Phase 1: Repository & Infrastructure Setup

- Renamed directories: codex-rs -> llmx-rs, codex-cli -> llmx-cli
- Updated package.json files:
  - Root: llmx-monorepo
  - CLI: @llmx/llmx
  - SDK: @llmx/llmx-sdk
- Updated pnpm workspace configuration
- Renamed binary: codex.js -> llmx.js
- Updated environment variables: CODEX_* -> LLMX_*
- Changed repository URLs to valknar/llmx

🤖 Generated with Claude Code

llmx-rs/linux-sandbox/Cargo.toml

@@ -0,0 +1,32 @@
+[package]
+edition = "2024"
+name = "codex-linux-sandbox"
+version = { workspace = true }
+
+[[bin]]
+name = "codex-linux-sandbox"
+path = "src/main.rs"
+
+[lib]
+name = "codex_linux_sandbox"
+path = "src/lib.rs"
+
+[lints]
+workspace = true
+
+[target.'cfg(target_os = "linux")'.dependencies]
+clap = { workspace = true, features = ["derive"] }
+codex-core = { workspace = true }
+landlock = { workspace = true }
+libc = { workspace = true }
+seccompiler = { workspace = true }
+
+[target.'cfg(target_os = "linux")'.dev-dependencies]
+tempfile = { workspace = true }
+tokio = { workspace = true, features = [
+    "io-std",
+    "macros",
+    "process",
+    "rt-multi-thread",
+    "signal",
+] }

llmx-rs/linux-sandbox/README.md

@@ -0,0 +1,8 @@
+# codex-linux-sandbox
+
+This crate is responsible for producing:
+
+- a `codex-linux-sandbox` standalone executable for Linux that is bundled with the Node.js version of the Codex CLI
+- a lib crate that exposes the business logic of the executable as `run_main()` so that
+  - the `codex-exec` CLI can check if its arg0 is `codex-linux-sandbox` and, if so, execute as if it were `codex-linux-sandbox`
+  - this should also be true of the `codex` multitool CLI

