (Feature::UnifiedExec, true),
             (Feature::ShellSnapshot, false),
         ]),
         &zsh_path,
@@ -441,6 +425,204 @@ async fn turn_start_shell_zsh_fork_exec_approval_cancel_v2() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test]
+async fn turn_start_shell_zsh_fork_interrupt_kills_approved_subcommand_v2() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let tmp = TempDir::new()?;
+    let codex_home = tmp.path().join("codex_home");
+    std::fs::create_dir(&codex_home)?;
+    let workspace = tmp.path().join("workspace");
+    std::fs::create_dir(&workspace)?;
+    let launch_marker = workspace.join("approved-subcommand.started");
+    let leaked_marker = workspace.join("approved-subcommand.leaked");
+    let launch_marker_display = launch_marker.display().to_string();
+    assert!(
+        !launch_marker_display.contains('\''),
+        "test workspace path should not contain single quotes: {launch_marker_display}"
+    );
+    let leaked_marker_display = leaked_marker.display().to_string();
+    assert!(
+        !leaked_marker_display.contains('\''),
+        "test workspace path should not contain single quotes: {leaked_marker_display}"
+    );
+
+    let Some(zsh_path) = find_test_zsh_path()? else {
+        eprintln!("skipping zsh fork interrupt cleanup test: no zsh executable found");
+        return Ok(());
+    };
+    if !supports_exec_wrapper_intercept(&zsh_path) {
+        eprintln!(
+            "skipping zsh fork interrupt cleanup test: zsh does not support EXEC_WRAPPER intercepts ({})",
+            zsh_path.display()
+        );
+        return Ok(());
+    }
+    let zsh_path_display = zsh_path.display().to_string();
+    eprintln!("using zsh path for zsh-fork test: {zsh_path_display}");
+
+    let shell_command = format!(
+        "/bin/sh -c 'echo started > \"{launch_marker_display}\" && /bin/sleep 0.5 && echo leaked > \"{leaked_marker_display}\" && exec /bin/sleep 100'"
+    );
+    let tool_call_arguments = serde_json::to_string(&json!({
+        "cmd": shell_command,
+        "yield_time_ms": 30_000,
+    }))?;
+    let response = responses::sse(vec![
+        responses::ev_response_created("resp-1"),
+        responses::ev_function_call(
+            "call-zsh-fork-interrupt-cleanup",
+            "exec_command",
+            &tool_call_arguments,
+        ),
+        responses::ev_completed("resp-1"),
+    ]);
+    let no_op_response = responses::sse(vec![
+        responses::ev_response_created("resp-2"),
+        responses::ev_completed("resp-2"),
+    ]);
+    let server =
+        create_mock_responses_server_sequence_unchecked(vec![response, no_op_response]).await;
+    create_config_toml(
+        &codex_home,
+        &server.uri(),
+        "untrusted",
+        &BTreeMap::from([
+            (Feature::ShellZshFork, true),
+            (Feature::UnifiedExec, true),
+            (Feature::ShellSnapshot, false),
+        ]),
+        &zsh_path,
+    )?;
+
+    let mut mcp = create_zsh_test_mcp_process(&codex_home, &workspace).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let start_id = mcp
+        .send_thread_start_request(ThreadStartParams {
+            model: Some("mock-model".to_string()),
+            cwd: Some(workspace.to_string_lossy().into_owned()),
+            ..Default::default()
+        })
+        .await?;
+    let start_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(start_id)),
+    )
+    .await??;
+    let ThreadStartResponse { thread, .. } = to_response::<ThreadStartResponse>(start_resp)?;
+
+    let turn_id = mcp
+        .send_turn_start_request(TurnStartParams {
+            thread_id: thread.id.clone(),
+            input: vec![V2UserInput::Text {
+                text: "run the long-lived command".to_string(),
+                text_elements: Vec::new(),
+            }],
+            cwd: Some(workspace.clone()),
+            approval_policy: Some(codex_app_server_protocol::AskForApproval::UnlessTrusted),
+            sandbox_policy: Some(codex_app_server_protocol::SandboxPolicy::WorkspaceWrite {
+                writable_roots: vec![workspace.clone().try_into()?],
+                read_only_access: codex_app_server_protocol::ReadOnlyAccess::FullAccess,
+                network_access: false,
+                exclude_tmpdir_env_var: false,
+                exclude_slash_tmp: false,
+            }),
+            model: Some("mock-model".to_string()),
+            effort: Some(codex_protocol::openai_models::ReasoningEffort::Medium),
+            summary: Some(codex_protocol::config_types::ReasoningSummary::Auto),
+            ..Default::default()
+        })
+        .await?;
+    let turn_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(turn_id)),
+    )
+    .await??;
+    let TurnStartResponse { turn } = to_response::<TurnStartResponse>(turn_resp)?;
+
+    let mut saw_target_approval = false;
+    while !saw_target_approval {
+        let server_req = timeout(
+            DEFAULT_READ_TIMEOUT,
+            mcp.read_stream_until_request_message(),
+        )
+        .await??;
+        let ServerRequest::CommandExecutionRequestApproval { request_id, params } = server_req
+        else {
+            panic!("expected CommandExecutionRequestApproval request");
+        };
+        let approval_command = params.command.clone().unwrap_or_default();
+        saw_target_approval = approval_command.contains("/bin/sh")
+            && approval_command.contains(&launch_marker_display)
+            && !approval_command.contains(&zsh_path_display);
+        mcp.send_response(
+            request_id,
+            serde_json::to_value(CommandExecutionRequestApprovalResponse {
+                decision: CommandExecutionApprovalDecision::Accept,
+            })?,
+        )
+        .await?;
+    }
+
+    let started_command = timeout(DEFAULT_READ_TIMEOUT, async {
+        loop {
+            let notif = mcp
+                .read_stream_until_notification_message("item/started")
+                .await?;
+            let started: ItemStartedNotification =
+                serde_json::from_value(notif.params.clone().expect("item/started params"))?;
+            if let ThreadItem::CommandExecution { .. } = started.item {
+                return Ok::<ThreadItem, anyhow::Error>(started.item);
+            }
+        }
+    })
+    .await??;
+    let ThreadItem::CommandExecution {
+        id,
+        process_id,
+        status,
+        command,
+        cwd,
+        ..
+    } = started_command
+    else {
+        unreachable!("loop ensures we break on command execution items");
+    };
+    assert_eq!(id, "call-zsh-fork-interrupt-cleanup");
+    assert_eq!(status, CommandExecutionStatus::InProgress);
+    assert!(command.starts_with(&zsh_path.display().to_string()));
+    assert!(command.contains(" -lc "));
+    assert!(command.contains(&launch_marker_display));
+    assert_eq!(cwd, workspace);
+    assert!(process_id.is_some(), "process id should be present");
+
+    timeout(DEFAULT_READ_TIMEOUT, async {
+        loop {
+            if launch_marker.exists() {
+                return Ok::<(), anyhow::Error>(());
+            }
+            sleep(std::time::Duration::from_millis(20)).await;
+        }
+    })
+    .await??;
+
+    mcp.interrupt_turn_and_wait_for_aborted(
+        thread.id.clone(),
+        turn.id.clone(),
+        DEFAULT_READ_TIMEOUT,
+    )
+    .await?;
+
+    sleep(std::time::Duration::from_millis(750)).await;
+    assert!(
+        !leaked_marker.exists(),
+        "expected interrupt to stop approved subcommand before it wrote {leaked_marker_display}"
+    );
+
+    Ok(())
+}
+
 #[tokio::test]
 async fn turn_start_shell_zsh_fork_subcommand_decline_marks_parent_declined_v2() -> Result<()> {
     skip_if_no_network!(Ok(()));
@@ -472,16 +654,15 @@ async fn turn_start_shell_zsh_fork_subcommand_decline_marks_parent_declined_v2()
         first_file.display(),
         second_file.display()
     );
-    let tool_call_arguments = serde_json::to_string(&serde_json::json!({
-        "command": shell_command,
-        "workdir": serde_json::Value::Null,
-        "timeout_ms": 5000
+    let tool_call_arguments = serde_json::to_string(&json!({
+        "cmd": shell_command,
+        "yield_time_ms": 5000,
     }))?;
     let response = responses::sse(vec![
         responses::ev_response_created("resp-1"),
         responses::ev_function_call(
             "call-zsh-fork-subcommand-decline",
-            "shell_command",
+            "exec_command",
             &tool_call_arguments,
         ),
         responses::ev_completed("resp-1"),
@@ -502,7 +683,7 @@ async fn turn_start_shell_zsh_fork_subcommand_decline_marks_parent_declined_v2()
         "untrusted",
         &BTreeMap::from([
             (Feature::ShellZshFork, true),
-            (Feature::UnifiedExec, false),
+            (Feature::UnifiedExec, true),
             (Feature::ShellSnapshot, false),
         ]),
         &zsh_path,
@@ -744,6 +925,21 @@ async fn create_zsh_test_mcp_process(codex_home: &Path, zdotdir: &Path) -> Resul
     McpProcess::new_with_env(codex_home, &[("ZDOTDIR", Some(zdotdir.as_str()))]).await
 }
 
+fn create_zsh_fork_exec_command_sse_response(
+    command: &str,
+    call_id: &str,
+) -> anyhow::Result<String> {
+    let tool_call_arguments = serde_json::to_string(&json!({
+        "cmd": command,
+        "yield_time_ms": 5000,
+    }))?;
+    Ok(responses::sse(vec![
+        responses::ev_response_created("resp-1"),
+        responses::ev_function_call(call_id, "exec_command", &tool_call_arguments),
+        responses::ev_completed("resp-1"),
+    ]))
+}
+
 fn create_config_toml(
     codex_home: &Path,
     server_uri: &str,

codex-rs/core/src/memories/usage.rs

@@ -103,6 +103,7 @@ fn shell_command_for_invocation(invocation: &ToolInvocation) -> Option<(Vec<Stri
                     &params,
                     invocation.session.user_shell(),
                     invocation.turn.tools_config.allow_login_shell,
+                    invocation.turn.tools_config.unified_exec_backend,
                 )
                 .ok()?;
                 Some((command, invocation.turn.resolve_path(params.workdir)))

codex-rs/core/src/tools/handlers/unified_exec.rs

@@ -19,6 +19,7 @@ use crate::tools::handlers::parse_arguments_with_base_path;
 use crate::tools::handlers::resolve_workdir_base_path;
 use crate::tools::registry::ToolHandler;
 use crate::tools::registry::ToolKind;
+use crate::tools::spec::UnifiedExecBackendConfig;
 use crate::unified_exec::ExecCommandRequest;
 use crate::unified_exec::UnifiedExecContext;
 use crate::unified_exec::UnifiedExecProcessManager;
@@ -108,6 +109,7 @@ impl ToolHandler for UnifiedExecHandler {
             &params,
             invocation.session.user_shell(),
             invocation.turn.tools_config.allow_login_shell,
+            invocation.turn.tools_config.unified_exec_backend,
         ) {
             Ok(command) => command,
             Err(_) => return true,
@@ -155,6 +157,7 @@ impl ToolHandler for UnifiedExecHandler {
                     &args,
                     session.user_shell(),
                     turn.tools_config.allow_login_shell,
+                    turn.tools_config.unified_exec_backend,
                 )
                 .map_err(FunctionCallError::RespondToModel)?;
 
