Revert "Load untrusted rules" (#10536)

Reverts openai/codex#9791
2026-02-03 11:38:44 -08:00 · 2026-02-03 11:38:44 -08:00 · 1dcce204fc
commit 1dcce204fc
parent 66b196a725
1 changed files with 8 additions and 12 deletions
--- a/codex-rs/core/src/exec_policy.rs
+++ b/codex-rs/core/src/exec_policy.rs
@ -248,9 +248,7 @@ pub async fn load_exec_policy(config_stack: &ConfigLayerStack) -> Result<Policy,
    // from each layer, so that higher-precedence layers can override
    // rules defined in lower-precedence ones.
    let mut policy_paths = Vec::new();
-    // Include disabled project layers so .codex/rules still applies when
-    // project config.toml is trust-disabled.
-    for layer in config_stack.get_layers(ConfigLayerStackOrdering::LowestPrecedenceFirst, true) {
+    for layer in config_stack.get_layers(ConfigLayerStackOrdering::LowestPrecedenceFirst, false) {
        if let Some(config_folder) = layer.config_folder() {
            #[expect(clippy::expect_used)]
            let policy_dir = config_folder.join(RULES_DIR_NAME).expect("safe join");
@ -684,12 +682,12 @@ mod tests {
    }

    #[tokio::test]
-    async fn loads_rules_from_disabled_project_layers() -> anyhow::Result<()> {
+    async fn ignores_rules_from_untrusted_project_layers() -> anyhow::Result<()> {
        let project_dir = tempdir()?;
        let policy_dir = project_dir.path().join(RULES_DIR_NAME);
        fs::create_dir_all(&policy_dir)?;
        fs::write(
-            policy_dir.join("disabled.rules"),
+            policy_dir.join("untrusted.rules"),
            r#"prefix_rule(pattern=["ls"], decision="forbidden")"#,
        )?;

@ -699,7 +697,7 @@ mod tests {
                dot_codex_folder: project_dot_codex_folder,
            },
            TomlValue::Table(Default::default()),
-            "trust disabled",
+            "marked untrusted",
        )];
        let config_stack = ConfigLayerStack::new(
            layers,
@ -711,16 +709,14 @@ mod tests {

        assert_eq!(
            Evaluation {
-                decision: Decision::Forbidden,
-                matched_rules: vec![RuleMatch::PrefixRuleMatch {
-                    matched_prefix: vec!["ls".to_string()],
-                    decision: Decision::Forbidden,
-                    justification: None,
+                decision: Decision::Allow,
+                matched_rules: vec![RuleMatch::HeuristicsRuleMatch {
+                    command: vec!["ls".to_string()],
+                    decision: Decision::Allow,
                }],
            },
            policy.check_multiple([vec!["ls".to_string()]].iter(), &|_| Decision::Allow)
        );
-
        Ok(())
    }