llmx-rs/linux-sandbox/src/landlock.rs

@@ -0,0 +1,145 @@
+use std::collections::BTreeMap;
+use std::path::Path;
+use std::path::PathBuf;
+
+use codex_core::error::CodexErr;
+use codex_core::error::Result;
+use codex_core::error::SandboxErr;
+use codex_core::protocol::SandboxPolicy;
+
+use landlock::ABI;
+use landlock::Access;
+use landlock::AccessFs;
+use landlock::CompatLevel;
+use landlock::Compatible;
+use landlock::Ruleset;
+use landlock::RulesetAttr;
+use landlock::RulesetCreatedAttr;
+use seccompiler::BpfProgram;
+use seccompiler::SeccompAction;
+use seccompiler::SeccompCmpArgLen;
+use seccompiler::SeccompCmpOp;
+use seccompiler::SeccompCondition;
+use seccompiler::SeccompFilter;
+use seccompiler::SeccompRule;
+use seccompiler::TargetArch;
+use seccompiler::apply_filter;
+
+/// Apply sandbox policies inside this thread so only the child inherits
+/// them, not the entire CLI process.
+pub(crate) fn apply_sandbox_policy_to_current_thread(
+    sandbox_policy: &SandboxPolicy,
+    cwd: &Path,
+) -> Result<()> {
+    if !sandbox_policy.has_full_network_access() {
+        install_network_seccomp_filter_on_current_thread()?;
+    }
+
+    if !sandbox_policy.has_full_disk_write_access() {
+        let writable_roots = sandbox_policy
+            .get_writable_roots_with_cwd(cwd)
+            .into_iter()
+            .map(|writable_root| writable_root.root)
+            .collect();
+        install_filesystem_landlock_rules_on_current_thread(writable_roots)?;
+    }
+
+    // TODO(ragona): Add appropriate restrictions if
+    // `sandbox_policy.has_full_disk_read_access()` is `false`.
+
+    Ok(())
+}
+
+/// Installs Landlock file-system rules on the current thread allowing read
+/// access to the entire file-system while restricting write access to
+/// `/dev/null` and the provided list of `writable_roots`.
+///
+/// # Errors
+/// Returns [`CodexErr::Sandbox`] variants when the ruleset fails to apply.
+fn install_filesystem_landlock_rules_on_current_thread(writable_roots: Vec<PathBuf>) -> Result<()> {
+    let abi = ABI::V5;
+    let access_rw = AccessFs::from_all(abi);
+    let access_ro = AccessFs::from_read(abi);
+
+    let mut ruleset = Ruleset::default()
+        .set_compatibility(CompatLevel::BestEffort)
+        .handle_access(access_rw)?
+        .create()?
+        .add_rules(landlock::path_beneath_rules(&["/"], access_ro))?
+        .add_rules(landlock::path_beneath_rules(&["/dev/null"], access_rw))?
+        .set_no_new_privs(true);
+
+    if !writable_roots.is_empty() {
+        ruleset = ruleset.add_rules(landlock::path_beneath_rules(&writable_roots, access_rw))?;
+    }
+
+    let status = ruleset.restrict_self()?;
+
+    if status.ruleset == landlock::RulesetStatus::NotEnforced {
+        return Err(CodexErr::Sandbox(SandboxErr::LandlockRestrict));
+    }
+
+    Ok(())
+}
+
+/// Installs a seccomp filter that blocks outbound network access except for
+/// AF_UNIX domain sockets.
+fn install_network_seccomp_filter_on_current_thread() -> std::result::Result<(), SandboxErr> {
+    // Build rule map.
+    let mut rules: BTreeMap<i64, Vec<SeccompRule>> = BTreeMap::new();
+
+    // Helper – insert unconditional deny rule for syscall number.
+    let mut deny_syscall = |nr: i64| {
+        rules.insert(nr, vec![]); // empty rule vec = unconditional match
+    };
+
+    deny_syscall(libc::SYS_connect);
+    deny_syscall(libc::SYS_accept);
+    deny_syscall(libc::SYS_accept4);
+    deny_syscall(libc::SYS_bind);
+    deny_syscall(libc::SYS_listen);
+    deny_syscall(libc::SYS_getpeername);
+    deny_syscall(libc::SYS_getsockname);
+    deny_syscall(libc::SYS_shutdown);
+    deny_syscall(libc::SYS_sendto);
+    deny_syscall(libc::SYS_sendmsg);
+    deny_syscall(libc::SYS_sendmmsg);
+    // NOTE: allowing recvfrom allows some tools like: `cargo clippy` to run
+    // with their socketpair + child processes for sub-proc management
+    // deny_syscall(libc::SYS_recvfrom);
+    deny_syscall(libc::SYS_recvmsg);
+    deny_syscall(libc::SYS_recvmmsg);
+    deny_syscall(libc::SYS_getsockopt);
+    deny_syscall(libc::SYS_setsockopt);
+    deny_syscall(libc::SYS_ptrace);
+
+    // For `socket` we allow AF_UNIX (arg0 == AF_UNIX) and deny everything else.
+    let unix_only_rule = SeccompRule::new(vec![SeccompCondition::new(
+        0, // first argument (domain)
+        SeccompCmpArgLen::Dword,
+        SeccompCmpOp::Ne,
+        libc::AF_UNIX as u64,
+    )?])?;
+
+    rules.insert(libc::SYS_socket, vec![unix_only_rule.clone()]);
+    rules.insert(libc::SYS_socketpair, vec![unix_only_rule]); // always deny (Unix can use socketpair but fine, keep open?)
+
+    let filter = SeccompFilter::new(
+        rules,
+        SeccompAction::Allow,                     // default – allow
+        SeccompAction::Errno(libc::EPERM as u32), // when rule matches – return EPERM
+        if cfg!(target_arch = "x86_64") {
+            TargetArch::x86_64
+        } else if cfg!(target_arch = "aarch64") {
+            TargetArch::aarch64
+        } else {
+            unimplemented!("unsupported architecture for seccomp filter");
+        },
+    )?;
+
+    let prog: BpfProgram = filter.try_into()?;
+
+    apply_filter(&prog)?;
+
+    Ok(())
+}