@@ -321,12 +324,23 @@ pub(crate) fn get_command(
     args: &ExecCommandArgs,
     session_shell: Arc<Shell>,
     allow_login_shell: bool,
+    unified_exec_backend: UnifiedExecBackendConfig,
 ) -> Result<Vec<String>, String> {
-    let model_shell = args.shell.as_ref().map(|shell_str| {
-        let mut shell = get_shell_by_model_provided_path(&PathBuf::from(shell_str));
-        shell.shell_snapshot = crate::shell::empty_shell_snapshot_receiver();
-        shell
-    });
+    if unified_exec_backend == UnifiedExecBackendConfig::ZshFork && args.shell.is_some() {
+        return Err(
+            "shell override is not supported when the zsh-fork backend is enabled.".to_string(),
+        );
+    }
+
+    let model_shell = if unified_exec_backend == UnifiedExecBackendConfig::ZshFork {
+        None
+    } else {
+        args.shell.as_ref().map(|shell_str| {
+            let mut shell = get_shell_by_model_provided_path(&PathBuf::from(shell_str));
+            shell.shell_snapshot = crate::shell::empty_shell_snapshot_receiver();
+            shell
+        })
+    };
 
     let shell = model_shell.as_ref().unwrap_or(session_shell.as_ref());
     let use_login_shell = match args.login {

codex-rs/core/src/tools/handlers/unified_exec_tests.rs

@@ -1,12 +1,16 @@
 use super::*;
+use crate::shell::ShellType;
 use crate::shell::default_user_shell;
+use crate::shell::empty_shell_snapshot_receiver;
 use crate::tools::handlers::parse_arguments_with_base_path;
 use crate::tools::handlers::resolve_workdir_base_path;
+use crate::tools::spec::UnifiedExecBackendConfig;
 use codex_protocol::models::FileSystemPermissions;
 use codex_protocol::models::PermissionProfile;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use pretty_assertions::assert_eq;
 use std::fs;
+use std::path::PathBuf;
 use std::sync::Arc;
 use tempfile::tempdir;
 
@@ -18,8 +22,13 @@ fn test_get_command_uses_default_shell_when_unspecified() -> anyhow::Result<()>
 
     assert!(args.shell.is_none());
 
-    let command =
-        get_command(&args, Arc::new(default_user_shell()), true).map_err(anyhow::Error::msg)?;
+    let command = get_command(
+        &args,
+        Arc::new(default_user_shell()),
+        true,
+        UnifiedExecBackendConfig::Direct,
+    )
+    .map_err(anyhow::Error::msg)?;
 
     assert_eq!(command.len(), 3);
     assert_eq!(command[2], "echo hello");
@@ -34,8 +43,13 @@ fn test_get_command_respects_explicit_bash_shell() -> anyhow::Result<()> {
 
     assert_eq!(args.shell.as_deref(), Some("/bin/bash"));
 
-    let command =
-        get_command(&args, Arc::new(default_user_shell()), true).map_err(anyhow::Error::msg)?;
+    let command = get_command(
+        &args,
+        Arc::new(default_user_shell()),
+        true,
+        UnifiedExecBackendConfig::Direct,
+    )
+    .map_err(anyhow::Error::msg)?;
 
     assert_eq!(command.last(), Some(&"echo hello".to_string()));
     if command
@@ -55,8 +69,13 @@ fn test_get_command_respects_explicit_powershell_shell() -> anyhow::Result<()> {
 
     assert_eq!(args.shell.as_deref(), Some("powershell"));
 
-    let command =
-        get_command(&args, Arc::new(default_user_shell()), true).map_err(anyhow::Error::msg)?;
+    let command = get_command(
+        &args,
+        Arc::new(default_user_shell()),
+        true,
+        UnifiedExecBackendConfig::Direct,
+    )
+    .map_err(anyhow::Error::msg)?;
 
     assert_eq!(command[2], "echo hello");
     Ok(())
@@ -70,8 +89,13 @@ fn test_get_command_respects_explicit_cmd_shell() -> anyhow::Result<()> {
 
     assert_eq!(args.shell.as_deref(), Some("cmd"));
 
-    let command =
-        get_command(&args, Arc::new(default_user_shell()), true).map_err(anyhow::Error::msg)?;
+    let command = get_command(
+        &args,
+        Arc::new(default_user_shell()),
+        true,
+        UnifiedExecBackendConfig::Direct,
+    )
+    .map_err(anyhow::Error::msg)?;
 
     assert_eq!(command[2], "echo hello");
     Ok(())
@@ -82,8 +106,13 @@ fn test_get_command_rejects_explicit_login_when_disallowed() -> anyhow::Result<(
     let json = r#"{"cmd": "echo hello", "login": true}"#;
 
     let args: ExecCommandArgs = parse_arguments(json)?;
-    let err = get_command(&args, Arc::new(default_user_shell()), false)
-        .expect_err("explicit login should be rejected");
+    let err = get_command(
+        &args,
+        Arc::new(default_user_shell()),
+        false,
+        UnifiedExecBackendConfig::Direct,
+    )
+    .expect_err("explicit login should be rejected");
 
     assert!(
         err.contains("login shell is disabled by config"),
@@ -92,6 +121,30 @@ fn test_get_command_rejects_explicit_login_when_disallowed() -> anyhow::Result<(
     Ok(())
 }
 
+#[test]
+fn get_command_rejects_model_shell_override_for_zsh_fork_backend() -> anyhow::Result<()> {
+    let json = r#"{"cmd": "echo hello", "shell": "/bin/bash"}"#;
+    let args: ExecCommandArgs = parse_arguments(json)?;
+
+    let session_shell = Arc::new(Shell {
+        shell_type: ShellType::Zsh,
+        shell_path: PathBuf::from("/tmp/configured-zsh-fork-shell"),
+        shell_snapshot: empty_shell_snapshot_receiver(),
+    });
+    let err = get_command(
+        &args,
+        session_shell,
+        true,
+        UnifiedExecBackendConfig::ZshFork,
+    )
+    .expect_err("shell override should be rejected for zsh-fork backend");
+    assert!(
+        err.contains("shell override is not supported"),
+        "unexpected error: {err}"
+    );
+    Ok(())
+}
+
 #[test]
 fn exec_command_args_resolve_relative_additional_permissions_against_workdir() -> anyhow::Result<()>
 {

codex-rs/core/src/tools/runtimes/shell/unix_escalation.rs

@@ -50,10 +50,10 @@ use codex_shell_escalation::ShellCommandExecutor;
 use codex_shell_escalation::Stopwatch;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use std::collections::HashMap;
+use std::path::Path;
 use std::path::PathBuf;
 use std::sync::Arc;
 use std::time::Duration;
-use tokio::sync::RwLock;
 use tokio_util::sync::CancellationToken;
 use uuid::Uuid;
 
@@ -91,7 +91,7 @@ pub(super) async fn try_run_zsh_fork(
     req: &ShellRequest,
     attempt: &SandboxAttempt<'_>,
     ctx: &ToolCtx,
-    command: &[String],
+    shell_command: &[String],
 ) -> Result<Option<ExecToolCallOutput>, ToolError> {
     let Some(shell_zsh_path) = ctx.session.services.shell_zsh_path.as_ref() else {
         tracing::warn!("ZshFork backend specified, but shell_zsh_path is not configured.");
@@ -106,8 +106,10 @@ pub(super) async fn try_run_zsh_fork(
         return Ok(None);
     }
 
+    let ParsedShellCommand { script, login, .. } = extract_shell_script(shell_command)?;
+
     let spec = build_command_spec(
-        command,
+        shell_command,
         &req.cwd,
         &req.env,
         req.timeout_ms.into(),
@@ -119,14 +121,14 @@ pub(super) async fn try_run_zsh_fork(
         .env_for(spec, req.network.as_ref())
         .map_err(|err| ToolError::Codex(err.into()))?;
     let crate::sandboxing::ExecRequest {
-        command,
+        command: sandbox_command,
         cwd: sandbox_cwd,
         env: sandbox_env,
         network: sandbox_network,
         expiration: _sandbox_expiration,
         sandbox,
         windows_sandbox_level,
-        windows_sandbox_private_desktop: _windows_sandbox_private_desktop,
+        windows_sandbox_private_desktop,
         sandbox_permissions,
         sandbox_policy,
         file_system_sandbox_policy,
@@ -134,16 +136,14 @@ pub(super) async fn try_run_zsh_fork(
         justification,
         arg0,
     } = sandbox_exec_request;
-    let ParsedShellCommand { script, login, .. } = extract_shell_script(&command)?;
+    let host_zsh_path =
+        resolve_host_zsh_path(sandbox_env.get("PATH").map(String::as_str), &sandbox_cwd);
     let effective_timeout = Duration::from_millis(
         req.timeout_ms
             .unwrap_or(crate::exec::DEFAULT_EXEC_COMMAND_TIMEOUT_MS),
     );
-    let exec_policy = Arc::new(RwLock::new(
-        ctx.session.services.exec_policy.current().as_ref().clone(),
-    ));
     let command_executor = CoreShellCommandExecutor {
-        command,
+        command: sandbox_command,
         cwd: sandbox_cwd,
         sandbox_policy,
         file_system_sandbox_policy,
@@ -152,6 +152,7 @@ pub(super) async fn try_run_zsh_fork(
         env: sandbox_env,
         network: sandbox_network,
         windows_sandbox_level,
+        windows_sandbox_private_desktop,
         sandbox_permissions,
         justification,
         arg0,
@@ -164,6 +165,8 @@ pub(super) async fn try_run_zsh_fork(
             .clone(),
         codex_linux_sandbox_exe: ctx.turn.codex_linux_sandbox_exe.clone(),
         use_legacy_landlock: ctx.turn.features.use_legacy_landlock(),
+        shell_zsh_path: ctx.session.services.shell_zsh_path.clone(),
+        host_zsh_path: host_zsh_path.clone(),
     };
     let main_execve_wrapper_exe = ctx
         .session
@@ -192,7 +195,6 @@ pub(super) async fn try_run_zsh_fork(
         req.additional_permissions_preapproved,
     );
     let escalation_policy = CoreShellActionProvider {
-        policy: Arc::clone(&exec_policy),
         session: Arc::clone(&ctx.session),
         turn: Arc::clone(&ctx.turn),
         call_id: ctx.call_id.clone(),
@@ -205,6 +207,7 @@ pub(super) async fn try_run_zsh_fork(
         approval_sandbox_permissions,
         prompt_permissions: req.additional_permissions.clone(),
         stopwatch: stopwatch.clone(),
+        host_zsh_path,
     };
 
     let escalate_server = EscalateServer::new(
@@ -225,6 +228,7 @@ pub(crate) async fn prepare_unified_exec_zsh_fork(
     req: &crate::tools::runtimes::unified_exec::UnifiedExecRequest,
     _attempt: &SandboxAttempt<'_>,
     ctx: &ToolCtx,
+    shell_command: &[String],
     exec_request: ExecRequest,
 ) -> Result<Option<PreparedUnifiedExecZshFork>, ToolError> {
     let Some(shell_zsh_path) = ctx.session.services.shell_zsh_path.as_ref() else {
@@ -240,7 +244,7 @@ pub(crate) async fn prepare_unified_exec_zsh_fork(
         return Ok(None);
     }
 
