feat: add output even in sandbox denied (#5908)

2025-10-29 18:21:18 +00:00
parent 060637b4d4
commit 3183935bd7
5 changed files with 139 additions and 52 deletions
--- a/codex-rs/core/src/tools/events.rs
+++ b/codex-rs/core/src/tools/events.rs
@@ -274,31 +274,32 @@ impl ToolEmitter {
        ctx: ToolEventCtx<'_>,
        out: Result<ExecToolCallOutput, ToolError>,
    ) -> Result<String, FunctionCallError> {
-        let event;
-        let result = match out {
+        let (event, result) = match out {
            Ok(output) => {
                let content = super::format_exec_output_for_model(&output);
                let exit_code = output.exit_code;
-                event = ToolEventStage::Success(output);
-                if exit_code == 0 {
+                let event = ToolEventStage::Success(output);
+                let result = if exit_code == 0 {
                    Ok(content)
                } else {
                    Err(FunctionCallError::RespondToModel(content))
-                }
+                };
+                (event, result)
            }
            Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Timeout { output })))
            | Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied { output }))) => {
                let response = super::format_exec_output_for_model(&output);
-                event = ToolEventStage::Failure(ToolEventFailure::Output(*output));
-                Err(FunctionCallError::RespondToModel(response))
+                let event = ToolEventStage::Failure(ToolEventFailure::Output(*output));
+                let result = Err(FunctionCallError::RespondToModel(response));
+                (event, result)
            }
            Err(ToolError::Codex(err)) => {
                let message = format!("execution error: {err:?}");
-                let response = message.clone();
-                event = ToolEventStage::Failure(ToolEventFailure::Message(message));
-                Err(FunctionCallError::RespondToModel(response))
+                let event = ToolEventStage::Failure(ToolEventFailure::Message(message.clone()));
+                let result = Err(FunctionCallError::RespondToModel(message));
+                (event, result)
            }
-            Err(ToolError::Rejected(msg)) | Err(ToolError::SandboxDenied(msg)) => {
+            Err(ToolError::Rejected(msg)) => {
                // Normalize common rejection messages for exec tools so tests and
                // users see a clear, consistent phrase.
                let normalized = if msg == "rejected by user" {
@@ -306,9 +307,9 @@ impl ToolEmitter {
                } else {
                    msg
                };
-                let response = &normalized;
-                event = ToolEventStage::Failure(ToolEventFailure::Message(normalized.clone()));
-                Err(FunctionCallError::RespondToModel(response.clone()))
+                let event = ToolEventStage::Failure(ToolEventFailure::Message(normalized.clone()));
+                let result = Err(FunctionCallError::RespondToModel(normalized));
+                (event, result)
            }
        };
        self.emit(ctx, event).await;
--- a/codex-rs/core/src/tools/orchestrator.rs
+++ b/codex-rs/core/src/tools/orchestrator.rs
@@ -98,15 +98,16 @@ impl ToolOrchestrator {
            }
            Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied { output }))) => {
                if !tool.escalate_on_failure() {
-                    return Err(ToolError::SandboxDenied(
-                        "sandbox denied and no retry".to_string(),
-                    ));
+                    return Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied {
+                        output,
+                    })));
                }
-                // Under `Never` or `OnRequest`, do not retry without sandbox; surface a concise message
-                // derived from the actual output (platform-agnostic).
+                // Under `Never` or `OnRequest`, do not retry without sandbox; surface a concise
+                // sandbox denial that preserves the original output.
                if !tool.wants_no_sandbox_approval(approval_policy) {
-                    let msg = build_never_denied_message_from_output(output.as_ref());
-                    return Err(ToolError::SandboxDenied(msg));
+                    return Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied {
+                        output,
+                    })));
                }

                // Ask for approval before retrying without sandbox.
@@ -167,29 +168,6 @@ impl ToolOrchestrator {
    }
 }

-fn build_never_denied_message_from_output(output: &ExecToolCallOutput) -> String {
-    let body = format!(
-        "{}\n{}\n{}",
-        output.stderr.text, output.stdout.text, output.aggregated_output.text
-    )
-    .to_lowercase();
-
-    let detail = if body.contains("permission denied") {
-        Some("Permission denied")
-    } else if body.contains("operation not permitted") {
-        Some("Operation not permitted")
-    } else if body.contains("read-only file system") {
-        Some("Read-only file system")
-    } else {
-        None
-    };
-
-    match detail {
-        Some(tag) => format!("failed in sandbox: {tag}"),
-        None => "failed in sandbox".to_string(),
-    }
-}
-
 fn build_denial_reason_from_output(_output: &ExecToolCallOutput) -> String {
    // Keep approval reason terse and stable for UX/tests, but accept the
    // output so we can evolve heuristics later without touching call sites.
--- a/codex-rs/core/src/tools/sandboxing.rs
+++ b/codex-rs/core/src/tools/sandboxing.rs
@@ -173,7 +173,6 @@ pub(crate) trait ProvidesSandboxRetryData {
 #[derive(Debug)]
 pub(crate) enum ToolError {
    Rejected(String),
-    SandboxDenied(String),
    Codex(CodexErr),
 }