From 1dcce204fcf86ed60e65eb9f6f08dd7c0ccae4ae Mon Sep 17 00:00:00 2001
From: viyatb-oai <viyatb@openai.com>
Date: Tue, 3 Feb 2026 11:38:44 -0800
Subject: [PATCH] Revert "Load untrusted rules" (#10536)

Reverts openai/codex#9791
---
 codex-rs/core/src/exec_policy.rs | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/codex-rs/core/src/exec_policy.rs b/codex-rs/core/src/exec_policy.rs
index a2e1e8d40..2ae5a08e4 100644
--- a/codex-rs/core/src/exec_policy.rs
+++ b/codex-rs/core/src/exec_policy.rs
@@ -248,9 +248,7 @@ pub async fn load_exec_policy(config_stack: &ConfigLayerStack) -> Result<Policy,
     // from each layer, so that higher-precedence layers can override
     // rules defined in lower-precedence ones.
     let mut policy_paths = Vec::new();
-    // Include disabled project layers so .codex/rules still applies when
-    // project config.toml is trust-disabled.
-    for layer in config_stack.get_layers(ConfigLayerStackOrdering::LowestPrecedenceFirst, true) {
+    for layer in config_stack.get_layers(ConfigLayerStackOrdering::LowestPrecedenceFirst, false) {
         if let Some(config_folder) = layer.config_folder() {
             #[expect(clippy::expect_used)]
             let policy_dir = config_folder.join(RULES_DIR_NAME).expect("safe join");
@@ -684,12 +682,12 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn loads_rules_from_disabled_project_layers() -> anyhow::Result<()> {
+    async fn ignores_rules_from_untrusted_project_layers() -> anyhow::Result<()> {
         let project_dir = tempdir()?;
         let policy_dir = project_dir.path().join(RULES_DIR_NAME);
         fs::create_dir_all(&policy_dir)?;
         fs::write(
-            policy_dir.join("disabled.rules"),
+            policy_dir.join("untrusted.rules"),
             r#"prefix_rule(pattern=["ls"], decision="forbidden")"#,
         )?;
 
@@ -699,7 +697,7 @@ mod tests {
                 dot_codex_folder: project_dot_codex_folder,
             },
             TomlValue::Table(Default::default()),
-            "trust disabled",
+            "marked untrusted",
         )];
         let config_stack = ConfigLayerStack::new(
             layers,
@@ -711,16 +709,14 @@ mod tests {
 
         assert_eq!(
             Evaluation {
-                decision: Decision::Forbidden,
-                matched_rules: vec![RuleMatch::PrefixRuleMatch {
-                    matched_prefix: vec!["ls".to_string()],
-                    decision: Decision::Forbidden,
-                    justification: None,
+                decision: Decision::Allow,
+                matched_rules: vec![RuleMatch::HeuristicsRuleMatch {
+                    command: vec!["ls".to_string()],
+                    decision: Decision::Allow,
                 }],
             },
             policy.check_multiple([vec!["ls".to_string()]].iter(), &|_| Decision::Allow)
         );
-
         Ok(())
     }