-    let parsed = match extract_shell_script(&exec_request.command) {
+    let parsed = match extract_shell_script(shell_command) {
         Ok(parsed) => parsed,
         Err(err) => {
             tracing::warn!("ZshFork unified exec fallback: {err:?}");
@@ -256,22 +260,37 @@ pub(crate) async fn prepare_unified_exec_zsh_fork(
         return Ok(None);
     }
 
-    let exec_policy = Arc::new(RwLock::new(
-        ctx.session.services.exec_policy.current().as_ref().clone(),
-    ));
+    let ExecRequest {
+        command,
+        cwd,
+        env,
+        network,
+        expiration: _expiration,
+        sandbox,
+        windows_sandbox_level,
+        windows_sandbox_private_desktop,
+        sandbox_permissions,
+        sandbox_policy,
+        file_system_sandbox_policy,
+        network_sandbox_policy,
+        justification,
+        arg0,
+    } = &exec_request;
+    let host_zsh_path = resolve_host_zsh_path(env.get("PATH").map(String::as_str), cwd);
     let command_executor = CoreShellCommandExecutor {
-        command: exec_request.command.clone(),
-        cwd: exec_request.cwd.clone(),
-        sandbox_policy: exec_request.sandbox_policy.clone(),
-        file_system_sandbox_policy: exec_request.file_system_sandbox_policy.clone(),
-        network_sandbox_policy: exec_request.network_sandbox_policy,
-        sandbox: exec_request.sandbox,
-        env: exec_request.env.clone(),
-        network: exec_request.network.clone(),
-        windows_sandbox_level: exec_request.windows_sandbox_level,
-        sandbox_permissions: exec_request.sandbox_permissions,
-        justification: exec_request.justification.clone(),
-        arg0: exec_request.arg0.clone(),
+        command: command.clone(),
+        cwd: cwd.clone(),
+        sandbox_policy: sandbox_policy.clone(),
+        file_system_sandbox_policy: file_system_sandbox_policy.clone(),
+        network_sandbox_policy: *network_sandbox_policy,
+        sandbox: *sandbox,
+        env: env.clone(),
+        network: network.clone(),
+        windows_sandbox_level: *windows_sandbox_level,
+        windows_sandbox_private_desktop: *windows_sandbox_private_desktop,
+        sandbox_permissions: *sandbox_permissions,
+        justification: justification.clone(),
+        arg0: arg0.clone(),
         sandbox_policy_cwd: ctx.turn.cwd.clone(),
         macos_seatbelt_profile_extensions: ctx
             .turn
@@ -281,6 +300,8 @@ pub(crate) async fn prepare_unified_exec_zsh_fork(
             .clone(),
         codex_linux_sandbox_exe: ctx.turn.codex_linux_sandbox_exe.clone(),
         use_legacy_landlock: ctx.turn.features.use_legacy_landlock(),
+        shell_zsh_path: ctx.session.services.shell_zsh_path.clone(),
+        host_zsh_path: host_zsh_path.clone(),
     };
     let main_execve_wrapper_exe = ctx
         .session
@@ -293,7 +314,6 @@ pub(crate) async fn prepare_unified_exec_zsh_fork(
             )
         })?;
     let escalation_policy = CoreShellActionProvider {
-        policy: Arc::clone(&exec_policy),
         session: Arc::clone(&ctx.session),
         turn: Arc::clone(&ctx.turn),
         call_id: ctx.call_id.clone(),
@@ -309,6 +329,7 @@ pub(crate) async fn prepare_unified_exec_zsh_fork(
         ),
         prompt_permissions: req.additional_permissions.clone(),
         stopwatch: Stopwatch::unlimited(),
+        host_zsh_path,
     };
 
     let escalate_server = EscalateServer::new(
@@ -328,7 +349,6 @@ pub(crate) async fn prepare_unified_exec_zsh_fork(
 }
 
 struct CoreShellActionProvider {
-    policy: Arc<RwLock<Policy>>,
     session: Arc<crate::codex::Session>,
     turn: Arc<crate::codex::TurnContext>,
     call_id: String,
@@ -341,6 +361,7 @@ struct CoreShellActionProvider {
     approval_sandbox_permissions: SandboxPermissions,
     prompt_permissions: Option<PermissionProfile>,
     stopwatch: Stopwatch,
+    host_zsh_path: Option<PathBuf>,
 }
 
 #[allow(clippy::large_enum_variant)]
@@ -378,6 +399,66 @@ fn execve_prompt_is_rejected_by_policy(
     }
 }
 
+fn paths_match(lhs: &Path, rhs: &Path) -> bool {
+    lhs == rhs
+        || match (lhs.canonicalize(), rhs.canonicalize()) {
+            (Ok(lhs), Ok(rhs)) => lhs == rhs,
+            _ => false,
+        }
+}
+
+fn resolve_host_zsh_path(_path_env: Option<&str>, _cwd: &Path) -> Option<PathBuf> {
+    fn canonicalize_best_effort(path: PathBuf) -> PathBuf {
+        path.canonicalize().unwrap_or(path)
+    }
+
+    fn is_executable_file(path: &Path) -> bool {
+        std::fs::metadata(path).is_ok_and(|metadata| {
+            metadata.is_file() && {
+                #[cfg(unix)]
+                {
+                    use std::os::unix::fs::PermissionsExt;
+                    metadata.permissions().mode() & 0o111 != 0
+                }
+                #[cfg(not(unix))]
+                {
+                    true
+                }
+            }
+        })
+    }
+
+    fn find_zsh_in_dirs(dirs: impl IntoIterator<Item = PathBuf>) -> Option<PathBuf> {
+        dirs.into_iter().find_map(|dir| {
+            let candidate = dir.join("zsh");
+            is_executable_file(&candidate).then(|| canonicalize_best_effort(candidate))
+        })
+    }
+
+    // Keep nested-zsh rewrites limited to canonical host shell installations.
+    // PATH shadowing from repos, Nix environments, or tool shims should not be
+    // treated as the host shell.
+    find_zsh_in_dirs(
+        ["/bin", "/usr/bin", "/usr/local/bin", "/opt/homebrew/bin"]
+            .into_iter()
+            .map(PathBuf::from),
+    )
+}
+
+fn is_unconfigured_zsh_exec(
+    program: &AbsolutePathBuf,
+    shell_zsh_path: Option<&Path>,
+    host_zsh_path: Option<&Path>,
+) -> bool {
+    let Some(shell_zsh_path) = shell_zsh_path else {
+        return false;
+    };
+    let Some(host_zsh_path) = host_zsh_path else {
+        return false;
+    };
+    paths_match(program.as_path(), host_zsh_path) && !paths_match(program.as_path(), shell_zsh_path)
+}
+
 impl CoreShellActionProvider {
     fn decision_driven_by_policy(matched_rules: &[RuleMatch], decision: Decision) -> bool {
         matched_rules.iter().any(|rule_match| {
@@ -489,6 +570,10 @@ impl CoreShellActionProvider {
                         command,
                         workdir,
                         None,
+                        // Intercepted exec prompts happen after the original tool call has
+                        // started, so we do not attach an execpolicy amendment payload here.
+                        // Amendments are currently surfaced only from the top-level tool
+                        // request path.
                         None,
                         None,
                         additional_permissions,
@@ -713,28 +798,35 @@ impl EscalationPolicy for CoreShellActionProvider {
                 .await;
         }
 
-        let evaluation = {
-            let policy = self.policy.read().await;
-            evaluate_intercepted_exec_policy(
-                &policy,
-                program,
-                argv,
-                InterceptedExecPolicyContext {
-                    approval_policy: self.approval_policy,
-                    sandbox_policy: &self.sandbox_policy,
-                    file_system_sandbox_policy: &self.file_system_sandbox_policy,
-                    sandbox_permissions: self.approval_sandbox_permissions,
-                    enable_shell_wrapper_parsing:
-                        ENABLE_INTERCEPTED_EXEC_POLICY_SHELL_WRAPPER_PARSING,
-                },
-            )
-        };
+        let policy = self.session.services.exec_policy.current();
+        let evaluation = evaluate_intercepted_exec_policy(
+            policy.as_ref(),
+            program,
+            argv,
+            InterceptedExecPolicyContext {
+                approval_policy: self.approval_policy,
+                sandbox_policy: &self.sandbox_policy,
+                file_system_sandbox_policy: &self.file_system_sandbox_policy,
+                sandbox_permissions: self.approval_sandbox_permissions,
+                enable_shell_wrapper_parsing: ENABLE_INTERCEPTED_EXEC_POLICY_SHELL_WRAPPER_PARSING,
+            },
+        );
         // When true, means the Evaluation was due to *.rules, not the
         // fallback function.
         let decision_driven_by_policy =
             Self::decision_driven_by_policy(&evaluation.matched_rules, evaluation.decision);
-        let needs_escalation =
-            self.sandbox_permissions.requires_escalated_permissions() || decision_driven_by_policy;
+        // Keep zsh-fork interception alive across nested shells: if an
+        // intercepted exec targets the known host `zsh` path instead of the
+        // configured zsh-fork binary, force it through escalation so the
+        // executor can rewrite the program path back to the configured shell.
+        let force_zsh_fork_reexec = is_unconfigured_zsh_exec(
+            program,
+            self.session.services.shell_zsh_path.as_deref(),
+            self.host_zsh_path.as_deref(),
+        );
+        let needs_escalation = self.sandbox_permissions.requires_escalated_permissions()
+            || decision_driven_by_policy
+            || force_zsh_fork_reexec;
 
         let decision_source = if decision_driven_by_policy {
             DecisionSource::PrefixRule
@@ -875,6 +967,7 @@ struct CoreShellCommandExecutor {
     env: HashMap<String, String>,
     network: Option<codex_network_proxy::NetworkProxy>,
     windows_sandbox_level: WindowsSandboxLevel,
+    windows_sandbox_private_desktop: bool,
     sandbox_permissions: SandboxPermissions,
     justification: Option<String>,
     arg0: Option<String>,
@@ -883,6 +976,8 @@ struct CoreShellCommandExecutor {
     macos_seatbelt_profile_extensions: Option<MacOsSeatbeltProfileExtensions>,
     codex_linux_sandbox_exe: Option<PathBuf>,
     use_legacy_landlock: bool,
+    shell_zsh_path: Option<PathBuf>,
+    host_zsh_path: Option<PathBuf>,
 }
 
