core/core-agent-ide
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
core-agent-ide/codex-rs/execpolicy/src/rule.rs

167 lines
4.7 KiB
Rust
Raw Normal View History

feat: execpolicy v2 (#6467) ## Summary - Introduces the `codex-execpolicy2` crate. - This PR covers only the prefix-rule subset of the planned execpolicy v2 language; a richer language will follow. ## Policy - Policy language centers on `prefix_rule(pattern=[...], decision?, match?, not_match?)`, where `pattern` is an ordered list of tokens; any element may be a list to denote alternatives. `decision` defaults to `allow`; valid values are `allow`, `prompt`, and `forbidden`. `match` / `not_match` hold example commands that are tokenized and validated at load time (think of these as unit tests). ## Policy shapes - Prefix rules use Starlark syntax: ```starlark prefix_rule( pattern = ["cmd", ["alt1", "alt2"]], # ordered tokens; list entries denote alternatives decision = "prompt", # allow | prompt | forbidden; defaults to allow match = [["cmd", "alt1"]], # examples that must match this rule (enforced at compile time) not_match = [["cmd", "oops"]], # examples that must not match this rule (enforced at compile time) ) ``` ## Response shapes - Match: ```json { "match": { "decision": "allow|prompt|forbidden", "matchedRules": [ { "prefixRuleMatch": { "matchedPrefix": ["<token>", "..."], "decision": "allow|prompt|forbidden" } } ] } } ``` - No match: ```json "noMatch" ``` - `matchedRules` lists every rule whose prefix matched the command; `matchedPrefix` is the exact prefix that matched. - The effective `decision` is the strictest severity across all matches (`forbidden` > `prompt` > `allow`). --------- Co-authored-by: Michael Bolin <mbolin@openai.com>
2025-11-17 10:15:45 -08:00
use crate::decision::Decision;
use crate::error::Error;
use crate::error::Result;
use serde::Deserialize;
use serde::Serialize;
use shlex::try_join;
use std::any::Any;
use std::fmt::Debug;
use std::sync::Arc;
/// Matches a single command token, either a fixed string or one of several allowed alternatives.
#[derive(Clone, Debug, Eq, PartialEq)]
pub enum PatternToken {
Single(String),
Alts(Vec<String>),
}
impl PatternToken {
fn matches(&self, token: &str) -> bool {
match self {
Self::Single(expected) => expected == token,
Self::Alts(alternatives) => alternatives.iter().any(|alt| alt == token),
}
}
pub fn alternatives(&self) -> &[String] {
match self {
Self::Single(expected) => std::slice::from_ref(expected),
Self::Alts(alternatives) => alternatives,
}
}
}
/// Prefix matcher for commands with support for alternative match tokens.
/// First token is fixed since we key by the first token in policy.
#[derive(Clone, Debug, Eq, PartialEq)]
pub struct PrefixPattern {
pub first: Arc<str>,
pub rest: Arc<[PatternToken]>,
}
impl PrefixPattern {
pub fn matches_prefix(&self, cmd: &[String]) -> Option<Vec<String>> {
let pattern_length = self.rest.len() + 1;
if cmd.len() < pattern_length || cmd[0] != self.first.as_ref() {
return None;
}
for (pattern_token, cmd_token) in self.rest.iter().zip(&cmd[1..pattern_length]) {
if !pattern_token.matches(cmd_token) {
return None;
}
}
Some(cmd[..pattern_length].to_vec())
}
}
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub enum RuleMatch {
PrefixRuleMatch {
#[serde(rename = "matchedPrefix")]
matched_prefix: Vec<String>,
decision: Decision,
feat: add justification arg to prefix_rule() in *.rules (#8751) Adds an optional `justification` parameter to the `prefix_rule()` execpolicy DSL so policy authors can attach human-readable rationale to a rule. That justification is propagated through parsing/matching and can be surfaced to the model (or approval UI) when a command is blocked or requires approval. When a command is rejected (or gated behind approval) due to policy, a generic message makes it hard for the model/user to understand what went wrong and what to do instead. Allowing policy authors to supply a short justification improves debuggability and helps guide the model toward compliant alternatives. Example: ```python prefix_rule( pattern = ["git", "push"], decision = "forbidden", justification = "pushing is blocked in this repo", ) ``` If Codex tried to run `git push origin main`, now the failure would include: ``` `git push origin main` rejected: pushing is blocked in this repo ``` whereas previously, all it was told was: ``` execpolicy forbids this command ```
2026-01-05 13:24:48 -08:00
/// Optional rationale for why this rule exists.
