core/core-agent-ide
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
core-agent-ide/codex-rs/shell-escalation
History
Michael Bolin af215eb390
refactor: decouple shell-escalation from codex-core (#12638) 
## Why

After removing `exec-server`, the next step is to wire a new shell tool
to `codex-rs/shell-escalation` directly.

That is blocked while `codex-shell-escalation` depends on `codex-core`,
because the new integration would require `codex-core` to depend on
`codex-shell-escalation` and create a dependency cycle.

This change ports the reusable pieces from the earlier prep work, but
drops the old compatibility shim because `exec-server`/MCP support is
already gone.

## What Changed

### Decouple `shell-escalation` from `codex-core`

- Introduce a crate-local `SandboxState` in `shell-escalation`
- Introduce a `ShellCommandExecutor` trait so callers provide process
execution/sandbox integration
- Update `EscalateServer::exec(...)` and `run_escalate_server(...)` to
use the injected executor
- Remove the direct `codex_core::exec::process_exec_tool_call(...)` call
from `shell-escalation`
- Remove the `codex-core` dependency from `codex-shell-escalation`

### Restore reusable policy adapter exports

- Re-enable `unix::core_shell_escalation`
- Export `ShellActionProvider` and `ShellPolicyFactory` from
`shell-escalation`
- Keep the crate root API simple (no `legacy_api` compatibility layer)

### Port socket fixes from the earlier prep commit

- Use `socket2::Socket::pair_raw(...)` for AF_UNIX socketpairs and
restore `CLOEXEC` explicitly on both endpoints
- Keep `CLOEXEC` cleared only on the single datagram client FD that is
intentionally passed across `exec`
- Clean up `tokio::AsyncFd::try_io(...)` error handling in the socket
helpers

## Verification

- `cargo shear`
- `cargo clippy -p codex-shell-escalation --tests`
- `cargo test -p codex-shell-escalation`
2026-02-23 20:58:24 -08:00
..
src refactor: decouple shell-escalation from codex-core (#12638) 2026-02-23 20:58:24 -08:00
BUILD.bazel refactor: normalize unix module layout for exec-server and shell-escalation (#12556) 2026-02-23 09:28:17 -08:00
Cargo.toml refactor: decouple shell-escalation from codex-core (#12638) 2026-02-23 20:58:24 -08:00
README.md refactor: delete exec-server and move execve wrapper into shell-escalation (#12632) 2026-02-23 20:10:22 -08:00

README.md

codex-shell-escalation

This crate contains the Unix shell-escalation protocol implementation and the codex-execve-wrapper executable.

codex-execve-wrapper receives the arguments to an intercepted execve(2) call and delegates the decision to the shell-escalation protocol over a shared file descriptor (specified by the CODEX_ESCALATE_SOCKET environment variable). The server on the other side replies with one of:

  • Run: codex-execve-wrapper should invoke execve(2) on itself to run the original command within the sandboxed shell.
  • Escalate: forward the file descriptors of the current process so the command can be run faithfully outside the sandbox. When the process completes, the server forwards the exit code back to codex-execve-wrapper.
  • Deny: the server has declared the proposed command to be forbidden, so codex-execve-wrapper prints an error to stderr and exits with 1.

Patched Bash

We carry a small patch to execute_cmd.c (see patches/bash-exec-wrapper.patch) that adds support for EXEC_WRAPPER. The original commit message is “add support for BASH_EXEC_WRAPPER” and the patch applies cleanly to a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b from https://github.com/bminor/bash. To rebuild manually:

git clone https://github.com/bminor/bash
git checkout a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
git apply /path/to/patches/bash-exec-wrapper.patch
./configure --without-bash-malloc
make -j"$(nproc)"