 struct PrepareSandboxedExecParams<'a> {
@@ -925,7 +1020,7 @@ impl ShellCommandExecutor for CoreShellCommandExecutor {
                 expiration: ExecExpiration::Cancellation(cancel_rx),
                 sandbox: self.sandbox,
                 windows_sandbox_level: self.windows_sandbox_level,
-                windows_sandbox_private_desktop: false,
+                windows_sandbox_private_desktop: self.windows_sandbox_private_desktop,
                 sandbox_permissions: self.sandbox_permissions,
                 sandbox_policy: self.sandbox_policy.clone(),
                 file_system_sandbox_policy: self.file_system_sandbox_policy.clone(),
@@ -956,7 +1051,8 @@ impl ShellCommandExecutor for CoreShellCommandExecutor {
         env: HashMap<String, String>,
         execution: EscalationExecution,
     ) -> anyhow::Result<PreparedExec> {
-        let command = join_program_and_argv(program, argv);
+        let program = self.rewrite_intercepted_program_for_zsh_fork(program);
+        let command = join_program_and_argv(&program, argv);
         let Some(first_arg) = argv.first() else {
             return Err(anyhow::anyhow!(
                 "intercepted exec request must contain argv[0]"
@@ -1027,7 +1123,33 @@ impl ShellCommandExecutor for CoreShellCommandExecutor {
 }
 
 impl CoreShellCommandExecutor {
-    #[allow(clippy::too_many_arguments)]
+    fn rewrite_intercepted_program_for_zsh_fork(
+        &self,
+        program: &AbsolutePathBuf,
+    ) -> AbsolutePathBuf {
+        let Some(shell_zsh_path) = self.shell_zsh_path.as_ref() else {
+            return program.clone();
+        };
+        if !is_unconfigured_zsh_exec(
+            program,
+            Some(shell_zsh_path.as_path()),
+            self.host_zsh_path.as_deref(),
+        ) {
+            return program.clone();
+        }
+        match AbsolutePathBuf::from_absolute_path(shell_zsh_path) {
+            Ok(rewritten) => rewritten,
+            Err(err) => {
+                tracing::warn!(
+                    "failed to rewrite intercepted zsh path {} to configured shell {}: {err}",
+                    program.display(),
+                    shell_zsh_path.display(),
+                );
+                program.clone()
+            }
+        }
+    }
+
     fn prepare_sandboxed_exec(
         &self,
         params: PrepareSandboxedExecParams<'_>,
@@ -1082,7 +1204,7 @@ impl CoreShellCommandExecutor {
                 codex_linux_sandbox_exe: self.codex_linux_sandbox_exe.as_ref(),
                 use_legacy_landlock: self.use_legacy_landlock,
                 windows_sandbox_level: self.windows_sandbox_level,
-                windows_sandbox_private_desktop: false,
+                windows_sandbox_private_desktop: self.windows_sandbox_private_desktop,
             })?;
         if let Some(network) = exec_request.network.as_ref() {
             network.apply_to_env(&mut exec_request.env);
@@ -1105,23 +1227,21 @@ struct ParsedShellCommand {
 }
 
 fn extract_shell_script(command: &[String]) -> Result<ParsedShellCommand, ToolError> {
-    // Commands reaching zsh-fork can be wrapped by environment/sandbox helpers, so
-    // we search for the first `-c`/`-lc` triple anywhere in the argv rather
-    // than assuming it is the first positional form.
-    if let Some((program, script, login)) = command.windows(3).find_map(|parts| match parts {
-        [program, flag, script] if flag == "-c" => {
-            Some((program.to_owned(), script.to_owned(), false))
+    if let [program, flag, script, ..] = command {
+        if flag == "-c" {
+            return Ok(ParsedShellCommand {
+                program: program.to_owned(),
+                script: script.to_owned(),
+                login: false,
+            });
         }
-        [program, flag, script] if flag == "-lc" => {
-            Some((program.to_owned(), script.to_owned(), true))
+        if flag == "-lc" {
+            return Ok(ParsedShellCommand {
+                program: program.to_owned(),
+                script: script.to_owned(),
+                login: true,
+            });
         }
-        _ => None,
-    }) {
-        return Ok(ParsedShellCommand {
-            program,
-            script,
-            login,
-        });
     }
 
     Err(ToolError::Rejected(

codex-rs/core/src/tools/runtimes/shell/unix_escalation_tests.rs

@@ -6,8 +6,10 @@ use super::ParsedShellCommand;
 use super::commands_for_intercepted_exec_policy;
 use super::evaluate_intercepted_exec_policy;
 use super::extract_shell_script;
+use super::is_unconfigured_zsh_exec;
 use super::join_program_and_argv;
 use super::map_exec_result;
+use super::resolve_host_zsh_path;
 #[cfg(target_os = "macos")]
 use crate::config::Constrained;
 #[cfg(target_os = "macos")]
@@ -50,6 +52,7 @@ use codex_utils_absolute_path::AbsolutePathBuf;
 use pretty_assertions::assert_eq;
 #[cfg(target_os = "macos")]
 use std::collections::HashMap;
+use std::path::Path;
 use std::path::PathBuf;
 use std::time::Duration;
 
@@ -203,39 +206,16 @@ fn extract_shell_script_preserves_login_flag() {
 }
 
 #[test]
-fn extract_shell_script_supports_wrapped_command_prefixes() {
-    assert_eq!(
-        extract_shell_script(&[
-            "/usr/bin/env".into(),
-            "CODEX_EXECVE_WRAPPER=1".into(),
-            "/bin/zsh".into(),
-            "-lc".into(),
-            "echo hello".into()
-        ])
-        .unwrap(),
-        ParsedShellCommand {
-            program: "/bin/zsh".to_string(),
-            script: "echo hello".to_string(),
-            login: true,
-        }
-    );
-
-    assert_eq!(
-        extract_shell_script(&[
-            "sandbox-exec".into(),
-            "-p".into(),
-            "sandbox_policy".into(),
-            "/bin/zsh".into(),
-            "-c".into(),
-            "pwd".into(),
-        ])
-        .unwrap(),
-        ParsedShellCommand {
-            program: "/bin/zsh".to_string(),
-            script: "pwd".to_string(),
-            login: false,
-        }
-    );
+fn extract_shell_script_rejects_wrapped_command_prefixes() {
+    let err = extract_shell_script(&[
+        "/usr/bin/env".into(),
+        "CODEX_EXECVE_WRAPPER=1".into(),
+        "/bin/zsh".into(),
+        "-lc".into(),
+        "echo hello".into(),
+    ])
+    .unwrap_err();
+    assert!(matches!(err, super::ToolError::Rejected(_)));
 }
 
 #[test]
@@ -274,6 +254,80 @@ fn join_program_and_argv_replaces_original_argv_zero() {
     );
 }
 
+#[test]
+fn is_unconfigured_zsh_exec_matches_non_configured_zsh_paths() {
+    let program = AbsolutePathBuf::try_from(host_absolute_path(&["bin", "zsh"])).unwrap();
+    let host = PathBuf::from(host_absolute_path(&["bin", "zsh"]));
+    let configured = PathBuf::from(host_absolute_path(&["tmp", "codex-zsh"]));
+    assert!(is_unconfigured_zsh_exec(
+        &program,
+        Some(configured.as_path()),
+        Some(host.as_path()),
+    ));
+}
+
+#[test]
+fn is_unconfigured_zsh_exec_ignores_non_zsh_or_configured_paths() {
+    let configured = PathBuf::from(host_absolute_path(&["tmp", "codex-zsh"]));
+    let host = PathBuf::from(host_absolute_path(&["bin", "zsh"]));
+    let configured_program = AbsolutePathBuf::try_from(configured.clone()).unwrap();
+    assert!(!is_unconfigured_zsh_exec(
+        &configured_program,
+        Some(configured.as_path()),
+        Some(host.as_path()),
+    ));
+
+    let non_zsh =
+        AbsolutePathBuf::try_from(host_absolute_path(&["usr", "bin", "python3"])).unwrap();
+    assert!(!is_unconfigured_zsh_exec(
+        &non_zsh,
+        Some(configured.as_path()),
+        Some(host.as_path()),
+    ));
+    assert!(!is_unconfigured_zsh_exec(
+        &non_zsh,
+        None,
+        Some(host.as_path()),
+    ));
+}
+
+#[test]
+fn is_unconfigured_zsh_exec_does_not_match_non_host_zsh_named_binaries() {
+    let program = AbsolutePathBuf::try_from(host_absolute_path(&["tmp", "repo", "zsh"])).unwrap();
+    let configured = PathBuf::from(host_absolute_path(&["tmp", "codex-zsh"]));
+    let host = PathBuf::from(host_absolute_path(&["bin", "zsh"]));
+    assert!(!is_unconfigured_zsh_exec(
+        &program,
+        Some(configured.as_path()),
+        Some(host.as_path()),
+    ));
+}
+
+#[test]
+fn resolve_host_zsh_path_ignores_repo_local_path_shadowing() {
+    let shadow_dir = tempfile::tempdir().expect("create shadow dir");
+    let cwd_dir = tempfile::tempdir().expect("create cwd dir");
+    let fake_zsh = shadow_dir.path().join("zsh");
+    std::fs::write(&fake_zsh, "#!/bin/sh\nexit 0\n").expect("write fake zsh");
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        let mut permissions = std::fs::metadata(&fake_zsh)
+            .expect("metadata for fake zsh")
+            .permissions();
+        permissions.set_mode(0o755);
+        std::fs::set_permissions(&fake_zsh, permissions).expect("chmod fake zsh");
+    }
+
+    let path_env =
+        std::env::join_paths([shadow_dir.path(), Path::new("/usr/bin"), Path::new("/bin")])
+            .expect("join PATH")
+            .into_string()
+            .expect("PATH should be UTF-8");
+    let resolved = resolve_host_zsh_path(Some(&path_env), cwd_dir.path());
+    assert_ne!(resolved.as_deref(), Some(fake_zsh.as_path()));
+}
+
 #[test]
 fn commands_for_intercepted_exec_policy_parses_plain_shell_wrappers() {
     let program = AbsolutePathBuf::try_from(host_absolute_path(&["bin", "bash"])).unwrap();
@@ -660,6 +714,7 @@ async fn prepare_escalated_exec_turn_default_preserves_macos_seatbelt_extensions
         file_system_sandbox_policy: read_only_file_system_sandbox_policy(),
         network_sandbox_policy: NetworkSandboxPolicy::Restricted,
         windows_sandbox_level: WindowsSandboxLevel::Disabled,
+        windows_sandbox_private_desktop: false,
         sandbox_permissions: SandboxPermissions::UseDefault,
         justification: None,
         arg0: None,
@@ -670,6 +725,8 @@ async fn prepare_escalated_exec_turn_default_preserves_macos_seatbelt_extensions
         }),
         codex_linux_sandbox_exe: None,
         use_legacy_landlock: false,
+        shell_zsh_path: None,
+        host_zsh_path: None,
     };
 
     let prepared = executor
@@ -712,6 +769,7 @@ async fn prepare_escalated_exec_permissions_preserve_macos_seatbelt_extensions()
         file_system_sandbox_policy: unrestricted_file_system_sandbox_policy(),
         network_sandbox_policy: NetworkSandboxPolicy::Enabled,
         windows_sandbox_level: WindowsSandboxLevel::Disabled,
+        windows_sandbox_private_desktop: false,
         sandbox_permissions: SandboxPermissions::UseDefault,
         justification: None,
         arg0: None,
@@ -719,6 +777,8 @@ async fn prepare_escalated_exec_permissions_preserve_macos_seatbelt_extensions()
         macos_seatbelt_profile_extensions: None,
         codex_linux_sandbox_exe: None,
         use_legacy_landlock: false,
+        shell_zsh_path: None,
+        host_zsh_path: None,
     };
 
     let permissions = Permissions {
@@ -787,6 +847,7 @@ async fn prepare_escalated_exec_permission_profile_unions_turn_and_requested_mac
         file_system_sandbox_policy: read_only_file_system_sandbox_policy(),
         network_sandbox_policy: NetworkSandboxPolicy::from(&sandbox_policy),
         windows_sandbox_level: WindowsSandboxLevel::Disabled,
+        windows_sandbox_private_desktop: false,
         sandbox_permissions: SandboxPermissions::UseDefault,
         justification: None,
         arg0: None,
@@ -797,6 +858,8 @@ async fn prepare_escalated_exec_permission_profile_unions_turn_and_requested_mac
         }),
         codex_linux_sandbox_exe: None,
         use_legacy_landlock: false,
+        shell_zsh_path: None,
+        host_zsh_path: None,
     };
 
     let prepared = executor

codex-rs/core/src/tools/runtimes/shell/zsh_fork_backend.rs

@@ -36,9 +36,10 @@ pub(crate) async fn maybe_prepare_unified_exec(
     req: &UnifiedExecRequest,
     attempt: &SandboxAttempt<'_>,
     ctx: &ToolCtx,
+    shell_command: &[String],
     exec_request: ExecRequest,
 ) -> Result<Option<PreparedUnifiedExecSpawn>, ToolError> {
-    imp::maybe_prepare_unified_exec(req, attempt, ctx, exec_request).await
+    imp::maybe_prepare_unified_exec(req, attempt, ctx, shell_command, exec_request).await
 }
 