///
/// This can be supplied for any decision and may be surfaced in different contexts
/// (e.g., prompt reasons or rejection messages).
#[serde(skip_serializing_if = "Option::is_none")]
justification: Option<String>,
feat: execpolicy v2 (#6467) ## Summary - Introduces the `codex-execpolicy2` crate. - This PR covers only the prefix-rule subset of the planned execpolicy v2 language; a richer language will follow. ## Policy - Policy language centers on `prefix_rule(pattern=[...], decision?, match?, not_match?)`, where `pattern` is an ordered list of tokens; any element may be a list to denote alternatives. `decision` defaults to `allow`; valid values are `allow`, `prompt`, and `forbidden`. `match` / `not_match` hold example commands that are tokenized and validated at load time (think of these as unit tests). ## Policy shapes - Prefix rules use Starlark syntax: ```starlark prefix_rule( pattern = ["cmd", ["alt1", "alt2"]], # ordered tokens; list entries denote alternatives decision = "prompt", # allow | prompt | forbidden; defaults to allow match = [["cmd", "alt1"]], # examples that must match this rule (enforced at compile time) not_match = [["cmd", "oops"]], # examples that must not match this rule (enforced at compile time) ) ``` ## Response shapes - Match: ```json { "match": { "decision": "allow|prompt|forbidden", "matchedRules": [ { "prefixRuleMatch": { "matchedPrefix": ["<token>", "..."], "decision": "allow|prompt|forbidden" } } ] } } ``` - No match: ```json "noMatch" ``` - `matchedRules` lists every rule whose prefix matched the command; `matchedPrefix` is the exact prefix that matched. - The effective `decision` is the strictest severity across all matches (`forbidden` > `prompt` > `allow`). --------- Co-authored-by: Michael Bolin <mbolin@openai.com>
2025-11-17 10:15:45 -08:00
},
Refactor execpolicy fallback evaluation (#7544) ## Refactor of the `execpolicy` crate To illustrate why we need this refactor, consider an agent attempting to run `apple | rm -rf ./`. Suppose `apple` is allowed by `execpolicy`. Before this PR, `execpolicy` would consider `apple` and `pear` and only render one rule match: `Allow`. We would skip any heuristics checks on `rm -rf ./` and immediately approve `apple | rm -rf ./` to run. To fix this, we now thread a `fallback` evaluation function into `execpolicy` that runs when no `execpolicy` rules match a given command. In our example, we would run `fallback` on `rm -rf ./` and prevent `apple | rm -rf ./` from being run without approval.
2025-12-04 02:39:48 -05:00
HeuristicsRuleMatch {
command: Vec<String>,
decision: Decision,
},
feat: execpolicy v2 (#6467) ## Summary - Introduces the `codex-execpolicy2` crate. - This PR covers only the prefix-rule subset of the planned execpolicy v2 language; a richer language will follow. ## Policy - Policy language centers on `prefix_rule(pattern=[...], decision?, match?, not_match?)`, where `pattern` is an ordered list of tokens; any element may be a list to denote alternatives. `decision` defaults to `allow`; valid values are `allow`, `prompt`, and `forbidden`. `match` / `not_match` hold example commands that are tokenized and validated at load time (think of these as unit tests). ## Policy shapes - Prefix rules use Starlark syntax: ```starlark prefix_rule( pattern = ["cmd", ["alt1", "alt2"]], # ordered tokens; list entries denote alternatives decision = "prompt", # allow | prompt | forbidden; defaults to allow match = [["cmd", "alt1"]], # examples that must match this rule (enforced at compile time) not_match = [["cmd", "oops"]], # examples that must not match this rule (enforced at compile time) ) ``` ## Response shapes - Match: ```json { "match": { "decision": "allow|prompt|forbidden", "matchedRules": [ { "prefixRuleMatch": { "matchedPrefix": ["<token>", "..."], "decision": "allow|prompt|forbidden" } } ] } } ``` - No match: ```json "noMatch" ``` - `matchedRules` lists every rule whose prefix matched the command; `matchedPrefix` is the exact prefix that matched. - The effective `decision` is the strictest severity across all matches (`forbidden` > `prompt` > `allow`). --------- Co-authored-by: Michael Bolin <mbolin@openai.com>
2025-11-17 10:15:45 -08:00
}
impl RuleMatch {
pub fn decision(&self) -> Decision {
match self {
Self::PrefixRuleMatch { decision, .. } => *decision,
Refactor execpolicy fallback evaluation (#7544) ## Refactor of the `execpolicy` crate To illustrate why we need this refactor, consider an agent attempting to run `apple | rm -rf ./`. Suppose `apple` is allowed by `execpolicy`. Before this PR, `execpolicy` would consider `apple` and `pear` and only render one rule match: `Allow`. We would skip any heuristics checks on `rm -rf ./` and immediately approve `apple | rm -rf ./` to run. To fix this, we now thread a `fallback` evaluation function into `execpolicy` that runs when no `execpolicy` rules match a given command. In our example, we would run `fallback` on `rm -rf ./` and prevent `apple | rm -rf ./` from being run without approval.
