core-agent-ide/codex-rs/execpolicy2/src/policy.rs

use crate::decision::Decision;
use crate::rule::RuleMatch;
use crate::rule::RuleRef;
use multimap::MultiMap;
use serde::Deserialize;
use serde::Serialize;

#[derive(Clone, Debug)]
pub struct Policy {
    rules_by_program: MultiMap<String, RuleRef>,
}

impl Policy {
    pub fn new(rules_by_program: MultiMap<String, RuleRef>) -> Self {
        Self { rules_by_program }
    }

    pub fn rules(&self) -> &MultiMap<String, RuleRef> {
        &self.rules_by_program
    }

    pub fn check(&self, cmd: &[String]) -> Evaluation {
        let rules = match cmd.first() {
            Some(first) => match self.rules_by_program.get_vec(first) {
                Some(rules) => rules,
                None => return Evaluation::NoMatch,
            },
            None => return Evaluation::NoMatch,
        };

        let matched_rules: Vec<RuleMatch> =
            rules.iter().filter_map(|rule| rule.matches(cmd)).collect();
        match matched_rules.iter().map(RuleMatch::decision).max() {
            Some(decision) => Evaluation::Match {
                decision,
                matched_rules,
            },
            None => Evaluation::NoMatch,
        }
    }

    pub fn check_multiple<Commands>(&self, commands: Commands) -> Evaluation
    where
        Commands: IntoIterator,
        Commands::Item: AsRef<[String]>,
    {
        let matched_rules: Vec<RuleMatch> = commands
            .into_iter()
            .flat_map(|command| match self.check(command.as_ref()) {
                Evaluation::Match { matched_rules, .. } => matched_rules,
                Evaluation::NoMatch => Vec::new(),
            })
            .collect();

        match matched_rules.iter().map(RuleMatch::decision).max() {
            Some(decision) => Evaluation::Match {
                decision,
                matched_rules,
            },
            None => Evaluation::NoMatch,
        }
    }
}

#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub enum Evaluation {
    NoMatch,
    Match {
        decision: Decision,
        #[serde(rename = "matchedRules")]
        matched_rules: Vec<RuleMatch>,
    },
}

impl Evaluation {
    pub fn is_match(&self) -> bool {
        matches!(self, Self::Match { .. })
    }
}
feat: execpolicy v2 (#6467) ## Summary - Introduces the `codex-execpolicy2` crate. - This PR covers only the prefix-rule subset of the planned execpolicy v2 language; a richer language will follow. ## Policy - Policy language centers on `prefix_rule(pattern=[...], decision?, match?, not_match?)`, where `pattern` is an ordered list of tokens; any element may be a list to denote alternatives. `decision` defaults to `allow`; valid values are `allow`, `prompt`, and `forbidden`. `match` / `not_match` hold example commands that are tokenized and validated at load time (think of these as unit tests). ## Policy shapes - Prefix rules use Starlark syntax: ```starlark prefix_rule( pattern = ["cmd", ["alt1", "alt2"]], # ordered tokens; list entries denote alternatives decision = "prompt", # allow \| prompt \| forbidden; defaults to allow match = [["cmd", "alt1"]], # examples that must match this rule (enforced at compile time) not_match = [["cmd", "oops"]], # examples that must not match this rule (enforced at compile time) ) ``` ## Response shapes - Match: ```json { "match": { "decision": "allow\|prompt\|forbidden", "matchedRules": [ { "prefixRuleMatch": { "matchedPrefix": ["<token>", "..."], "decision": "allow\|prompt\|forbidden" } } ] } } ``` - No match: ```json "noMatch" ``` - `matchedRules` lists every rule whose prefix matched the command; `matchedPrefix` is the exact prefix that matched. - The effective `decision` is the strictest severity across all matches (`forbidden` > `prompt` > `allow`). --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-11-17 10:15:45 -08:00			`use crate::decision::Decision;`
			`use crate::rule::RuleMatch;`
			`use crate::rule::RuleRef;`
			`use multimap::MultiMap;`
			`use serde::Deserialize;`
			`use serde::Serialize;`

			`#[derive(Clone, Debug)]`
			`pub struct Policy {`
			`rules_by_program: MultiMap<String, RuleRef>,`
			`}`