 #[cfg(unix)]
@@ -51,21 +52,29 @@ mod imp {
 
     #[derive(Debug)]
     struct ZshForkSpawnLifecycle {
-        escalation_session: EscalationSession,
+        escalation_session: Option<EscalationSession>,
     }
 
     impl SpawnLifecycle for ZshForkSpawnLifecycle {
         fn inherited_fds(&self) -> Vec<i32> {
             self.escalation_session
-                .env()
-                .get(ESCALATE_SOCKET_ENV_VAR)
+                .as_ref()
+                .and_then(|escalation_session| {
+                    escalation_session.env().get(ESCALATE_SOCKET_ENV_VAR)
+                })
                 .and_then(|fd| fd.parse().ok())
                 .into_iter()
                 .collect()
         }
 
         fn after_spawn(&mut self) {
-            self.escalation_session.close_client_socket();
+            if let Some(escalation_session) = self.escalation_session.as_ref() {
+                escalation_session.close_client_socket();
+            }
+        }
+
+        fn after_exit(&mut self) {
+            self.escalation_session = None;
         }
     }
 
@@ -82,10 +91,17 @@ mod imp {
         req: &UnifiedExecRequest,
         attempt: &SandboxAttempt<'_>,
         ctx: &ToolCtx,
+        shell_command: &[String],
         exec_request: ExecRequest,
     ) -> Result<Option<PreparedUnifiedExecSpawn>, ToolError> {
-        let Some(prepared) =
-            unix_escalation::prepare_unified_exec_zsh_fork(req, attempt, ctx, exec_request).await?
+        let Some(prepared) = unix_escalation::prepare_unified_exec_zsh_fork(
+            req,
+            attempt,
+            ctx,
+            shell_command,
+            exec_request,
+        )
+        .await?
         else {
             return Ok(None);
         };
@@ -93,7 +109,7 @@ mod imp {
         Ok(Some(PreparedUnifiedExecSpawn {
             exec_request: prepared.exec_request,
             spawn_lifecycle: Box::new(ZshForkSpawnLifecycle {
-                escalation_session: prepared.escalation_session,
+                escalation_session: Some(prepared.escalation_session),
             }),
         }))
     }
@@ -117,9 +133,10 @@ mod imp {
         req: &UnifiedExecRequest,
         attempt: &SandboxAttempt<'_>,
         ctx: &ToolCtx,
+        shell_command: &[String],
         exec_request: ExecRequest,
     ) -> Result<Option<PreparedUnifiedExecSpawn>, ToolError> {
-        let _ = (req, attempt, ctx, exec_request);
+        let _ = (req, attempt, ctx, shell_command, exec_request);
         Ok(None)
     }
 }

codex-rs/core/src/tools/runtimes/unified_exec.rs

@@ -222,7 +222,11 @@ impl<'a> ToolRuntime<UnifiedExecRequest, UnifiedExecProcess> for UnifiedExecRunt
             let exec_env = attempt
                 .env_for(spec, req.network.as_ref())
                 .map_err(|err| ToolError::Codex(err.into()))?;
-            match zsh_fork_backend::maybe_prepare_unified_exec(req, attempt, ctx, exec_env).await? {
+            match zsh_fork_backend::maybe_prepare_unified_exec(
+                req, attempt, ctx, &command, exec_env,
+            )
+            .await?
+            {
                 Some(prepared) => {
                     return self
                         .manager

codex-rs/core/src/tools/spec.rs

@@ -314,8 +314,6 @@ impl ToolsConfig {
         );
         let shell_type = if !features.enabled(Feature::ShellTool) {
             ConfigShellToolType::Disabled
-        } else if features.enabled(Feature::ShellZshFork) {
-            ConfigShellToolType::ShellCommand
         } else if features.enabled(Feature::UnifiedExec) && unified_exec_allowed {
             // If ConPTY not supported (for old Windows versions), fallback on ShellCommand.
             if codex_utils_pty::conpty_supported() {
@@ -326,6 +324,8 @@ impl ToolsConfig {
         } else if model_info.shell_type == ConfigShellToolType::UnifiedExec && !unified_exec_allowed
         {
             ConfigShellToolType::ShellCommand
+        } else if features.enabled(Feature::ShellZshFork) {
+            ConfigShellToolType::ShellCommand
         } else {
             model_info.shell_type
         };
@@ -583,6 +583,7 @@ fn create_approval_parameters(
 fn create_exec_command_tool(
     allow_login_shell: bool,
     exec_permission_approvals_enabled: bool,
+    unified_exec_backend: UnifiedExecBackendConfig,
 ) -> ToolSpec {
     let mut properties = BTreeMap::from([
         (
@@ -600,12 +601,6 @@ fn create_exec_command_tool(
                 ),
             },
         ),
-        (
-            "shell".to_string(),
-            JsonSchema::String {
-                description: Some("Shell binary to launch. Defaults to the user's default shell.".to_string()),
-            },
-        ),
         (
             "tty".to_string(),
             JsonSchema::Boolean {
@@ -633,6 +628,16 @@ fn create_exec_command_tool(
             },
         ),
     ]);
+    if unified_exec_backend != UnifiedExecBackendConfig::ZshFork {
+        properties.insert(
+            "shell".to_string(),
+            JsonSchema::String {
+                description: Some(
+                    "Shell binary to launch. Defaults to the user's default shell.".to_string(),
+                ),
+            },
+        );
+    }
     if allow_login_shell {
         properties.insert(
             "login".to_string(),
@@ -2529,6 +2534,7 @@ pub(crate) fn build_specs_with_discoverable_tools(
                 create_exec_command_tool(
                     config.allow_login_shell,
                     exec_permission_approvals_enabled,
+                    config.unified_exec_backend,
                 ),
                 true,
                 config.code_mode_enabled,

codex-rs/core/src/tools/spec_tests.rs

@@ -446,7 +446,7 @@ fn test_full_toolset_specs_for_gpt5_codex_unified_exec_web_search() {
     // Build expected from the same helpers used by the builder.
     let mut expected: BTreeMap<String, ToolSpec> = BTreeMap::from([]);
     for spec in [
-        create_exec_command_tool(true, false),
+        create_exec_command_tool(true, false, UnifiedExecBackendConfig::Direct),
         create_write_stdin_tool(),
         PLAN_TOOL.clone(),
         create_request_user_input_tool(CollaborationModesConfig::default()),
@@ -1364,7 +1364,7 @@ fn test_build_specs_default_shell_present() {
 }
 
 #[test]
-fn shell_zsh_fork_prefers_shell_command_over_unified_exec() {
+fn shell_zsh_fork_uses_unified_exec_when_enabled() {
     let config = test_config();
     let model_info = ModelsManager::construct_model_info_offline_for_tests("o3", &config);
     let mut features = Features::with_defaults();
@@ -1382,7 +1382,7 @@ fn shell_zsh_fork_prefers_shell_command_over_unified_exec() {
         windows_sandbox_level: WindowsSandboxLevel::Disabled,
     });
 
-    assert_eq!(tools_config.shell_type, ConfigShellToolType::ShellCommand);
+    assert_eq!(tools_config.shell_type, ConfigShellToolType::UnifiedExec);
     assert_eq!(
         tools_config.shell_command_backend,
         ShellCommandBackendConfig::ZshFork
@@ -1391,6 +1391,19 @@ fn shell_zsh_fork_prefers_shell_command_over_unified_exec() {
         tools_config.unified_exec_backend,
         UnifiedExecBackendConfig::ZshFork
     );
+
+    let (tools, _) = build_specs(&tools_config, Some(HashMap::new()), None, &[]).build();
+    let exec_spec = find_tool(&tools, "exec_command");
+    let ToolSpec::Function(exec_tool) = &exec_spec.spec else {
+        panic!("exec_command should be a function tool spec");
+    };
+    let JsonSchema::Object { properties, .. } = &exec_tool.parameters else {
+        panic!("exec_command parameters should be an object schema");
+    };
+    assert!(
+        !properties.contains_key("shell"),
+        "exec_command should omit `shell` when zsh-fork backend forces the configured shell",
+    );
 }
 
 #[test]

codex-rs/core/src/unified_exec/process.rs

@@ -1,6 +1,7 @@
 #![allow(clippy::module_inception)]
 
 use std::sync::Arc;
+use std::sync::Mutex as StdMutex;
 use std::sync::atomic::AtomicBool;
 use std::sync::atomic::Ordering;
 use tokio::sync::Mutex;
@@ -36,6 +37,13 @@ pub(crate) trait SpawnLifecycle: std::fmt::Debug + Send + Sync {
     }
 
     fn after_spawn(&mut self) {}
+
+    /// Releases resources that needed to stay alive until the child process was
+    /// fully launched or until the session was torn down.
+    ///
+    /// This hook must tolerate being called during normal process exit as well
+    /// as early termination paths, and it is guaranteed to run at most once.
+    fn after_exit(&mut self) {}
 }
 
 pub(crate) type SpawnLifecycleHandle = Box<dyn SpawnLifecycle>;
@@ -66,7 +74,8 @@ pub(crate) struct UnifiedExecProcess {
     output_drained: Arc<Notify>,
     output_task: JoinHandle<()>,
     sandbox_type: SandboxType,
-    _spawn_lifecycle: SpawnLifecycleHandle,
+    _spawn_lifecycle: Arc<StdMutex<SpawnLifecycleHandle>>,
+    spawn_lifecycle_released: Arc<AtomicBool>,
 }
 
 impl UnifiedExecProcess {
@@ -74,7 +83,7 @@ impl UnifiedExecProcess {
         process_handle: ExecCommandSession,
         initial_output_rx: tokio::sync::broadcast::Receiver<Vec<u8>>,
         sandbox_type: SandboxType,
-        spawn_lifecycle: SpawnLifecycleHandle,
+        spawn_lifecycle: Arc<StdMutex<SpawnLifecycleHandle>>,
     ) -> Self {
         let output_buffer = Arc::new(Mutex::new(HeadTailBuffer::default()));
         let output_notify = Arc::new(Notify::new());
@@ -119,6 +128,19 @@ impl UnifiedExecProcess {
             output_task,
             sandbox_type,
             _spawn_lifecycle: spawn_lifecycle,
+            spawn_lifecycle_released: Arc::new(AtomicBool::new(false)),
+        }
+    }
+
+    fn release_spawn_lifecycle(&self) {
+        if self
+            .spawn_lifecycle_released
+            .swap(true, std::sync::atomic::Ordering::AcqRel)
+        {
+            return;
+        }
+        if let Ok(mut lifecycle) = self._spawn_lifecycle.lock() {
+            lifecycle.after_exit();
         }
     }
 