2025-12-04 02:39:48 -05:00
Self::HeuristicsRuleMatch { decision, .. } => *decision,
feat: execpolicy v2 (#6467) ## Summary - Introduces the `codex-execpolicy2` crate. - This PR covers only the prefix-rule subset of the planned execpolicy v2 language; a richer language will follow. ## Policy - Policy language centers on `prefix_rule(pattern=[...], decision?, match?, not_match?)`, where `pattern` is an ordered list of tokens; any element may be a list to denote alternatives. `decision` defaults to `allow`; valid values are `allow`, `prompt`, and `forbidden`. `match` / `not_match` hold example commands that are tokenized and validated at load time (think of these as unit tests). ## Policy shapes - Prefix rules use Starlark syntax: ```starlark prefix_rule( pattern = ["cmd", ["alt1", "alt2"]], # ordered tokens; list entries denote alternatives decision = "prompt", # allow | prompt | forbidden; defaults to allow match = [["cmd", "alt1"]], # examples that must match this rule (enforced at compile time) not_match = [["cmd", "oops"]], # examples that must not match this rule (enforced at compile time) ) ``` ## Response shapes - Match: ```json { "match": { "decision": "allow|prompt|forbidden", "matchedRules": [ { "prefixRuleMatch": { "matchedPrefix": ["<token>", "..."], "decision": "allow|prompt|forbidden" } } ] } } ``` - No match: ```json "noMatch" ``` - `matchedRules` lists every rule whose prefix matched the command; `matchedPrefix` is the exact prefix that matched. - The effective `decision` is the strictest severity across all matches (`forbidden` > `prompt` > `allow`). --------- Co-authored-by: Michael Bolin <mbolin@openai.com>
2025-11-17 10:15:45 -08:00
}
}
}
#[derive(Clone, Debug, Eq, PartialEq)]
pub struct PrefixRule {
pub pattern: PrefixPattern,
pub decision: Decision,
feat: add justification arg to prefix_rule() in *.rules (#8751) Adds an optional `justification` parameter to the `prefix_rule()` execpolicy DSL so policy authors can attach human-readable rationale to a rule. That justification is propagated through parsing/matching and can be surfaced to the model (or approval UI) when a command is blocked or requires approval. When a command is rejected (or gated behind approval) due to policy, a generic message makes it hard for the model/user to understand what went wrong and what to do instead. Allowing policy authors to supply a short justification improves debuggability and helps guide the model toward compliant alternatives. Example: ```python prefix_rule( pattern = ["git", "push"], decision = "forbidden", justification = "pushing is blocked in this repo", ) ``` If Codex tried to run `git push origin main`, now the failure would include: ``` `git push origin main` rejected: pushing is blocked in this repo ``` whereas previously, all it was told was: ``` execpolicy forbids this command ```
2026-01-05 13:24:48 -08:00
pub justification: Option<String>,
feat: execpolicy v2 (#6467) ## Summary - Introduces the `codex-execpolicy2` crate. - This PR covers only the prefix-rule subset of the planned execpolicy v2 language; a richer language will follow. ## Policy - Policy language centers on `prefix_rule(pattern=[...], decision?, match?, not_match?)`, where `pattern` is an ordered list of tokens; any element may be a list to denote alternatives. `decision` defaults to `allow`; valid values are `allow`, `prompt`, and `forbidden`. `match` / `not_match` hold example commands that are tokenized and validated at load time (think of these as unit tests). ## Policy shapes - Prefix rules use Starlark syntax: ```starlark prefix_rule( pattern = ["cmd", ["alt1", "alt2"]], # ordered tokens; list entries denote alternatives decision = "prompt", # allow | prompt | forbidden; defaults to allow match = [["cmd", "alt1"]], # examples that must match this rule (enforced at compile time) not_match = [["cmd", "oops"]], # examples that must not match this rule (enforced at compile time) ) ``` ## Response shapes - Match: ```json { "match": { "decision": "allow|prompt|forbidden", "matchedRules": [ { "prefixRuleMatch": { "matchedPrefix": ["<token>", "..."], "decision": "allow|prompt|forbidden" } } ] } } ``` - No match: ```json "noMatch" ``` - `matchedRules` lists every rule whose prefix matched the command; `matchedPrefix` is the exact prefix that matched. - The effective `decision` is the strictest severity across all matches (`forbidden` > `prompt` > `allow`). --------- Co-authored-by: Michael Bolin <mbolin@openai.com>
