History

zhao-oai a941ae7632 feat: execpolicy v2 (#6467 ) ## Summary - Introduces the `codex-execpolicy2` crate. - This PR covers only the prefix-rule subset of the planned execpolicy v2 language; a richer language will follow. ## Policy - Policy language centers on `prefix_rule(pattern=[...], decision?, match?, not_match?)`, where `pattern` is an ordered list of tokens; any element may be a list to denote alternatives. `decision` defaults to `allow`; valid values are `allow`, `prompt`, and `forbidden`. `match` / `not_match` hold example commands that are tokenized and validated at load time (think of these as unit tests). ## Policy shapes - Prefix rules use Starlark syntax: ```starlark prefix_rule( pattern = ["cmd", ["alt1", "alt2"]], # ordered tokens; list entries denote alternatives decision = "prompt", # allow \| prompt \| forbidden; defaults to allow match = [["cmd", "alt1"]], # examples that must match this rule (enforced at compile time) not_match = [["cmd", "oops"]], # examples that must not match this rule (enforced at compile time) ) ``` ## Response shapes - Match: ```json { "match": { "decision": "allow\|prompt\|forbidden", "matchedRules": [ { "prefixRuleMatch": { "matchedPrefix": ["<token>", "..."], "decision": "allow\|prompt\|forbidden" } } ] } } ``` - No match: ```json "noMatch" ``` - `matchedRules` lists every rule whose prefix matched the command; `matchedPrefix` is the exact prefix that matched. - The effective `decision` is the strictest severity across all matches (`forbidden` > `prompt` > `allow`). --------- Co-authored-by: Michael Bolin <mbolin@openai.com>		2025-11-17 10:15:45 -08:00
..
examples	feat: execpolicy v2 (#6467 )	2025-11-17 10:15:45 -08:00
src	feat: execpolicy v2 (#6467 )	2025-11-17 10:15:45 -08:00
tests	feat: execpolicy v2 (#6467 )	2025-11-17 10:15:45 -08:00
Cargo.toml	feat: execpolicy v2 (#6467 )	2025-11-17 10:15:45 -08:00
README.md	feat: execpolicy v2 (#6467 )	2025-11-17 10:15:45 -08:00

README.md

codex-execpolicy2

Overview

Policy engine and CLI built around prefix_rule(pattern=[...], decision?, match?, not_match?).
This release covers only the prefix-rule subset of the planned execpolicy v2 language; a richer language will follow.
Tokens are matched in order; any pattern element may be a list to denote alternatives. decision defaults to allow; valid values: allow, prompt, forbidden.
match / not_match supply example invocations that are validated at load time (think of them as unit tests); examples can be token arrays or strings (strings are tokenized with shlex).
The CLI always prints the JSON serialization of the evaluation result (whether a match or not).

Policy shapes

Prefix rules use Starlark syntax:

prefix_rule(
    pattern = ["cmd", ["alt1", "alt2"]], # ordered tokens; list entries denote alternatives
    decision = "prompt",                 # allow | prompt | forbidden; defaults to allow
    match = [["cmd", "alt1"], "cmd alt2"],           # examples that must match this rule
    not_match = [["cmd", "oops"], "cmd alt3"],       # examples that must not match this rule
)

Response shapes

Match:

{
  "match": {
    "decision": "allow|prompt|forbidden",
    "matchedRules": [
      {
        "prefixRuleMatch": {
          "matchedPrefix": ["<token>", "..."],
          "decision": "allow|prompt|forbidden"
        }
      }
    ]
  }
}

No match:

"noMatch"

matchedRules lists every rule whose prefix matched the command; matchedPrefix is the exact prefix that matched.
The effective decision is the strictest severity across all matches (forbidden > prompt > allow).

CLI

Provide a policy file (for example src/default.codexpolicy) to check a command:

cargo run -p codex-execpolicy2 -- check --policy path/to/policy.codexpolicy git status

Example outcomes:
- Match: {"match": { ... "decision": "allow" ... }}
- No match: "noMatch"