@@ -157,6 +179,7 @@ impl UnifiedExecProcess {
     }
 
     pub(super) fn terminate(&self) {
+        self.release_spawn_lifecycle();
         self.output_closed.store(true, Ordering::Release);
         self.output_closed_notify.notify_waiters();
         self.process_handle.terminate();
@@ -232,12 +255,19 @@ impl UnifiedExecProcess {
             mut exit_rx,
         } = spawned;
         let output_rx = codex_utils_pty::combine_output_receivers(stdout_rx, stderr_rx);
-        let managed = Self::new(process_handle, output_rx, sandbox_type, spawn_lifecycle);
+        let spawn_lifecycle = Arc::new(StdMutex::new(spawn_lifecycle));
+        let managed = Self::new(
+            process_handle,
+            output_rx,
+            sandbox_type,
+            Arc::clone(&spawn_lifecycle),
+        );
 
         let exit_ready = matches!(exit_rx.try_recv(), Ok(_) | Err(TryRecvError::Closed));
 
         if exit_ready {
             managed.signal_exit();
+            managed.release_spawn_lifecycle();
             managed.check_for_sandbox_denial().await?;
             return Ok(managed);
         }
@@ -247,14 +277,22 @@ impl UnifiedExecProcess {
             .is_ok()
         {
             managed.signal_exit();
+            managed.release_spawn_lifecycle();
             managed.check_for_sandbox_denial().await?;
             return Ok(managed);
         }
 
         tokio::spawn({
             let cancellation_token = managed.cancellation_token.clone();
+            let spawn_lifecycle = Arc::clone(&spawn_lifecycle);
+            let spawn_lifecycle_released = Arc::clone(&managed.spawn_lifecycle_released);
             async move {
                 let _ = exit_rx.await;
+                if !spawn_lifecycle_released.swap(true, Ordering::AcqRel)
+                    && let Ok(mut lifecycle) = spawn_lifecycle.lock()
+                {
+                    lifecycle.after_exit();
+                }
                 cancellation_token.cancel();
             }
         });

codex-rs/core/tests/common/process.rs

@@ -1,6 +1,7 @@
 use anyhow::Context;
 use std::fs;
 use std::path::Path;
+use std::process::Stdio;
 use std::time::Duration;
 
 pub async fn wait_for_pid_file(path: &Path) -> anyhow::Result<String> {
@@ -24,6 +25,7 @@ pub async fn wait_for_pid_file(path: &Path) -> anyhow::Result<String> {
 pub fn process_is_alive(pid: &str) -> anyhow::Result<bool> {
     let status = std::process::Command::new("kill")
         .args(["-0", pid])
+        .stderr(Stdio::null())
         .status()
         .context("failed to probe process liveness with kill -0")?;
     Ok(status.success())

codex-rs/core/tests/common/zsh_fork.rs

@@ -18,6 +18,10 @@ pub struct ZshForkRuntime {
 }
 
 impl ZshForkRuntime {
+    pub fn zsh_path(&self) -> &Path {
+        &self.zsh_path
+    }
+
     fn apply_to_config(
         &self,
         config: &mut Config,
@@ -91,6 +95,29 @@ where
     builder.build(server).await
 }
 
+pub async fn build_unified_exec_zsh_fork_test<F>(
+    server: &wiremock::MockServer,
+    runtime: ZshForkRuntime,
+    approval_policy: AskForApproval,
+    sandbox_policy: SandboxPolicy,
+    pre_build_hook: F,
+) -> Result<TestCodex>
+where
+    F: FnOnce(&Path) + Send + 'static,
+{
+    let mut builder = test_codex()
+        .with_pre_build_hook(pre_build_hook)
+        .with_config(move |config| {
+            runtime.apply_to_config(config, approval_policy, sandbox_policy);
+            config.use_experimental_unified_exec_tool = true;
+            config
+                .features
+                .enable(Feature::UnifiedExec)
+                .expect("test config should allow feature update");
+        });
+    builder.build(server).await
+}
+
 fn find_test_zsh_path() -> Result<Option<PathBuf>> {
     let repo_root = codex_utils_cargo_bin::repo_root()?;
     let dotslash_zsh = repo_root.join("codex-rs/app-server/tests/suite/zsh");

codex-rs/core/tests/suite/approvals.rs

@@ -35,6 +35,7 @@ use core_test_support::test_codex::TestCodex;
 use core_test_support::test_codex::test_codex;
 use core_test_support::wait_for_event;
 use core_test_support::wait_for_event_with_timeout;
+use core_test_support::zsh_fork::build_unified_exec_zsh_fork_test;
 use core_test_support::zsh_fork::build_zsh_fork_test;
 use core_test_support::zsh_fork::restrictive_workspace_write_policy;
 use core_test_support::zsh_fork::zsh_fork_runtime;
@@ -1985,6 +1986,158 @@ async fn approving_execpolicy_amendment_persists_policy_and_skips_future_prompts
     Ok(())
 }
 
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+#[cfg(unix)]
+async fn unified_exec_zsh_fork_execpolicy_amendment_skips_later_subcommands() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let Some(runtime) = zsh_fork_runtime("unified exec zsh-fork execpolicy amendment test")? else {
+        return Ok(());
+    };
+
+    let approval_policy = AskForApproval::UnlessTrusted;
+    let sandbox_policy = SandboxPolicy::new_read_only_policy();
+    let server = start_mock_server().await;
+    let test = build_unified_exec_zsh_fork_test(
+        &server,
+        runtime,
+        approval_policy,
+        sandbox_policy.clone(),
+        |_| {},
+    )
+    .await?;
+    let allow_prefix_path = test.cwd.path().join("allow-prefix-zsh-fork.txt");
+    let _ = fs::remove_file(&allow_prefix_path);
+
+    let call_id = "allow-prefix-zsh-fork";
+    let command = "touch allow-prefix-zsh-fork.txt && touch allow-prefix-zsh-fork.txt";
+    let event = exec_command_event(
+        call_id,
+        command,
+        Some(1_000),
+        SandboxPermissions::UseDefault,
+        None,
+    )?;
+    let _ = mount_sse_once(
+        &server,
+        sse(vec![
+            ev_response_created("resp-zsh-fork-allow-prefix-1"),
+            event,
+            ev_completed("resp-zsh-fork-allow-prefix-1"),
+        ]),
+    )
+    .await;
+    let results = mount_sse_once(
+        &server,
+        sse(vec![
+            ev_assistant_message("msg-zsh-fork-allow-prefix-1", "done"),
+            ev_completed("resp-zsh-fork-allow-prefix-2"),
+        ]),
+    )
+    .await;
+
+    submit_turn(
+        &test,
+        "allow-prefix-zsh-fork",
+        approval_policy,
+        sandbox_policy,
+    )
+    .await?;
+
+    let expected_execpolicy_amendment = ExecPolicyAmendment::new(vec![
+        "touch".to_string(),
+        "allow-prefix-zsh-fork.txt".to_string(),
+    ]);
+    let mut saw_parent_approval = false;
+    let mut saw_subcommand_approval = false;
+    loop {
+        let event = wait_for_event(&test.codex, |event| {
+            matches!(
+                event,
+                EventMsg::ExecApprovalRequest(_) | EventMsg::TurnComplete(_)
+            )
+        })
+        .await;
+
+        match event {
+            EventMsg::TurnComplete(_) => break,
+            EventMsg::ExecApprovalRequest(approval) => {
+                let command_parts = approval.command.clone();
+                let last_arg = command_parts.last().map(String::as_str).unwrap_or_default();
+                if last_arg == command {
+                    assert!(
+                        !saw_parent_approval,
+                        "unexpected duplicate parent approval: {command_parts:?}"
+                    );
+                    saw_parent_approval = true;
+                    test.codex
+                        .submit(Op::ExecApproval {
+                            id: approval.effective_approval_id(),
+                            turn_id: None,
+                            decision: ReviewDecision::Approved,
+                        })
+                        .await?;
+                    continue;
+                }
+
+                let is_touch_subcommand = command_parts
+                    .iter()
+                    .any(|part| part == "allow-prefix-zsh-fork.txt")
+                    && command_parts
+                        .first()
+                        .is_some_and(|part| part.ends_with("/touch") || part == "touch");
+                if is_touch_subcommand {
+                    assert!(
+                        !saw_subcommand_approval,
+                        "execpolicy amendment should suppress later matching subcommand approvals: {command_parts:?}"
+                    );
+                    saw_subcommand_approval = true;
+                    assert_eq!(
+                        approval.proposed_execpolicy_amendment,
+                        Some(expected_execpolicy_amendment.clone())
+                    );
+                    test.codex
+                        .submit(Op::ExecApproval {
+                            id: approval.effective_approval_id(),
+                            turn_id: None,
+                            decision: ReviewDecision::ApprovedExecpolicyAmendment {
+                                proposed_execpolicy_amendment: expected_execpolicy_amendment
+                                    .clone(),
+                            },
+                        })
+                        .await?;
+                    continue;
+                }
+
+                test.codex
+                    .submit(Op::ExecApproval {
+                        id: approval.effective_approval_id(),
+                        turn_id: None,
+                        decision: ReviewDecision::Approved,
+                    })
+                    .await?;
+            }
+            other => panic!("unexpected event: {other:?}"),
+        }
+    }
+
+    assert!(saw_parent_approval, "expected parent unified-exec approval");
+    assert!(
+        saw_subcommand_approval,
+        "expected at least one intercepted touch approval"
+    );
+
+    let result = parse_result(&results.single_request().function_call_output(call_id));
+    assert_eq!(result.exit_code.unwrap_or(0), 0);
+    assert!(
+        allow_prefix_path.exists(),
+        "expected touch command to complete after approving the first intercepted subcommand; output: {}",
+        result.stdout
+    );
+
+    Ok(())
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 #[cfg(unix)]
 async fn matched_prefix_rule_runs_unsandboxed_under_zsh_fork() -> Result<()> {

codex-rs/core/tests/suite/skill_approval.rs

@@ -20,6 +20,7 @@ use core_test_support::skip_if_no_network;
 use core_test_support::test_codex::TestCodex;
 use core_test_support::wait_for_event;
 use core_test_support::wait_for_event_match;
+use core_test_support::zsh_fork::build_unified_exec_zsh_fork_test;
 use core_test_support::zsh_fork::build_zsh_fork_test;
 use core_test_support::zsh_fork::restrictive_workspace_write_policy;
 use core_test_support::zsh_fork::zsh_fork_runtime;
@@ -50,6 +51,13 @@ fn shell_command_arguments(command: &str) -> Result<String> {
     }))?)
 }
 