			`impl Policy {`
			`pub fn new(rules_by_program: MultiMap<String, RuleRef>) -> Self {`
			`Self { rules_by_program }`
			`}`

			`pub fn rules(&self) -> &MultiMap<String, RuleRef> {`
			`&self.rules_by_program`
			`}`

			`pub fn check(&self, cmd: &[String]) -> Evaluation {`
			`let rules = match cmd.first() {`
			`Some(first) => match self.rules_by_program.get_vec(first) {`
			`Some(rules) => rules,`
			`None => return Evaluation::NoMatch,`
			`},`
			`None => return Evaluation::NoMatch,`
			`};`

			`let matched_rules: Vec<RuleMatch> =`
			`rules.iter().filter_map(\|rule\| rule.matches(cmd)).collect();`
			`match matched_rules.iter().map(RuleMatch::decision).max() {`
			`Some(decision) => Evaluation::Match {`
			`decision,`
			`matched_rules,`
			`},`
			`None => Evaluation::NoMatch,`
			`}`
			`}`
execpolicy2 extension (#6627) - enabling execpolicy2 parser to parse multiple policy files to build a combined `Policy` (useful if codex detects many `.codexpolicy` files) - adding functionality to `Policy` to allow evaluation of multiple cmds at once (useful when we have chained commands) 2025-11-17 16:44:41 -08:00
			`pub fn check_multiple<Commands>(&self, commands: Commands) -> Evaluation`
			`where`
			`Commands: IntoIterator,`
			`Commands::Item: AsRef<[String]>,`
			`{`
			`let matched_rules: Vec<RuleMatch> = commands`
			`.into_iter()`
			`.flat_map(\|command\| match self.check(command.as_ref()) {`
			`Evaluation::Match { matched_rules, .. } => matched_rules,`
			`Evaluation::NoMatch => Vec::new(),`
			`})`
			`.collect();`

			`match matched_rules.iter().map(RuleMatch::decision).max() {`
			`Some(decision) => Evaluation::Match {`
			`decision,`
			`matched_rules,`
			`},`
			`None => Evaluation::NoMatch,`
			`}`
			`}`
feat: execpolicy v2 (#6467) ## Summary - Introduces the `codex-execpolicy2` crate. - This PR covers only the prefix-rule subset of the planned execpolicy v2 language; a richer language will follow. ## Policy - Policy language centers on `prefix_rule(pattern=[...], decision?, match?, not_match?)`, where `pattern` is an ordered list of tokens; any element may be a list to denote alternatives. `decision` defaults to `allow`; valid values are `allow`, `prompt`, and `forbidden`. `match` / `not_match` hold example commands that are tokenized and validated at load time (think of these as unit tests). ## Policy shapes - Prefix rules use Starlark syntax: ```starlark prefix_rule( pattern = ["cmd", ["alt1", "alt2"]], # ordered tokens; list entries denote alternatives decision = "prompt", # allow \| prompt \| forbidden; defaults to allow match = [["cmd", "alt1"]], # examples that must match this rule (enforced at compile time) not_match = [["cmd", "oops"]], # examples that must not match this rule (enforced at compile time) ) ``` ## Response shapes - Match: ```json { "match": { "decision": "allow\|prompt\|forbidden", "matchedRules": [ { "prefixRuleMatch": { "matchedPrefix": ["<token>", "..."], "decision": "allow\|prompt\|forbidden" } } ] } } ``` - No match: ```json "noMatch" ``` - `matchedRules` lists every rule whose prefix matched the command; `matchedPrefix` is the exact prefix that matched. - The effective `decision` is the strictest severity across all matches (`forbidden` > `prompt` > `allow`). --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-11-17 10:15:45 -08:00			`}`

			`#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]`
			`#[serde(rename_all = "camelCase")]`
			`pub enum Evaluation {`
			`NoMatch,`
			`Match {`
			`decision: Decision,`
			`#[serde(rename = "matchedRules")]`
			`matched_rules: Vec<RuleMatch>,`
			`},`
			`}`

			`impl Evaluation {`
			`pub fn is_match(&self) -> bool {`
			`matches!(self, Self::Match { .. })`
			`}`
			`}`