feat: introduce codex_execpolicy crate for defining "safe" commands (#634)

As described in detail in `codex-rs/execpolicy/README.md` introduced in this PR, `execpolicy` is a tool that lets you define a set of _patterns_ used to match [`execv(3)`](https://linux.die.net/man/3/execv) invocations. When a pattern is matched, `execpolicy` returns the parsed version in a structured form that is amenable to static analysis. The primary use case is to define patterns match commands that should be auto-approved by a tool such as Codex. This supports a richer pattern matching mechanism that the sort of prefix-matching we have done to date, e.g.: 5e40d9d221/codex-cli/src/approvals.ts (L333-L354) Note we are still playing with the API and the `system_path` option in particular still needs some work.
2025-04-24 17:14:47 -07:00
parent 5e40d9d221
commit 58f0e5ab74
29 changed files with 3830 additions and 47 deletions
--- a/codex-rs/execpolicy/src/opt.rs
+++ b/codex-rs/execpolicy/src/opt.rs
@@ -0,0 +1,77 @@
+#![allow(clippy::needless_lifetimes)]
+
+use crate::starlark::values::ValueLike;
+use crate::ArgType;
+use allocative::Allocative;
+use derive_more::derive::Display;
+use starlark::any::ProvidesStaticType;
+use starlark::values::starlark_value;
+use starlark::values::AllocValue;
+use starlark::values::Heap;
+use starlark::values::NoSerialize;
+use starlark::values::StarlarkValue;
+use starlark::values::UnpackValue;
+use starlark::values::Value;
+
+/// Command line option that takes a value.
+#[derive(Clone, Debug, Display, PartialEq, Eq, ProvidesStaticType, NoSerialize, Allocative)]
+#[display("opt({})", opt)]
+pub struct Opt {
+    /// The option as typed on the command line, e.g., `-h` or `--help`. If
+    /// it can be used in the `--name=value` format, then this should be
+    /// `--name` (though this is subject to change).
+    pub opt: String,
+    pub meta: OptMeta,
+    pub required: bool,
+}
+
+/// When defining an Opt, use as specific an OptMeta as possible.
+#[derive(Clone, Debug, Display, PartialEq, Eq, ProvidesStaticType, NoSerialize, Allocative)]
+#[display("{}", self)]
+pub enum OptMeta {
+    /// Option does not take a value.
+    Flag,
+
+    /// Option takes a single value matching the specified type.
+    Value(ArgType),
+}
+
+impl Opt {
+    pub fn new(opt: String, meta: OptMeta, required: bool) -> Self {
+        Self {
+            opt,
+            meta,
+            required,
+        }
+    }
+
+    pub fn name(&self) -> &str {
+        &self.opt
+    }
+}
+
+#[starlark_value(type = "Opt")]
+impl<'v> StarlarkValue<'v> for Opt {
+    type Canonical = Opt;
+}
+
+impl<'v> UnpackValue<'v> for Opt {
+    type Error = starlark::Error;
+
+    fn unpack_value_impl(value: Value<'v>) -> starlark::Result<Option<Self>> {
+        // TODO(mbolin): It fels like this should be doable without cloning?
+        // Cannot simply consume the value?
+        Ok(value.downcast_ref::<Opt>().cloned())
+    }
+}
+
+impl<'v> AllocValue<'v> for Opt {
+    fn alloc_value(self, heap: &'v Heap) -> Value<'v> {
+        heap.alloc_simple(self)
+    }
+}
+
+#[starlark_value(type = "OptMeta")]
+impl<'v> StarlarkValue<'v> for OptMeta {
+    type Canonical = OptMeta;
+}