+fn exec_command_arguments(command: &str) -> Result<String> {
+    Ok(serde_json::to_string(&json!({
+        "cmd": command,
+        "yield_time_ms": 500,
+    }))?)
+}
+
 async fn submit_turn_with_policies(
     test: &TestCodex,
     prompt: &str,
@@ -89,6 +97,38 @@ echo 'zsh-fork-stderr' >&2
     )
 }
 
+#[cfg(unix)]
+fn write_repo_skill_with_shell_script_contents(
+    repo_root: &Path,
+    name: &str,
+    script_name: &str,
+    script_contents: &str,
+) -> Result<PathBuf> {
+    use std::os::unix::fs::PermissionsExt;
+
+    let skill_dir = repo_root.join(".agents").join("skills").join(name);
+    let scripts_dir = skill_dir.join("scripts");
+    fs::create_dir_all(&scripts_dir)?;
+    fs::write(repo_root.join(".git"), "gitdir: here")?;
+    fs::write(
+        skill_dir.join("SKILL.md"),
+        format!(
+            r#"---
+name: {name}
+description: {name} skill
+---
+"#
+        ),
+    )?;
+
+    let script_path = scripts_dir.join(script_name);
+    fs::write(&script_path, script_contents)?;
+    let mut permissions = fs::metadata(&script_path)?.permissions();
+    permissions.set_mode(0o755);
+    fs::set_permissions(&script_path, permissions)?;
+    Ok(script_path)
+}
+
 #[cfg(unix)]
 fn write_skill_with_shell_script_contents(
     home: &Path,
@@ -541,6 +581,168 @@ permissions:
     Ok(())
 }
 
+#[cfg(unix)]
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn unified_exec_zsh_fork_prompts_for_skill_script_execution() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let Some(runtime) = zsh_fork_runtime("unified exec zsh-fork skill prompt test")? else {
+        return Ok(());
+    };
+
+    let server = start_mock_server().await;
+    let tool_call_id = "uexec-zsh-fork-skill-call";
+    let test = build_unified_exec_zsh_fork_test(
+        &server,
+        runtime,
+        AskForApproval::OnRequest,
+        SandboxPolicy::new_workspace_write_policy(),
+        |home| {
+            write_skill_with_shell_script(home, "mbolin-test-skill", "hello-mbolin.sh").unwrap();
+            write_skill_metadata(
+                home,
+                "mbolin-test-skill",
+                r#"
+permissions:
+  file_system:
+    read:
+      - "./data"
+    write:
+      - "./output"
+"#,
+            )
+            .unwrap();
+        },
+    )
+    .await?;
+
+    let (script_path_str, command) = skill_script_command(&test, "hello-mbolin.sh")?;
+    let arguments = exec_command_arguments(&command)?;
+    let mocks =
+        mount_function_call_agent_response(&server, tool_call_id, &arguments, "exec_command").await;
+
+    submit_turn_with_policies(
+        &test,
+        "use $mbolin-test-skill",
+        AskForApproval::OnRequest,
+        SandboxPolicy::new_workspace_write_policy(),
+    )
+    .await?;
+
+    let approval = wait_for_exec_approval_request(&test)
+        .await
+        .expect("expected exec approval request before completion");
+    assert_eq!(approval.call_id, tool_call_id);
+    assert_eq!(approval.command, vec![script_path_str.clone()]);
+    assert_eq!(
+        approval.available_decisions,
+        Some(vec![
+            ReviewDecision::Approved,
+            ReviewDecision::ApprovedForSession,
+            ReviewDecision::Abort,
+        ])
+    );
+    assert_eq!(
+        approval.additional_permissions,
+        Some(PermissionProfile {
+            file_system: Some(FileSystemPermissions {
+                read: Some(vec![absolute_path(
+                    &test.codex_home_path().join("skills/mbolin-test-skill/data"),
+                )]),
+                write: Some(vec![absolute_path(
+                    &test
+                        .codex_home_path()
+                        .join("skills/mbolin-test-skill/output"),
+                )]),
+            }),
+            ..Default::default()
+        })
+    );
+
+    test.codex
+        .submit(Op::ExecApproval {
+            id: approval.effective_approval_id(),
+            turn_id: None,
+            decision: ReviewDecision::Denied,
+        })
+        .await?;
+
+    wait_for_turn_complete(&test).await;
+
+    let call_output = mocks
+        .completion
+        .single_request()
+        .function_call_output(tool_call_id);
+    let output = call_output["output"].as_str().unwrap_or_default();
+    assert!(
+        output.contains("Execution denied: User denied execution"),
+        "expected rejection marker in function_call_output: {output:?}"
+    );
+
+    Ok(())
+}
+
+#[cfg(unix)]
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn unified_exec_zsh_fork_keeps_skill_loading_pinned_to_turn_cwd() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let Some(runtime) = zsh_fork_runtime("unified exec zsh-fork turn cwd skill test")? else {
+        return Ok(());
+    };
+
+    let server = start_mock_server().await;
+    let tool_call_id = "uexec-zsh-fork-repo-skill-call";
+    let test = build_unified_exec_zsh_fork_test(
+        &server,
+        runtime,
+        AskForApproval::OnRequest,
+        SandboxPolicy::new_workspace_write_policy(),
+        |_| {},
+    )
+    .await?;
+
+    let repo_root = test.cwd_path().join("repo");
+    let script_path = write_repo_skill_with_shell_script_contents(
+        &repo_root,
+        "repo-skill",
+        "repo-skill.sh",
+        "#!/bin/sh\necho 'repo-skill-output'\n",
+    )?;
+    let script_path_quoted = shlex::try_join([script_path.to_string_lossy().as_ref()])?;
+    let repo_root_quoted = shlex::try_join([repo_root.to_string_lossy().as_ref()])?;
+    let command = format!("cd {repo_root_quoted} && {script_path_quoted}");
+    let arguments = exec_command_arguments(&command)?;
+    let mocks =
+        mount_function_call_agent_response(&server, tool_call_id, &arguments, "exec_command").await;
+
+    submit_turn_with_policies(
+        &test,
+        "run the repo skill after changing directories",
+        AskForApproval::OnRequest,
+        SandboxPolicy::new_workspace_write_policy(),
+    )
+    .await?;
+
+    let approval = wait_for_exec_approval_request(&test).await;
+    assert!(
+        approval.is_none(),
+        "changing directories inside unified exec should not load repo-local skills from the shell cwd",
+    );
+
+    let call_output = mocks
+        .completion
+        .single_request()
+        .function_call_output(tool_call_id);
+    let output = call_output["output"].as_str().unwrap_or_default();
+    assert!(
+        output.contains("repo-skill-output"),
+        "expected repo skill script to run without skill-specific approval when only the shell cwd changes: {output:?}"
+    );
+
+    Ok(())
+}
+
 /// Permissionless skills should inherit the turn sandbox without prompting.
 #[cfg(unix)]
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]

codex-rs/core/tests/suite/unified_exec.rs

@@ -1,6 +1,8 @@
 use std::collections::HashMap;
 use std::ffi::OsStr;
 use std::fs;
+#[cfg(unix)]
+use std::path::PathBuf;
 use std::sync::OnceLock;
 
 use anyhow::Context;
@@ -32,6 +34,10 @@ use core_test_support::test_codex::test_codex;
 use core_test_support::wait_for_event;
 use core_test_support::wait_for_event_match;
 use core_test_support::wait_for_event_with_timeout;
+#[cfg(unix)]
+use core_test_support::zsh_fork::build_unified_exec_zsh_fork_test;
+#[cfg(unix)]
+use core_test_support::zsh_fork::zsh_fork_runtime;
 use pretty_assertions::assert_eq;
 use regex_lite::Regex;
 use serde_json::Value;
@@ -155,6 +161,27 @@ fn collect_tool_outputs(bodies: &[Value]) -> Result<HashMap<String, ParsedUnifie
     Ok(outputs)
 }
 
