core-agent-ide/codex-rs/cli/src
Jeremy Rose 0271c20d8f
add codex debug seatbelt --log-denials (#4098)
This adds a debugging tool for analyzing why certain commands fail to
execute under the sandbox.

Example output:

```
$ codex debug seatbelt --log-denials bash -lc "(echo foo > ~/foo.txt)"
bash: /Users/nornagon/foo.txt: Operation not permitted

=== Sandbox denials ===
(bash) file-write-data /dev/tty
(bash) file-write-data /dev/ttys001
(bash) sysctl-read kern.ngroups
(bash) file-write-create /Users/nornagon/foo.txt
```

It operates by:

1. spawning `log stream` to watch system logs, and
2. tracking all descendant PIDs using kqueue + proc_listchildpids.

This is a "best-effort" technique, as `log stream` may drop logs(?), and
kqueue + proc_listchildpids isn't atomic and can end up missing very
short-lived processes. But it works well enough in my testing to be
useful :)
2025-11-10 22:48:14 +00:00
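
The two steps in the commit message meet at one point: each log message is attributed to the sandboxed command only if its PID is in the tracked descendant set. The sketch below is an added example, not code from this commit or the codex project. It assumes the sandbox kernel message has the shape `Sandbox: NAME(PID) deny(N) OPERATION TARGET`; the names `Denial`, `parse_denial` and `denials_for`, the PIDs and the sample messages are constructed for illustration.

```rust
use std::collections::HashSet;

/// One denial attributed to a tracked process, printed as "(name) capability".
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct Denial {
    pub name: String,
    pub capability: String,
}

/// Parse one message of the assumed shape "Sandbox: NAME(PID) deny(N) CAPABILITY".
fn parse_denial(msg: &str) -> Option<(i32, Denial)> {
    let rest = msg.trim().strip_prefix("Sandbox:")?.trim_start();
    let (proc_part, tail) = rest.split_once(" deny(")?;
    let (_, capability) = tail.split_once(") ")?;
    // Process names may themselves contain '(', so split at the last one.
    let (name, pid) = proc_part.strip_suffix(')')?.rsplit_once('(')?;
    let denial = Denial { name: name.to_string(), capability: capability.trim().to_string() };
    Some((pid.parse().ok()?, denial))
}

/// Keep denials whose PID is in the tracked descendant set, dropping repeats
/// and preserving first-seen order. A denial from a child that exited before
/// PID tracking saw it is not in `tracked` and is dropped here, which is the
/// "best-effort" gap the commit message describes.
pub fn denials_for(tracked: &HashSet<i32>, messages: &[&str]) -> Vec<Denial> {
    let mut seen = HashSet::new();
    let mut out = Vec::new();
    for (pid, denial) in messages.iter().filter_map(|m| parse_denial(m)) {
        if tracked.contains(&pid) && seen.insert(denial.clone()) {
            out.push(denial);
        }
    }
    out
}

fn main() {
    // Constructed sample messages; PID 77 belongs to an unrelated process.
    let messages = [
        "Sandbox: bash(4101) deny(1) file-write-data /dev/tty",
        "Sandbox: mdworker(77) deny(1) file-read-data /private/tmp/x",
        "Sandbox: bash(4102) deny(1) file-write-create /Users/example/foo.txt",
        "Sandbox: bash(4101) deny(1) file-write-data /dev/tty",
    ];
    let tracked: HashSet<i32> = vec![4101, 4102].into_iter().collect();
    for d in denials_for(&tracked, &messages) {
        println!("({}) {}", d.name, d.capability);
    }
}
```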

| Name | Last commit | Date |
| --- | --- | --- |
| .. | | |
| debug_sandbox | add codex debug seatbelt --log-denials (#4098) | 2025-11-10 22:48:14 +00:00 |
| debug_sandbox.rs | add codex debug seatbelt --log-denials (#4098) | 2025-11-10 22:48:14 +00:00 |
| exit_status.rs | feat: experimental env var: CODEX_SANDBOX_NETWORK_DISABLED (#879) | 2025-05-09 18:29:34 -07:00 |
| lib.rs | add codex debug seatbelt --log-denials (#4098) | 2025-11-10 22:48:14 +00:00 |
| login.rs | [Auth] Choose which auth storage to use based on config (#5792) | 2025-10-27 19:41:49 -07:00 |
| main.rs | fix: update brew auto update version check (#6238) | 2025-11-10 09:05:00 -08:00 |
| mcp_cmd.rs | fix: Update the deprecation message to link to the docs (#6211) | 2025-11-04 21:02:27 +00:00 |
| wsl_paths.rs | fix(wsl): normalize Windows paths during update (#6086) (#6097) | 2025-11-07 14:49:17 -08:00 |