Phase 1: Repository & Infrastructure Setup

- Renamed directories: codex-rs -> llmx-rs, codex-cli -> llmx-cli
- Updated package.json files:
  - Root: llmx-monorepo
  - CLI: @llmx/llmx
  - SDK: @llmx/llmx-sdk
- Updated pnpm workspace configuration
- Renamed binary: codex.js -> llmx.js
- Updated environment variables: CODEX_* -> LLMX_*
- Changed repository URLs to valknar/llmx

🤖 Generated with Claude Code

llmx-rs/execpolicy/src/default.policy

@@ -0,0 +1,202 @@
+"""
+define_program() supports the following arguments:
+- program: the name of the program
+- system_path: list of absolute paths on the system where program can likely be found
+- option_bundling (PLANNED): whether to allow bundling of options (e.g. `-al` for `-a -l`)
+- combine_format (PLANNED): whether to allow `--option=value` (as opposed to `--option value`)
+- options: the command-line flags/options: use flag() and opt() to define these
+- args: the rules for what arguments are allowed that are not "options"
+- should_match: list of command-line invocations that should be matched by the rule
+- should_not_match: list of command-line invocations that should not be matched by the rule
+"""
+
+define_program(
+    program="ls",
+    system_path=["/bin/ls", "/usr/bin/ls"],
+    options=[
+        flag("-1"),
+        flag("-a"),
+        flag("-l"),
+    ],
+    args=[ARG_RFILES_OR_CWD],
+)
+
+define_program(
+    program="cat",
+    options=[
+        flag("-b"),
+        flag("-n"),
+        flag("-t"),
+    ],
+    system_path=["/bin/cat", "/usr/bin/cat"],
+    args=[ARG_RFILES],
+    should_match=[
+        ["file.txt"],
+        ["-n", "file.txt"],
+        ["-b", "file.txt"],
+    ],
+    should_not_match=[
+        # While cat without args is valid, it will read from stdin, which
+        # does not seem appropriate for our current use case.
+        [],
+        # Let's not auto-approve advisory locking.
+        ["-l", "file.txt"],
+    ]
+)
+
+define_program(
+    program="cp",
+    options=[
+        flag("-r"),
+        flag("-R"),
+        flag("--recursive"),
+    ],
+    args=[ARG_RFILES, ARG_WFILE],
+    system_path=["/bin/cp", "/usr/bin/cp"],
+    should_match=[
+        ["foo", "bar"],
+    ],
+    should_not_match=[
+        ["foo"],
+    ],
+)
+
+define_program(
+    program="head",
+    system_path=["/bin/head", "/usr/bin/head"],
+    options=[
+        opt("-c", ARG_POS_INT),
+        opt("-n", ARG_POS_INT),
+    ],
+    args=[ARG_RFILES],
+)
+
+printenv_system_path = ["/usr/bin/printenv"]
+
+# Print all environment variables.
+define_program(
+    program="printenv",
+    args=[],
+    system_path=printenv_system_path,
+    # This variant of `printenv` only allows zero args.
+    should_match=[[]],
+    should_not_match=[["PATH"]],
+)
+
+# Print a specific environment variable.
+define_program(
+    program="printenv",
+    args=[ARG_OPAQUE_VALUE],
+    system_path=printenv_system_path,
+    # This variant of `printenv` only allows exactly one arg.
+    should_match=[["PATH"]],
+    should_not_match=[[], ["PATH", "HOME"]],
+)
+
+# Note that `pwd` is generally implemented as a shell built-in. It does not
+# accept any arguments.
+define_program(
+    program="pwd",
+    options=[
+        flag("-L"),
+        flag("-P"),
+    ],
+    args=[],
+)
+
+define_program(
+    program="rg",
+    options=[
+        opt("-A", ARG_POS_INT),
+        opt("-B", ARG_POS_INT),
+        opt("-C", ARG_POS_INT),
+        opt("-d", ARG_POS_INT),
+        opt("--max-depth", ARG_POS_INT),
+        opt("-g", ARG_OPAQUE_VALUE),
+        opt("--glob", ARG_OPAQUE_VALUE),
+        opt("-m", ARG_POS_INT),
+        opt("--max-count", ARG_POS_INT),
+
+        flag("-n"),
+        flag("-i"),
+        flag("-l"),
+        flag("--files"),
+        flag("--files-with-matches"),
+        flag("--files-without-match"),
+    ],
+    args=[ARG_OPAQUE_VALUE, ARG_RFILES_OR_CWD],
+    should_match=[
+        ["-n", "init"],
+        ["-n", "init", "."],
+        ["-i", "-n", "init", "src"],
+        ["--files", "--max-depth", "2", "."],
+    ],
+    should_not_match=[
+        ["-m", "-n", "init"],
+        ["--glob", "src"],
+    ],
+    # TODO(mbolin): Perhaps we need a way to indicate that we expect `rg` to be
+    # bundled with the host environment and we should be using that version.
+    system_path=[],
+)
+
+# Unfortunately, `sed` is difficult to secure because GNU sed supports an `e`
+# flag where `s/pattern/replacement/e` would run `replacement` as a shell
+# command every time `pattern` is matched. For example, try the following on
+# Ubuntu (which uses GNU sed, unlike macOS):
+#
+# ```shell
+# $ yes | head -n 4 > /tmp/yes.txt
+# $ sed 's/y/echo hi/e' /tmp/yes.txt
+# hi
+# hi
+# hi
+# hi
+# ```
+#
+# As you can see, `echo hi` got executed four times. In order to support some
+# basic sed functionality, we implement a bespoke `ARG_SED_COMMAND` that matches
+# only "known safe" sed commands.
+common_sed_flags = [
+    # We deliberately do not support -i or -f.
+    flag("-n"),
+    flag("-u"),
+]
+sed_system_path = ["/usr/bin/sed"]
+
+# When -e is not specified, the first argument must be a valid sed command.
+define_program(
+    program="sed",
+    options=common_sed_flags,
+    args=[ARG_SED_COMMAND, ARG_RFILES],
+    system_path=sed_system_path,
+)
+
+# When -e is required, all arguments are assumed to be readable files.
+define_program(
+    program="sed",
+    options=common_sed_flags + [
+        opt("-e", ARG_SED_COMMAND, required=True),
+    ],
+    args=[ARG_RFILES],
+    system_path=sed_system_path,
+)
+
+define_program(
+    program="which",
+    options=[
+        flag("-a"),
+        flag("-s"),
+    ],
+    # Surprisingly, `which` takes more than one argument.
+    args=[ARG_RFILES],
+    should_match=[
+        ["python3"],
+        ["-a", "python3"],
+        ["-a", "python3", "cargo"],
+    ],
+    should_not_match=[
+        [],
+    ],
+    system_path=["/bin/which", "/usr/bin/which"],
+)