2025-11-17 10:15:45 -08:00
}
pub trait Rule: Any + Debug + Send + Sync {
fn program(&self) -> &str;
fn matches(&self, cmd: &[String]) -> Option<RuleMatch>;
feat(core) RequestRule (#9489) ## Summary Instead of trying to derive the prefix_rule for a command mechanically, let's let the model decide for us. ## Testing - [x] tested locally
2026-01-28 01:43:17 -07:00
fn as_any(&self) -> &dyn Any;
feat: execpolicy v2 (#6467) ## Summary - Introduces the `codex-execpolicy2` crate. - This PR covers only the prefix-rule subset of the planned execpolicy v2 language; a richer language will follow. ## Policy - Policy language centers on `prefix_rule(pattern=[...], decision?, match?, not_match?)`, where `pattern` is an ordered list of tokens; any element may be a list to denote alternatives. `decision` defaults to `allow`; valid values are `allow`, `prompt`, and `forbidden`. `match` / `not_match` hold example commands that are tokenized and validated at load time (think of these as unit tests). ## Policy shapes - Prefix rules use Starlark syntax: ```starlark prefix_rule( pattern = ["cmd", ["alt1", "alt2"]], # ordered tokens; list entries denote alternatives decision = "prompt", # allow | prompt | forbidden; defaults to allow match = [["cmd", "alt1"]], # examples that must match this rule (enforced at compile time) not_match = [["cmd", "oops"]], # examples that must not match this rule (enforced at compile time) ) ``` ## Response shapes - Match: ```json { "match": { "decision": "allow|prompt|forbidden", "matchedRules": [ { "prefixRuleMatch": { "matchedPrefix": ["<token>", "..."], "decision": "allow|prompt|forbidden" } } ] } } ``` - No match: ```json "noMatch" ``` - `matchedRules` lists every rule whose prefix matched the command; `matchedPrefix` is the exact prefix that matched. - The effective `decision` is the strictest severity across all matches (`forbidden` > `prompt` > `allow`). --------- Co-authored-by: Michael Bolin <mbolin@openai.com>
2025-11-17 10:15:45 -08:00
}
pub type RuleRef = Arc<dyn Rule>;
impl Rule for PrefixRule {
fn program(&self) -> &str {
self.pattern.first.as_ref()
}
fn matches(&self, cmd: &[String]) -> Option<RuleMatch> {
self.pattern
.matches_prefix(cmd)
.map(|matched_prefix| RuleMatch::PrefixRuleMatch {
matched_prefix,
decision: self.decision,
feat: add justification arg to prefix_rule() in *.rules (#8751) Adds an optional `justification` parameter to the `prefix_rule()` execpolicy DSL so policy authors can attach human-readable rationale to a rule. That justification is propagated through parsing/matching and can be surfaced to the model (or approval UI) when a command is blocked or requires approval. When a command is rejected (or gated behind approval) due to policy, a generic message makes it hard for the model/user to understand what went wrong and what to do instead. Allowing policy authors to supply a short justification improves debuggability and helps guide the model toward compliant alternatives. Example: ```python prefix_rule( pattern = ["git", "push"], decision = "forbidden", justification = "pushing is blocked in this repo", ) ``` If Codex tried to run `git push origin main`, now the failure would include: ``` `git push origin main` rejected: pushing is blocked in this repo ``` whereas previously, all it was told was: ``` execpolicy forbids this command ```
2026-01-05 13:24:48 -08:00
justification: self.justification.clone(),
