core-agent-ide/codex-rs/cli/tests/execpolicy.rs

use std::fs;

use assert_cmd::Command;
use pretty_assertions::assert_eq;
use serde_json::json;
use tempfile::TempDir;

#[test]
fn execpolicy_check_matches_expected_json() -> Result<(), Box<dyn std::error::Error>> {
    let codex_home = TempDir::new()?;
    let policy_path = codex_home.path().join("policy.codexpolicy");
    fs::write(
        &policy_path,
        r#"
prefix_rule(
    pattern = ["git", "push"],
    decision = "forbidden",
)
"#,
    )?;

    let output = Command::cargo_bin("codex")?
        .env("CODEX_HOME", codex_home.path())
        .args([
            "execpolicy",
            "check",
            "--policy",
            policy_path
                .to_str()
                .expect("policy path should be valid UTF-8"),
            "git",
            "push",
            "origin",
            "main",
        ])
        .output()?;

    assert!(output.status.success());
    let result: serde_json::Value = serde_json::from_slice(&output.stdout)?;
    assert_eq!(
        result,
        json!({
            "match": {
                "decision": "forbidden",
                "matchedRules": [
                    {
                        "prefixRuleMatch": {
                            "matchedPrefix": ["git", "push"],
                            "decision": "forbidden"
                        }
                    }
                ]
            }
        })
    );

    Ok(())
}
execpolicycheck command in codex cli (#7012) adding execpolicycheck tool onto codex cli this is useful for validating policies (can be multiple) against commands. it will also surface errors in policy syntax: <img width="1150" height="281" alt="Screenshot 2025-11-19 at 12 46 21 PM" src="https://github.com/user-attachments/assets/8f99b403-564c-4172-acc9-6574a8d13dc3" /> this PR also changes output format when there's no match in the CLI. instead of returning the raw string `noMatch`, we return `{"noMatch":{}}` this PR is a rewrite of: https://github.com/openai/codex/pull/6932 (due to the numerous merge conflicts present in the original PR) --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-11-20 16:44:31 -05:00			`use std::fs;`

			`use assert_cmd::Command;`
			`use pretty_assertions::assert_eq;`
			`use serde_json::json;`
			`use tempfile::TempDir;`

			`#[test]`
			`fn execpolicy_check_matches_expected_json() -> Result<(), Box<dyn std::error::Error>> {`
			`let codex_home = TempDir::new()?;`
			`let policy_path = codex_home.path().join("policy.codexpolicy");`
			`fs::write(`
			`&policy_path,`
			`r#"`
			`prefix_rule(`
			`pattern = ["git", "push"],`
			`decision = "forbidden",`
			`)`
			`"#,`
			`)?;`

			`let output = Command::cargo_bin("codex")?`
			`.env("CODEX_HOME", codex_home.path())`
			`.args([`
			`"execpolicy",`
			`"check",`
			`"--policy",`
			`policy_path`
			`.to_str()`
			`.expect("policy path should be valid UTF-8"),`
			`"git",`
			`"push",`
			`"origin",`
			`"main",`
			`])`
			`.output()?;`

			`assert!(output.status.success());`
			`let result: serde_json::Value = serde_json::from_slice(&output.stdout)?;`
			`assert_eq!(`
			`result,`
			`json!({`
			`"match": {`
			`"decision": "forbidden",`
			`"matchedRules": [`
			`{`
			`"prefixRuleMatch": {`
			`"matchedPrefix": ["git", "push"],`
			`"decision": "forbidden"`
			`}`
			`}`
			`]`
			`}`
			`})`
			`);`

			`Ok(())`
			`}`