fix: ensure cwd for conversation and sandbox are separate concerns (#3874)

Previous to this PR, both of these functions take a single `cwd`:


71038381aa/codex-rs/core/src/seatbelt.rs (L19-L25)


71038381aa/codex-rs/core/src/landlock.rs (L16-L23)

whereas `cwd` and `sandbox_cwd` should be set independently (fixed in
this PR).

Added `sandbox_distinguishes_command_and_policy_cwds()` to
`codex-rs/exec/tests/suite/sandbox.rs` to verify this.

codex-rs/core/tests/suite/exec.rs

@@ -39,7 +39,7 @@ async fn run_test_cmd(tmp: TempDir, cmd: Vec<&str>) -> Result<ExecToolCallOutput
 
     let policy = SandboxPolicy::new_read_only_policy();
 
-    process_exec_tool_call(params, sandbox_type, &policy, &None, None).await
+    process_exec_tool_call(params, sandbox_type, &policy, tmp.path(), &None, None).await
 }
 
 /// Command succeeds with exit code 0 normally

codex-rs/core/tests/suite/exec_stream_events.rs

@@ -49,9 +49,10 @@ async fn test_exec_stdout_stream_events_echo() {
         "printf 'hello-world\n'".to_string(),
     ];
 
+    let cwd = std::env::current_dir().unwrap_or_else(|_| PathBuf::from("."));
     let params = ExecParams {
         command: cmd,
-        cwd: std::env::current_dir().unwrap_or_else(|_| PathBuf::from(".")),
+        cwd: cwd.clone(),
         timeout_ms: Some(5_000),
         env: HashMap::new(),
         with_escalated_permissions: None,
@@ -64,6 +65,7 @@ async fn test_exec_stdout_stream_events_echo() {
         params,
         SandboxType::None,
         &policy,
+        cwd.as_path(),
         &None,
         Some(stdout_stream),
     )
@@ -99,9 +101,10 @@ async fn test_exec_stderr_stream_events_echo() {
         "printf 'oops\n' 1>&2".to_string(),
     ];
 
+    let cwd = std::env::current_dir().unwrap_or_else(|_| PathBuf::from("."));
     let params = ExecParams {
         command: cmd,
-        cwd: std::env::current_dir().unwrap_or_else(|_| PathBuf::from(".")),
+        cwd: cwd.clone(),
         timeout_ms: Some(5_000),
         env: HashMap::new(),
         with_escalated_permissions: None,
@@ -114,6 +117,7 @@ async fn test_exec_stderr_stream_events_echo() {
         params,
         SandboxType::None,
         &policy,
+        cwd.as_path(),
         &None,
         Some(stdout_stream),
     )
@@ -152,9 +156,10 @@ async fn test_aggregated_output_interleaves_in_order() {
         "printf 'O1\\n'; sleep 0.01; printf 'E1\\n' 1>&2; sleep 0.01; printf 'O2\\n'; sleep 0.01; printf 'E2\\n' 1>&2".to_string(),
     ];
 
+    let cwd = std::env::current_dir().unwrap_or_else(|_| PathBuf::from("."));
     let params = ExecParams {
         command: cmd,
-        cwd: std::env::current_dir().unwrap_or_else(|_| PathBuf::from(".")),
+        cwd: cwd.clone(),
         timeout_ms: Some(5_000),
         env: HashMap::new(),
         with_escalated_permissions: None,
@@ -163,9 +168,16 @@ async fn test_aggregated_output_interleaves_in_order() {
 
     let policy = SandboxPolicy::new_read_only_policy();
 
-    let result = process_exec_tool_call(params, SandboxType::None, &policy, &None, None)
-        .await
-        .expect("process_exec_tool_call");
+    let result = process_exec_tool_call(
+        params,
+        SandboxType::None,
+        &policy,
+        cwd.as_path(),
+        &None,
+        None,
+    )
+    .await
+    .expect("process_exec_tool_call");
 
     assert_eq!(result.exit_code, 0);
     assert_eq!(result.stdout.text, "O1\nO2\n");
@@ -182,9 +194,10 @@ async fn test_exec_timeout_returns_partial_output() {
         "printf 'before\\n'; sleep 2; printf 'after\\n'".to_string(),
     ];
 
+    let cwd = std::env::current_dir().unwrap_or_else(|_| PathBuf::from("."));
     let params = ExecParams {
         command: cmd,
-        cwd: std::env::current_dir().unwrap_or_else(|_| PathBuf::from(".")),
+        cwd: cwd.clone(),
         timeout_ms: Some(200),
         env: HashMap::new(),
         with_escalated_permissions: None,
@@ -193,7 +206,15 @@ async fn test_exec_timeout_returns_partial_output() {
 
     let policy = SandboxPolicy::new_read_only_policy();
 
-    let result = process_exec_tool_call(params, SandboxType::None, &policy, &None, None).await;
+    let result = process_exec_tool_call(
+        params,
+        SandboxType::None,
+        &policy,
+        cwd.as_path(),
+        &None,
+        None,
+    )
+    .await;
 
     let Err(CodexErr::Sandbox(SandboxErr::Timeout { output })) = result else {
         panic!("expected timeout error");

codex-rs/core/tests/suite/seatbelt.rs

@@ -171,6 +171,8 @@ async fn python_getpwuid_works_under_seatbelt() {
 
     // ReadOnly is sufficient here since we are only exercising user lookup.
     let policy = SandboxPolicy::ReadOnly;
+    let command_cwd = std::env::current_dir().expect("getcwd");
+    let sandbox_cwd = command_cwd.clone();
 
     let mut child = spawn_command_under_seatbelt(
         vec![
@@ -179,8 +181,9 @@ async fn python_getpwuid_works_under_seatbelt() {
             // Print the passwd struct; success implies lookup worked.
             "import pwd, os; print(pwd.getpwuid(os.getuid()))".to_string(),
         ],
+        command_cwd,
         &policy,
-        std::env::current_dir().expect("should be able to get current dir"),
+        sandbox_cwd.as_path(),
         StdioPolicy::RedirectForShellTool,
         HashMap::new(),
     )
@@ -216,13 +219,16 @@ fn create_test_scenario(tmp: &TempDir) -> TestScenario {
 /// Note that `path` must be absolute.
 async fn touch(path: &Path, policy: &SandboxPolicy) -> bool {
     assert!(path.is_absolute(), "Path must be absolute: {path:?}");
+    let command_cwd = std::env::current_dir().expect("getcwd");
+    let sandbox_cwd = command_cwd.clone();
     let mut child = spawn_command_under_seatbelt(
         vec![
             "/usr/bin/touch".to_string(),
             path.to_string_lossy().to_string(),
         ],
+        command_cwd,
         policy,
-        std::env::current_dir().expect("should be able to get current dir"),
+        sandbox_cwd.as_path(),
         StdioPolicy::RedirectForShellTool,
         HashMap::new(),
     )