llmx-rs/linux-sandbox/src/lib.rs

@@ -0,0 +1,14 @@
+#[cfg(target_os = "linux")]
+mod landlock;
+#[cfg(target_os = "linux")]
+mod linux_run_main;
+
+#[cfg(target_os = "linux")]
+pub fn run_main() -> ! {
+    linux_run_main::run_main();
+}
+
+#[cfg(not(target_os = "linux"))]
+pub fn run_main() -> ! {
+    panic!("codex-linux-sandbox is only supported on Linux");
+}

llmx-rs/linux-sandbox/src/linux_run_main.rs

@@ -0,0 +1,56 @@
+use clap::Parser;
+use std::ffi::CString;
+use std::path::PathBuf;
+
+use crate::landlock::apply_sandbox_policy_to_current_thread;
+
+#[derive(Debug, Parser)]
+pub struct LandlockCommand {
+    /// It is possible that the cwd used in the context of the sandbox policy
+    /// is different from the cwd of the process to spawn.
+    #[arg(long = "sandbox-policy-cwd")]
+    pub sandbox_policy_cwd: PathBuf,
+
+    #[arg(long = "sandbox-policy")]
+    pub sandbox_policy: codex_core::protocol::SandboxPolicy,
+
+    /// Full command args to run under landlock.
+    #[arg(trailing_var_arg = true)]
+    pub command: Vec<String>,
+}
+
+pub fn run_main() -> ! {
+    let LandlockCommand {
+        sandbox_policy_cwd,
+        sandbox_policy,
+        command,
+    } = LandlockCommand::parse();
+
+    if let Err(e) = apply_sandbox_policy_to_current_thread(&sandbox_policy, &sandbox_policy_cwd) {
+        panic!("error running landlock: {e:?}");
+    }
+
+    if command.is_empty() {
+        panic!("No command specified to execute.");
+    }
+
+    #[expect(clippy::expect_used)]
+    let c_command =
+        CString::new(command[0].as_str()).expect("Failed to convert command to CString");
+    #[expect(clippy::expect_used)]
+    let c_args: Vec<CString> = command
+        .iter()
+        .map(|arg| CString::new(arg.as_str()).expect("Failed to convert arg to CString"))
+        .collect();
+
+    let mut c_args_ptrs: Vec<*const libc::c_char> = c_args.iter().map(|arg| arg.as_ptr()).collect();
+    c_args_ptrs.push(std::ptr::null());
+
+    unsafe {
+        libc::execvp(c_command.as_ptr(), c_args_ptrs.as_ptr());
+    }
+
+    // If execvp returns, there was an error.
+    let err = std::io::Error::last_os_error();
+    panic!("Failed to execvp {}: {err}", command[0].as_str());
+}

llmx-rs/linux-sandbox/src/main.rs

@@ -0,0 +1,6 @@
+/// Note that the cwd, env, and command args are preserved in the ultimate call
+/// to `execv`, so the caller is responsible for ensuring those values are
+/// correct.
+fn main() -> ! {
+    codex_linux_sandbox::run_main()
+}

llmx-rs/linux-sandbox/tests/all.rs

@@ -0,0 +1,3 @@
+// Single integration test binary that aggregates all test modules.
+// The submodules live in `tests/suite/`.
+mod suite;

