feat: introduce codex_execpolicy crate for defining "safe" commands (#634)
As described in detail in `codex-rs/execpolicy/README.md` introduced in
this PR, `execpolicy` is a tool that lets you define a set of _patterns_
used to match [`execv(3)`](https://linux.die.net/man/3/execv)
invocations. When a pattern is matched, `execpolicy` returns the parsed
version in a structured form that is amenable to static analysis.
The primary use case is to define patterns match commands that should be
auto-approved by a tool such as Codex. This supports a richer pattern
matching mechanism that the sort of prefix-matching we have done to
date, e.g.:
5e40d9d221/codex-cli/src/approvals.ts (L333-L354)
Note we are still playing with the API and the `system_path` option in
particular still needs some work.
This commit is contained in:
Michael Bolin
GitHub
9
codex-rs/execpolicy/tests/good.rs
Normal file
9
codex-rs/execpolicy/tests/good.rs
Normal file
@@ -0,0 +1,9 @@
|
||||
use codex_execpolicy::get_default_policy;
|
||||
use codex_execpolicy::PositiveExampleFailedCheck;
|
||||
|
||||
#[test]
|
||||
fn verify_everything_in_good_list_is_allowed() {
|
||||
let policy = get_default_policy().expect("failed to load default policy");
|
||||
let violations = policy.check_each_good_list_individually();
|
||||
assert_eq!(Vec::<PositiveExampleFailedCheck>::new(), violations);
|
||||
}
|
||||
Reference in New Issue
Block a user