feat: execpolicy v2 (#6467) ## Summary - Introduces the `codex-execpolicy2` crate. - This PR covers only the prefix-rule subset of the planned execpolicy v2 language; a richer language will follow. ## Policy - Policy language centers on `prefix_rule(pattern=[...], decision?, match?, not_match?)`, where `pattern` is an ordered list of tokens; any element may be a list to denote alternatives. `decision` defaults to `allow`; valid values are `allow`, `prompt`, and `forbidden`. `match` / `not_match` hold example commands that are tokenized and validated at load time (think of these as unit tests). ## Policy shapes - Prefix rules use Starlark syntax: ```starlark prefix_rule( pattern = ["cmd", ["alt1", "alt2"]], # ordered tokens; list entries denote alternatives decision = "prompt", # allow | prompt | forbidden; defaults to allow match = [["cmd", "alt1"]], # examples that must match this rule (enforced at compile time) not_match = [["cmd", "oops"]], # examples that must not match this rule (enforced at compile time) ) ``` ## Response shapes - Match: ```json { "match": { "decision": "allow|prompt|forbidden", "matchedRules": [ { "prefixRuleMatch": { "matchedPrefix": ["<token>", "..."], "decision": "allow|prompt|forbidden" } } ] } } ``` - No match: ```json "noMatch" ``` - `matchedRules` lists every rule whose prefix matched the command; `matchedPrefix` is the exact prefix that matched. - The effective `decision` is the strictest severity across all matches (`forbidden` > `prompt` > `allow`). --------- Co-authored-by: Michael Bolin <mbolin@openai.com>
2025-11-17 10:15:45 -08:00
})
}
feat(core) RequestRule (#9489) ## Summary Instead of trying to derive the prefix_rule for a command mechanically, let's let the model decide for us. ## Testing - [x] tested locally
2026-01-28 01:43:17 -07:00
fn as_any(&self) -> &dyn Any {
self
}
feat: execpolicy v2 (#6467) ## Summary - Introduces the `codex-execpolicy2` crate. - This PR covers only the prefix-rule subset of the planned execpolicy v2 language; a richer language will follow. ## Policy - Policy language centers on `prefix_rule(pattern=[...], decision?, match?, not_match?)`, where `pattern` is an ordered list of tokens; any element may be a list to denote alternatives. `decision` defaults to `allow`; valid values are `allow`, `prompt`, and `forbidden`. `match` / `not_match` hold example commands that are tokenized and validated at load time (think of these as unit tests). ## Policy shapes - Prefix rules use Starlark syntax: ```starlark prefix_rule( pattern = ["cmd", ["alt1", "alt2"]], # ordered tokens; list entries denote alternatives decision = "prompt", # allow | prompt | forbidden; defaults to allow match = [["cmd", "alt1"]], # examples that must match this rule (enforced at compile time) not_match = [["cmd", "oops"]], # examples that must not match this rule (enforced at compile time) ) ``` ## Response shapes - Match: ```json { "match": { "decision": "allow|prompt|forbidden", "matchedRules": [ { "prefixRuleMatch": { "matchedPrefix": ["<token>", "..."], "decision": "allow|prompt|forbidden" } } ] } } ``` - No match: ```json "noMatch" ``` - `matchedRules` lists every rule whose prefix matched the command; `matchedPrefix` is the exact prefix that matched. - The effective `decision` is the strictest severity across all matches (`forbidden` > `prompt` > `allow`). --------- Co-authored-by: Michael Bolin <mbolin@openai.com>
2025-11-17 10:15:45 -08:00
}
/// Count how many rules match each provided example and error if any example is unmatched.
pub(crate) fn validate_match_examples(rules: &[RuleRef], matches: &[Vec<String>]) -> Result<()> {
let mut unmatched_examples = Vec::new();
for example in matches {
if rules.iter().any(|rule| rule.matches(example).is_some()) {
continue;
}
unmatched_examples.push(
try_join(example.iter().map(String::as_str))
.unwrap_or_else(|_| "unable to render example".to_string()),
);
}
if unmatched_examples.is_empty() {
Ok(())
} else {
Err(Error::ExampleDidNotMatch {
rules: rules.iter().map(|rule| format!("{rule:?}")).collect(),
examples: unmatched_examples,
})
}
}
/// Ensure that no rule matches any provided negative example.
pub(crate) fn validate_not_match_examples(
rules: &[RuleRef],
not_matches: &[Vec<String>],
) -> Result<()> {
for example in not_matches {
if let Some(rule) = rules.iter().find(|rule| rule.matches(example).is_some()) {
return Err(Error::ExampleDidMatch {
rule: format!("{rule:?}"),
example: try_join(example.iter().map(String::as_str))
.unwrap_or_else(|_| "unable to render example".to_string()),
});
}
}
Ok(())
}
Reference in a new issue Copy permalink