llmx-rs/linux-sandbox/tests/suite/landlock.rs

@@ -0,0 +1,238 @@
+#![cfg(target_os = "linux")]
+use codex_core::config::types::ShellEnvironmentPolicy;
+use codex_core::error::CodexErr;
+use codex_core::error::SandboxErr;
+use codex_core::exec::ExecParams;
+use codex_core::exec::SandboxType;
+use codex_core::exec::process_exec_tool_call;
+use codex_core::exec_env::create_env;
+use codex_core::protocol::SandboxPolicy;
+use std::collections::HashMap;
+use std::path::PathBuf;
+use tempfile::NamedTempFile;
+
+// At least on GitHub CI, the arm64 tests appear to need longer timeouts.
+
+#[cfg(not(target_arch = "aarch64"))]
+const SHORT_TIMEOUT_MS: u64 = 200;
+#[cfg(target_arch = "aarch64")]
+const SHORT_TIMEOUT_MS: u64 = 5_000;
+
+#[cfg(not(target_arch = "aarch64"))]
+const LONG_TIMEOUT_MS: u64 = 1_000;
+#[cfg(target_arch = "aarch64")]
+const LONG_TIMEOUT_MS: u64 = 5_000;
+
+#[cfg(not(target_arch = "aarch64"))]
+const NETWORK_TIMEOUT_MS: u64 = 2_000;
+#[cfg(target_arch = "aarch64")]
+const NETWORK_TIMEOUT_MS: u64 = 10_000;
+
+fn create_env_from_core_vars() -> HashMap<String, String> {
+    let policy = ShellEnvironmentPolicy::default();
+    create_env(&policy)
+}
+
+#[expect(clippy::print_stdout, clippy::expect_used, clippy::unwrap_used)]
+async fn run_cmd(cmd: &[&str], writable_roots: &[PathBuf], timeout_ms: u64) {
+    let cwd = std::env::current_dir().expect("cwd should exist");
+    let sandbox_cwd = cwd.clone();
+    let params = ExecParams {
+        command: cmd.iter().copied().map(str::to_owned).collect(),
+        cwd,
+        timeout_ms: Some(timeout_ms),
+        env: create_env_from_core_vars(),
+        with_escalated_permissions: None,
+        justification: None,
+        arg0: None,
+    };
+
+    let sandbox_policy = SandboxPolicy::WorkspaceWrite {
+        writable_roots: writable_roots.to_vec(),
+        network_access: false,
+        // Exclude tmp-related folders from writable roots because we need a
+        // folder that is writable by tests but that we intentionally disallow
+        // writing to in the sandbox.
+        exclude_tmpdir_env_var: true,
+        exclude_slash_tmp: true,
+    };
+    let sandbox_program = env!("CARGO_BIN_EXE_codex-linux-sandbox");
+    let codex_linux_sandbox_exe = Some(PathBuf::from(sandbox_program));
+    let res = process_exec_tool_call(
+        params,
+        SandboxType::LinuxSeccomp,
+        &sandbox_policy,
+        sandbox_cwd.as_path(),
+        &codex_linux_sandbox_exe,
+        None,
+    )
+    .await
+    .unwrap();
+
+    if res.exit_code != 0 {
+        println!("stdout:\n{}", res.stdout.text);
+        println!("stderr:\n{}", res.stderr.text);
+        panic!("exit code: {}", res.exit_code);
+    }
+}
+
+#[tokio::test]
+async fn test_root_read() {
+    run_cmd(&["ls", "-l", "/bin"], &[], SHORT_TIMEOUT_MS).await;
+}
+
+#[tokio::test]
+#[should_panic]
+async fn test_root_write() {
+    let tmpfile = NamedTempFile::new().unwrap();
+    let tmpfile_path = tmpfile.path().to_string_lossy();
+    run_cmd(
+        &["bash", "-lc", &format!("echo blah > {tmpfile_path}")],
+        &[],
+        SHORT_TIMEOUT_MS,
+    )
+    .await;
+}
+
+#[tokio::test]
+async fn test_dev_null_write() {
+    run_cmd(
+        &["bash", "-lc", "echo blah > /dev/null"],
+        &[],
+        // We have seen timeouts when running this test in CI on GitHub,
