proposing execpolicy amendment when prompting due to sandbox denial

zhao-oai · zhao-oai · commit bd130e486ec1 · 2025-12-05T16:32:03.000-08:00
diff --git a/codex-rs/core/src/exec_policy.rs b/codex-rs/core/src/exec_policy.rs
@@ -147,41 +147,54 @@ pub(crate) async fn append_execpolicy_amendment_and_update(
     Ok(())
 }
 
-/// Returns a proposed execpolicy amendment only when heuristics caused
-/// the prompt decision, so we can offer to apply that amendment for future runs.
-///
-/// The amendment uses the first command heuristics marked as `Prompt`. If any explicit
-/// execpolicy rule also prompts, we return `None` because applying the amendment would not
-/// skip that policy requirement.
-///
-/// Examples:
-/// - execpolicy: empty. Command: `["python"]`. Heuristics prompt -> `Some(vec!["python"])`.
-/// - execpolicy: empty. Command: `["bash", "-c", "cd /some/folder && prog1 --option1 arg1 && prog2 --option2 arg2"]`.
-///   Parsed commands include `cd /some/folder`, `prog1 --option1 arg1`, and `prog2 --option2 arg2`. If heuristics allow `cd` but prompt
-///   on `prog1`, we return `Some(vec!["prog1", "--option1", "arg1"])`.
-/// - execpolicy: contains a `prompt for prefix ["prog2"]` rule. For the same command as above,
-///   we return `None` because an execpolicy prompt still applies even if we amend execpolicy to allow ["prog1", "--option1", "arg1"].
-fn proposed_execpolicy_amendment(evaluation: &Evaluation) -> Option<ExecPolicyAmendment> {
-    if evaluation.decision != Decision::Prompt {
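+// - If any explicit (non-heuristics) execpolicy rule prompts, return None, because an amendment would not skip that policy requirement.
+// - Otherwise return an amendment for the first command that heuristics marked as `Prompt` (None if there is no such command).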
+// Examples:
+// - execpolicy: empty. Command: `["python"]`. Heuristics prompt -> `Some(vec!["python"])`.
+// - execpolicy: empty. Command: `["bash", "-c", "cd /some/folder && prog1 --option1 arg1 && prog2 --option2 arg2"]`.
+//   Parsed commands include `cd /some/folder`, `prog1 --option1 arg1`, and `prog2 --option2 arg2`. If heuristics allow `cd` but prompt
+//   on `prog1`, we return `Some(vec!["prog1", "--option1", "arg1"])`.
+// - execpolicy: contains a `prompt for prefix ["prog2"]` rule. For the same command as above,
+//   we return `None` because an execpolicy prompt still applies even if we amend execpolicy to allow ["prog1", "--option1", "arg1"].
+fn prompt_execpolicy_amendment(matched_rules: &[RuleMatch]) -> Option<ExecPolicyAmendment> {
+    if matched_rules.iter().any(|rule_match| {
+        !matches!(rule_match, RuleMatch::HeuristicsRuleMatch { .. })
+            && rule_match.decision() == Decision::Prompt
+    }) {
         return None;
     }
 
-    let mut first_prompt_from_heuristics: Option<Vec<String>> = None;
-    for rule_match in &evaluation.matched_rules {
-        match rule_match {
-            RuleMatch::HeuristicsRuleMatch { command, decision } => {
-                if *decision == Decision::Prompt && first_prompt_from_heuristics.is_none() {
-                    first_prompt_from_heuristics = Some(command.clone());
-                }
-            }
-            _ if rule_match.decision() == Decision::Prompt => {
-                return None;
-            }
-            _ => {}
-        }
+    matched_rules
+        .iter()
+        .find_map(|rule_match| match rule_match {
+            RuleMatch::HeuristicsRuleMatch {
+                command,
+                decision: Decision::Prompt,
+            } => Some(ExecPolicyAmendment::from(command.clone())),
+            _ => None,
+        })
+}
+
+// - Note: this amendment is only used when the command fails to run in the sandbox and Codex prompts the user to run it outside the sandbox.
+// - The purpose of this amendment is to bypass the sandbox for similar commands in the future.
+// - If any explicit (non-heuristics) execpolicy rule matches, return None, because we would already be running the command outside the sandbox.
+fn allow_execpolicy_amendment(matched_rules: &[RuleMatch]) -> Option<ExecPolicyAmendment> {
+    if matched_rules
+        .iter()
+        .any(|rule_match| !matches!(rule_match, RuleMatch::HeuristicsRuleMatch { .. }))
+    {
+        return None;
     }
 
-    first_prompt_from_heuristics.map(ExecPolicyAmendment::from)
+    matched_rules
+        .iter()
+        .find_map(|rule_match| match rule_match {
+            RuleMatch::HeuristicsRuleMatch {
+                command,
+                decision: Decision::Allow,
+            } => Some(ExecPolicyAmendment::from(command.clone())),
+            _ => None,
+        })
 }
 
 /// Only return PROMPT_REASON when an execpolicy rule drove the prompt decision.
@@ -233,7 +246,7 @@ pub(crate) async fn create_exec_approval_requirement_for_command(
                 ExecApprovalRequirement::NeedsApproval {
                     reason: derive_prompt_reason(&evaluation),
                     proposed_execpolicy_amendment: if features.enabled(Feature::ExecPolicy) {
-                        proposed_execpolicy_amendment(&evaluation)
+                        prompt_execpolicy_amendment(&evaluation.matched_rules)
                     } else {
                         None
                     },
@@ -242,6 +255,11 @@ pub(crate) async fn create_exec_approval_requirement_for_command(
         }
         Decision::Allow => ExecApprovalRequirement::Skip {
             bypass_sandbox: has_policy_allow,
+            proposed_execpolicy_amendment: if features.enabled(Feature::ExecPolicy) {
+                allow_execpolicy_amendment(&evaluation.matched_rules)
+            } else {
+                None
+            },
         },
     }
 }
@@ -730,4 +748,56 @@ prefix_rule(pattern=["rm"], decision="forbidden")
             }
         );
     }
+
+    #[tokio::test]
+    async fn proposed_execpolicy_amendment_is_present_when_heuristics_allow() {
+        let command = vec!["echo".to_string(), "safe".to_string()];
+
+        let requirement = create_exec_approval_requirement_for_command(
+            &Arc::new(RwLock::new(Policy::empty())),
+            &Features::with_defaults(),
+            &command,
+            AskForApproval::OnRequest,
+            &SandboxPolicy::ReadOnly,
+            SandboxPermissions::UseDefault,
+        )
+        .await;
+
+        assert_eq!(
+            requirement,
+            ExecApprovalRequirement::Skip {
+                bypass_sandbox: false,
+                proposed_execpolicy_amendment: Some(ExecPolicyAmendment::new(command)),
+            }
+        );
+    }
+
+    #[tokio::test]
+    async fn proposed_execpolicy_amendment_is_suppressed_when_policy_matches_allow() {
+        let policy_src = r#"prefix_rule(pattern=["echo"], decision="allow")"#;
+        let mut parser = PolicyParser::new();
+        parser
+            .parse("test.codexpolicy", policy_src)
+            .expect("parse policy");
+        let policy = Arc::new(RwLock::new(parser.build()));
+        let command = vec!["echo".to_string(), "safe".to_string()];
+
+        let requirement = create_exec_approval_requirement_for_command(
+            &policy,
+            &Features::with_defaults(),
+            &command,
+            AskForApproval::OnRequest,
+            &SandboxPolicy::ReadOnly,
+            SandboxPermissions::UseDefault,
+        )
+        .await;
+
+        assert_eq!(
+            requirement,
+            ExecApprovalRequirement::Skip {
+                bypass_sandbox: true,
+                proposed_execpolicy_amendment: None,
+            }
+        );
+    }
 }
diff --git a/codex-rs/core/src/tools/runtimes/shell.rs b/codex-rs/core/src/tools/runtimes/shell.rs
@@ -133,7 +133,8 @@ impl Approvable<ShellRequest> for ShellRuntime {
             || matches!(
                 req.exec_approval_requirement,
                 ExecApprovalRequirement::Skip {
-                    bypass_sandbox: true
+                    bypass_sandbox: true,
+                    ..
                 }
             )
         {
diff --git a/codex-rs/core/src/tools/runtimes/unified_exec.rs b/codex-rs/core/src/tools/runtimes/unified_exec.rs
@@ -154,7 +154,8 @@ impl Approvable<UnifiedExecRequest> for UnifiedExecRuntime<'_> {
             || matches!(
                 req.exec_approval_requirement,
                 ExecApprovalRequirement::Skip {
-                    bypass_sandbox: true
+                    bypass_sandbox: true,
+                    ..
                 }
             )
         {
diff --git a/codex-rs/core/src/tools/sandboxing.rs b/codex-rs/core/src/tools/sandboxing.rs
@@ -95,6 +95,9 @@ pub(crate) enum ExecApprovalRequirement {
         /// The first attempt should skip sandboxing (e.g., when explicitly
         /// greenlit by policy).
         bypass_sandbox: bool,
+        /// Proposed execpolicy amendment to skip future approvals for similar commands.
+        /// Only applies if the command fails to run in the sandbox and Codex prompts the user to run it outside the sandbox.
+        proposed_execpolicy_amendment: Option<ExecPolicyAmendment>,
     },
     /// Approval required for this tool call.
     NeedsApproval {
@@ -114,6 +117,10 @@ impl ExecApprovalRequirement {
                 proposed_execpolicy_amendment: Some(prefix),
                 ..
             } => Some(prefix),
+            Self::Skip {
+                proposed_execpolicy_amendment: Some(prefix),
+                ..
+            } => Some(prefix),
             _ => None,
         }
     }
@@ -140,6 +147,7 @@ pub(crate) fn default_exec_approval_requirement(
     } else {
         ExecApprovalRequirement::Skip {
             bypass_sandbox: false,
+            proposed_execpolicy_amendment: None,
         }
     }
 }
diff --git a/codex-rs/core/tests/suite/approvals.rs b/codex-rs/core/tests/suite/approvals.rs
@@ -453,6 +453,7 @@ enum Outcome {
     ExecApproval {
         decision: ReviewDecision,
         expected_reason: Option<&'static str>,
+        expect_proposed_execpolicy_amendment: bool,
     },
     PatchApproval {
         decision: ReviewDecision,
@@ -773,6 +774,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Approved,
                 expected_reason: None,
+                expect_proposed_execpolicy_amendment: false,
             },
             expectation: Expectation::FileCreated {
                 target: TargetPath::OutsideWorkspace("dfa_unless_trusted.txt"),
@@ -793,6 +795,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Approved,
                 expected_reason: None,
+                expect_proposed_execpolicy_amendment: false,
             },
             expectation: Expectation::FileCreatedNoExitCode {
                 target: TargetPath::OutsideWorkspace("dfa_unless_trusted_5_1.txt"),
@@ -847,6 +850,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Approved,
                 expected_reason: None,
+                expect_proposed_execpolicy_amendment: false,
             },
             expectation: Expectation::FileCreated {
                 target: TargetPath::Workspace("ro_on_request.txt"),
@@ -867,6 +871,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Approved,
                 expected_reason: None,
+                expect_proposed_execpolicy_amendment: false,
             },
             expectation: Expectation::FileCreatedNoExitCode {
                 target: TargetPath::Workspace("ro_on_request_5_1.txt"),
@@ -931,6 +936,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Denied,
                 expected_reason: None,
+                expect_proposed_execpolicy_amendment: false,
             },
             expectation: Expectation::FileNotCreated {
                 target: TargetPath::Workspace("ro_on_request_denied.txt"),
@@ -952,6 +958,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Approved,
                 expected_reason: Some("command failed; retry without sandbox?"),
+                expect_proposed_execpolicy_amendment: true,
             },
             expectation: Expectation::FileCreated {
                 target: TargetPath::Workspace("ro_on_failure.txt"),
@@ -973,6 +980,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Approved,
                 expected_reason: Some("command failed; retry without sandbox?"),
+                expect_proposed_execpolicy_amendment: true,
             },
             expectation: Expectation::FileCreatedNoExitCode {
                 target: TargetPath::Workspace("ro_on_failure_5_1.txt"),
@@ -993,6 +1001,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Approved,
                 expected_reason: None,
+                expect_proposed_execpolicy_amendment: false,
             },
             expectation: Expectation::NetworkSuccess {
                 body_contains: "read-only-network-ok",
@@ -1012,6 +1021,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Approved,
                 expected_reason: None,
+                expect_proposed_execpolicy_amendment: false,
             },
             expectation: Expectation::NetworkSuccessNoExitCode {
                 body_contains: "read-only-network-ok",
@@ -1184,6 +1194,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Approved,
                 expected_reason: None,
+                expect_proposed_execpolicy_amendment: false,
             },
             expectation: Expectation::FileCreated {
                 target: TargetPath::Workspace("ro_unless_trusted.txt"),
@@ -1204,6 +1215,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Approved,
                 expected_reason: None,
+                expect_proposed_execpolicy_amendment: false,
             },
             expectation: Expectation::FileCreatedNoExitCode {
                 target: TargetPath::Workspace("ro_unless_trusted_5_1.txt"),
@@ -1294,6 +1306,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Approved,
                 expected_reason: None,
+                expect_proposed_execpolicy_amendment: false,
             },
             expectation: Expectation::FileCreated {
                 target: TargetPath::OutsideWorkspace("ww_on_request_outside.txt"),
@@ -1331,6 +1344,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Approved,
                 expected_reason: Some("command failed; retry without sandbox?"),
+                expect_proposed_execpolicy_amendment: false,
             },
             expectation: Expectation::FileCreated {
                 target: TargetPath::OutsideWorkspace("ww_on_failure.txt"),
@@ -1351,6 +1365,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Approved,
                 expected_reason: None,
+                expect_proposed_execpolicy_amendment: false,
             },
             expectation: Expectation::FileCreated {
                 target: TargetPath::OutsideWorkspace("ww_unless_trusted.txt"),
@@ -1413,6 +1428,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Approved,
                 expected_reason: Some(DEFAULT_UNIFIED_EXEC_JUSTIFICATION),
+                expect_proposed_execpolicy_amendment: false,
             },
             expectation: Expectation::CommandSuccess {
                 stdout_contains: "escalated unified exec",
@@ -1432,6 +1448,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
             outcome: Outcome::ExecApproval {
                 decision: ReviewDecision::Denied,
                 expected_reason: None,
+                expect_proposed_execpolicy_amendment: false,
             },
             expectation: Expectation::CommandFailure {
                 output_contains: "rejected by user",
@@ -1508,6 +1525,7 @@ async fn run_scenario(scenario: &ScenarioSpec) -> Result<()> {
         Outcome::ExecApproval {
             decision,
             expected_reason,
+            expect_proposed_execpolicy_amendment,
         } => {
             let command = expected_command
                 .as_deref()
@@ -1521,6 +1539,17 @@ async fn run_scenario(scenario: &ScenarioSpec) -> Result<()> {
                     scenario.name
                 );
             }
+            if *expect_proposed_execpolicy_amendment {
+                let amendment = approval
+                    .proposed_execpolicy_amendment
+                    .as_ref()
+                    .expect("expected proposed execpolicy amendment in approval request");
+                assert_eq!(
+                    amendment.command().last(),
+                    approval.command.last(),
+                    "expected proposed amendment to match the first heuristics command"
+                );
+            }
             test.codex
                 .submit(Op::ExecApproval {
                     id: "0".into(),

Original file line number	Diff line number	Diff line change
`@@ -133,7 +133,8 @@ impl Approvable<ShellRequest> for ShellRuntime {`
`133`	`133`	`\|\| matches!(`
`134`	`134`	`req.exec_approval_requirement,`
`135`	`135`	`ExecApprovalRequirement::Skip {`
`136`		`- bypass_sandbox: true`
	`136`	`+ bypass_sandbox: true,`
	`137`	`+ ..`
`137`	`138`	`}`
`138`	`139`	`)`
`139`	`140`	`{`
Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,8 @@ impl Approvable<UnifiedExecRequest> for UnifiedExecRuntime<'_> {`
`154`	`154`	`\|\| matches!(`
`155`	`155`	`req.exec_approval_requirement,`
`156`	`156`	`ExecApprovalRequirement::Skip {`
`157`		`- bypass_sandbox: true`
	`157`	`+ bypass_sandbox: true,`
	`158`	`+ ..`
`158`	`159`	`}`
`159`	`160`	`)`
`160`	`161`	`{`
Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,9 @@ pub(crate) enum ExecApprovalRequirement {`
`95`	`95`	`/// The first attempt should skip sandboxing (e.g., when explicitly`
`96`	`96`	`/// greenlit by policy).`
`97`	`97`	`bypass_sandbox: bool,`
	`98`	`+ /// Proposed execpolicy amendment to skip future approvals for similar commands`
	`99`	`+ /// Only applies if the command fails to run in sandbox and codex prompts the user to run outside the sandbox.`
	`100`	`+ proposed_execpolicy_amendment: Option<ExecPolicyAmendment>,`
`98`	`101`	`},`
`99`	`102`	`/// Approval required for this tool call.`
`100`	`103`	`NeedsApproval {`
`@@ -114,6 +117,10 @@ impl ExecApprovalRequirement {`
`114`	`117`	`proposed_execpolicy_amendment: Some(prefix),`
`115`	`118`	`..`
`116`	`119`	`} => Some(prefix),`
	`120`	`+ Self::Skip {`
	`121`	`+ proposed_execpolicy_amendment: Some(prefix),`
	`122`	`+ ..`
	`123`	`+ } => Some(prefix),`
`117`	`124`	`_ => None,`
`118`	`125`	`}`
`119`	`126`	`}`
`@@ -140,6 +147,7 @@ pub(crate) fn default_exec_approval_requirement(`
`140`	`147`	`} else {`
`141`	`148`	`ExecApprovalRequirement::Skip {`
`142`	`149`	`bypass_sandbox: false,`
	`150`	`+ proposed_execpolicy_amendment: None,`
`143`	`151`	`}`
`144`	`152`	`}`
`145`	`153`	`}`