+#[cfg(unix)]
+fn process_text_binary_path(pid: &str) -> Result<PathBuf> {
+    let output = std::process::Command::new("lsof")
+        .args(["-Fn", "-a", "-p", pid, "-d", "txt"])
+        .output()
+        .with_context(|| format!("failed to inspect process {pid} executable mapping with lsof"))?;
+    if !output.status.success() {
+        return Err(anyhow::anyhow!(
+            "lsof failed for pid {pid} with status {:?}",
+            output.status.code()
+        ));
+    }
+
+    let stdout = String::from_utf8(output.stdout).context("lsof output was not UTF-8")?;
+    let path = stdout
+        .lines()
+        .find_map(|line| line.strip_prefix('n'))
+        .ok_or_else(|| anyhow::anyhow!("lsof did not report a text binary path for pid {pid}"))?;
+    Ok(PathBuf::from(path))
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn unified_exec_intercepts_apply_patch_exec_command() -> Result<()> {
     skip_if_no_network!(Ok(()));
@@ -1323,7 +1350,6 @@ async fn exec_command_reports_chunk_and_exit_metadata() -> Result<()> {
         .into_iter()
         .map(|request| request.body_json())
         .collect::<Vec<_>>();
-
     let outputs = collect_tool_outputs(&bodies)?;
     let metadata = outputs
         .get(call_id)
@@ -1445,7 +1471,6 @@ async fn unified_exec_defaults_to_pipe() -> Result<()> {
         .into_iter()
         .map(|request| request.body_json())
         .collect::<Vec<_>>();
-
     let outputs = collect_tool_outputs(&bodies)?;
     let output = outputs
         .get(call_id)
@@ -1539,7 +1564,6 @@ async fn unified_exec_can_enable_tty() -> Result<()> {
         .into_iter()
         .map(|request| request.body_json())
         .collect::<Vec<_>>();
-
     let outputs = collect_tool_outputs(&bodies)?;
     let output = outputs
         .get(call_id)
@@ -1624,7 +1648,6 @@ async fn unified_exec_respects_early_exit_notifications() -> Result<()> {
         .into_iter()
         .map(|request| request.body_json())
         .collect::<Vec<_>>();
-
     let outputs = collect_tool_outputs(&bodies)?;
     let output = outputs
         .get(call_id)
@@ -1823,6 +1846,350 @@ async fn write_stdin_returns_exit_metadata_and_clears_session() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+#[cfg(unix)]
+async fn unified_exec_zsh_fork_keeps_python_repl_attached_to_zsh_session() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let Some(runtime) = zsh_fork_runtime("unified exec zsh-fork tty session test")? else {
+        return Ok(());
+    };
+    let configured_zsh_path =
+        fs::canonicalize(runtime.zsh_path()).unwrap_or_else(|_| runtime.zsh_path().to_path_buf());
+
+    let python = match which("python3") {
+        Ok(path) => path,
+        Err(_) => {
+            eprintln!("python3 not found in PATH, skipping zsh-fork python repl test.");
+            return Ok(());
+        }
+    };
+
+    let server = start_mock_server().await;
+    let test = build_unified_exec_zsh_fork_test(
+        &server,
+        runtime,
+        AskForApproval::Never,
+        SandboxPolicy::new_workspace_write_policy(),
+        |_| {},
+    )
+    .await?;
+
+    let start_call_id = "uexec-zsh-fork-python-start";
+    let send_call_id = "uexec-zsh-fork-python-pid";
+    let exit_call_id = "uexec-zsh-fork-python-exit";
+
+    let start_command = format!("{}; :", python.display());
+    let start_args = serde_json::json!({
+        "cmd": start_command,
+        "yield_time_ms": 500,
+        "tty": true,
+    });
+    let send_args = serde_json::json!({
+        "chars": "import os; print('CODEX_PY_PID=' + str(os.getpid()))\r\n",
+        "session_id": 1000,
+        "yield_time_ms": 500,
+    });
+    let exit_args = serde_json::json!({
+        "chars": "import sys; sys.exit(0)\r\n",
+        "session_id": 1000,
+        "yield_time_ms": 500,
+    });
+
+    let responses = vec![
+        sse(vec![
+            ev_response_created("resp-1"),
+            ev_function_call(
+                start_call_id,
+                "exec_command",
+                &serde_json::to_string(&start_args)?,
+            ),
+            ev_completed("resp-1"),
+        ]),
+        sse(vec![
+            ev_response_created("resp-2"),
+            ev_function_call(
+                send_call_id,
+                "write_stdin",
+                &serde_json::to_string(&send_args)?,
+            ),
+            ev_completed("resp-2"),
+        ]),
+        sse(vec![
+            ev_assistant_message("msg-1", "python is running"),
+            ev_completed("resp-3"),
+        ]),
+        sse(vec![
+            ev_response_created("resp-4"),
+            ev_function_call(
+                exit_call_id,
+                "write_stdin",
+                &serde_json::to_string(&exit_args)?,
+            ),
+            ev_completed("resp-4"),
+        ]),
+        sse(vec![
+            ev_assistant_message("msg-2", "all done"),
+            ev_completed("resp-5"),
+        ]),
+    ];
+    let request_log = mount_sse_sequence(&server, responses).await;
+
+    test.codex
+        .submit(Op::UserTurn {
+            items: vec![UserInput::Text {
+                text: "test unified exec zsh-fork tty behavior".into(),
+                text_elements: Vec::new(),
+            }],
+            final_output_json_schema: None,
+            cwd: test.cwd_path().to_path_buf(),
+            approval_policy: AskForApproval::Never,
+            sandbox_policy: SandboxPolicy::new_workspace_write_policy(),
+            model: test.session_configured.model.clone(),
+            effort: None,
+            summary: None,
+            service_tier: None,
+            collaboration_mode: None,
+            personality: None,
+        })
+        .await?;
+
+    wait_for_event(&test.codex, |event| {
+        matches!(event, EventMsg::TurnComplete(_))
+    })
+    .await;
+
+    let requests = request_log.requests();
+    assert!(!requests.is_empty(), "expected at least one POST request");
+    let bodies = requests
+        .into_iter()
+        .map(|request| request.body_json())
+        .collect::<Vec<_>>();
+    let outputs = collect_tool_outputs(&bodies)?;
+
+    let start_output = outputs
+        .get(start_call_id)
+        .expect("missing start output for exec_command");
+    let process_id = start_output
+        .process_id
+        .clone()
+        .expect("expected process id from exec_command");
+    assert!(
+        start_output.exit_code.is_none(),
+        "initial exec_command should leave the PTY session running"
+    );
+
+    let send_output = outputs
+        .get(send_call_id)
+        .expect("missing write_stdin output");
+    let normalized = send_output.output.replace("\r\n", "\n");
+    let python_pid = Regex::new(r"CODEX_PY_PID=(\d+)")
+        .expect("valid python pid marker regex")
+        .captures(&normalized)
+        .and_then(|captures| captures.get(1))
+        .map(|value| value.as_str().to_string())
+        .with_context(|| format!("missing python pid in output {normalized:?}"))?;
+    assert!(
+        process_is_alive(&python_pid)?,
+        "python process should still be alive after printing its pid, got output {normalized:?}"
+    );
+    assert_eq!(send_output.process_id.as_deref(), Some(process_id.as_str()));
+    assert!(
+        send_output.exit_code.is_none(),
+        "write_stdin should not report an exit code while the process is still running"
+    );
+
+    let zsh_pid = std::process::Command::new("ps")
+        .args(["-o", "ppid=", "-p", &python_pid])
+        .output()
+        .context("failed to look up python parent pid")?;
+    let zsh_pid = String::from_utf8(zsh_pid.stdout)
+        .context("python parent pid output is not UTF-8")?
+        .trim()
+        .to_string();
+    assert!(
+        !zsh_pid.is_empty(),
+        "expected python parent pid to identify the zsh session"
+    );
+    assert!(
+        process_is_alive(&zsh_pid)?,
+        "expected zsh parent process {zsh_pid} to still be alive"
+    );
+
+    let zsh_command = std::process::Command::new("ps")
+        .args(["-o", "command=", "-p", &zsh_pid])
+        .output()
+        .context("failed to look up zsh parent command")?;
+    let zsh_command =
+        String::from_utf8(zsh_command.stdout).context("zsh parent command output is not UTF-8")?;
+    assert!(
+        zsh_command.contains("zsh"),
+        "expected python parent command to be zsh, got {zsh_command:?}"
+    );
+    let zsh_text_binary = process_text_binary_path(&zsh_pid)?;
+    let zsh_text_binary = fs::canonicalize(&zsh_text_binary).unwrap_or(zsh_text_binary);
+    assert_eq!(
+        zsh_text_binary, configured_zsh_path,
+        "python parent shell should run with configured zsh-fork binary, got {:?} ({zsh_command:?})",
+        zsh_text_binary,
+    );
+
+    test.codex
+        .submit(Op::UserTurn {
+            items: vec![UserInput::Text {
+                text: "shut down the python repl".into(),
+                text_elements: Vec::new(),
+            }],
+            final_output_json_schema: None,
+            cwd: test.cwd_path().to_path_buf(),
+            approval_policy: AskForApproval::Never,
+            sandbox_policy: SandboxPolicy::new_workspace_write_policy(),
+            model: test.session_configured.model.clone(),
+            effort: None,
+            summary: None,
+            service_tier: None,
+            collaboration_mode: None,
+            personality: None,
+        })
+        .await?;
+
+    wait_for_event(&test.codex, |event| {
+        matches!(event, EventMsg::TurnComplete(_))
+    })
+    .await;
+
+    let requests = request_log.requests();
+    assert!(!requests.is_empty(), "expected at least one POST request");
+    let bodies = requests
+        .into_iter()
+        .map(|request| request.body_json())
+        .collect::<Vec<_>>();
+    let outputs = collect_tool_outputs(&bodies)?;
+    let exit_output = outputs
+        .get(exit_call_id)
+        .expect("missing exit output after requesting python shutdown");
+    assert!(
+        exit_output.exit_code.is_none() || exit_output.exit_code == Some(0),
+        "exit request should either leave cleanup to the background watcher or report success directly, got {exit_output:?}"
+    );
+    wait_for_process_exit(&python_pid).await?;
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+#[cfg(unix)]
+async fn unified_exec_zsh_fork_rewrites_nested_zsh_exec_to_configured_binary() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let Some(runtime) = zsh_fork_runtime("unified exec zsh-fork nested zsh rewrite test")? else {
+        return Ok(());
+    };
+    let configured_zsh_path =
+        fs::canonicalize(runtime.zsh_path()).unwrap_or_else(|_| runtime.zsh_path().to_path_buf());
+    let host_zsh = match which("zsh") {
+        Ok(path) => path,
+        Err(_) => {
+            eprintln!("zsh not found in PATH, skipping nested zsh rewrite test.");
+            return Ok(());
+        }
+    };
+
+    let server = start_mock_server().await;
+    let test = build_unified_exec_zsh_fork_test(
+        &server,
+        runtime,
+        AskForApproval::Never,
+        SandboxPolicy::new_workspace_write_policy(),
+        |_| {},
+    )
+    .await?;
+
+    let start_call_id = "uexec-zsh-fork-nested-start";
+    let nested_command = format!(
+        "exec {} -lc 'echo CODEX_NESTED_ZSH_PID=$$; sleep 3; :'",
+        host_zsh.display(),
+    );
+    let start_args = serde_json::json!({
+        "cmd": nested_command,
+        "yield_time_ms": 500,
+        "tty": true,
+    });
+
+    let responses = vec![
+        sse(vec![
+            ev_response_created("resp-nested-1"),
+            ev_function_call(
+                start_call_id,
+                "exec_command",
+                &serde_json::to_string(&start_args)?,
+            ),
+            ev_completed("resp-nested-1"),
+        ]),
+        sse(vec![
+            ev_assistant_message("msg-nested-1", "done"),
+            ev_completed("resp-nested-2"),
+        ]),
+    ];
+    let request_log = mount_sse_sequence(&server, responses).await;
+
+    test.codex
+        .submit(Op::UserTurn {
+            items: vec![UserInput::Text {
+                text: "test nested zsh rewrite behavior".into(),
+                text_elements: Vec::new(),
+            }],
+            final_output_json_schema: None,
+            cwd: test.cwd_path().to_path_buf(),
+            approval_policy: AskForApproval::Never,
+            sandbox_policy: SandboxPolicy::new_workspace_write_policy(),
+            model: test.session_configured.model.clone(),
+            effort: None,
+            summary: None,
+            service_tier: None,
+            collaboration_mode: None,
+            personality: None,
+        })
+        .await?;
+
+    wait_for_event(&test.codex, |event| {
+        matches!(event, EventMsg::TurnComplete(_))
+    })
+    .await;
+
+    let requests = request_log.requests();
+    let bodies = requests
+        .into_iter()
+        .map(|request| request.body_json())
+        .collect::<Vec<_>>();
+    let outputs = collect_tool_outputs(&bodies)?;
+
+    let start_output = outputs
+        .get(start_call_id)
+        .expect("missing start output for nested zsh exec_command");
+    let normalized = start_output.output.replace("\r\n", "\n");
+    let nested_zsh_pid = Regex::new(r"CODEX_NESTED_ZSH_PID=(\d+)")
+        .expect("valid nested zsh pid regex")
+        .captures(&normalized)
+        .and_then(|captures| captures.get(1))
+        .map(|value| value.as_str().to_string())
+        .with_context(|| format!("missing nested zsh pid marker in output {normalized:?}"))?;
+    assert!(
+        process_is_alive(&nested_zsh_pid)?,
+        "nested zsh process should be running before release, got output {normalized:?}"
+    );
+
+    let nested_text_binary = process_text_binary_path(&nested_zsh_pid)?;
+    let nested_text_binary = fs::canonicalize(&nested_text_binary).unwrap_or(nested_text_binary);
+    assert_eq!(
+        nested_text_binary, configured_zsh_path,
+        "nested zsh exec should be rewritten to configured zsh-fork binary, got {:?}",
+        nested_text_binary,
+    );
+
+    Ok(())
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn unified_exec_emits_end_event_when_session_dies_via_stdin() -> Result<()> {
     skip_if_no_network!(Ok(()));