+        // so we are using a generous timeout until we can diagnose further.
+        LONG_TIMEOUT_MS,
+    )
+    .await;
+}
+
+#[tokio::test]
+async fn test_writable_root() {
+    let tmpdir = tempfile::tempdir().unwrap();
+    let file_path = tmpdir.path().join("test");
+    run_cmd(
+        &[
+            "bash",
+            "-lc",
+            &format!("echo blah > {}", file_path.to_string_lossy()),
+        ],
+        &[tmpdir.path().to_path_buf()],
+        // We have seen timeouts when running this test in CI on GitHub,
+        // so we are using a generous timeout until we can diagnose further.
+        LONG_TIMEOUT_MS,
+    )
+    .await;
+}
+
+#[tokio::test]
+#[should_panic(expected = "Sandbox(Timeout")]
+async fn test_timeout() {
+    run_cmd(&["sleep", "2"], &[], 50).await;
+}
+
+/// Helper that runs `cmd` under the Linux sandbox and asserts that the command
+/// does NOT succeed (i.e. returns a non‑zero exit code) **unless** the binary
+/// is missing in which case we silently treat it as an accepted skip so the
+/// suite remains green on leaner CI images.
+#[expect(clippy::expect_used)]
+async fn assert_network_blocked(cmd: &[&str]) {
+    let cwd = std::env::current_dir().expect("cwd should exist");
+    let sandbox_cwd = cwd.clone();
+    let params = ExecParams {
+        command: cmd.iter().copied().map(str::to_owned).collect(),
+        cwd,
+        // Give the tool a generous 2-second timeout so even slow DNS timeouts
+        // do not stall the suite.
+        timeout_ms: Some(NETWORK_TIMEOUT_MS),
+        env: create_env_from_core_vars(),
+        with_escalated_permissions: None,
+        justification: None,
+        arg0: None,
+    };
+
+    let sandbox_policy = SandboxPolicy::new_read_only_policy();
+    let sandbox_program = env!("CARGO_BIN_EXE_codex-linux-sandbox");
+    let codex_linux_sandbox_exe: Option<PathBuf> = Some(PathBuf::from(sandbox_program));
+    let result = process_exec_tool_call(
+        params,
+        SandboxType::LinuxSeccomp,
+        &sandbox_policy,
+        sandbox_cwd.as_path(),
+        &codex_linux_sandbox_exe,
+        None,
+    )
+    .await;
+
+    let output = match result {
+        Ok(output) => output,
+        Err(CodexErr::Sandbox(SandboxErr::Denied { output })) => *output,
+        _ => {
+            panic!("expected sandbox denied error, got: {result:?}");
+        }
+    };
+
+    dbg!(&output.stderr.text);
+    dbg!(&output.stdout.text);
+    dbg!(&output.exit_code);
+
+    // A completely missing binary exits with 127.  Anything else should also
+    // be non‑zero (EPERM from seccomp will usually bubble up as 1, 2, 13…)
+    // If—*and only if*—the command exits 0 we consider the sandbox breached.
+
+    if output.exit_code == 0 {
+        panic!(
+            "Network sandbox FAILED - {cmd:?} exited 0\nstdout:\n{}\nstderr:\n{}",
+            output.stdout.text, output.stderr.text
+        );
+    }
+}
+
+#[tokio::test]
+async fn sandbox_blocks_curl() {
+    assert_network_blocked(&["curl", "-I", "http://openai.com"]).await;
+}
+
+#[tokio::test]
+async fn sandbox_blocks_wget() {
+    assert_network_blocked(&["wget", "-qO-", "http://openai.com"]).await;
+}
+
+#[tokio::test]
+async fn sandbox_blocks_ping() {
+    // ICMP requires raw socket – should be denied quickly with EPERM.
+    assert_network_blocked(&["ping", "-c", "1", "8.8.8.8"]).await;
+}
+
+#[tokio::test]
+async fn sandbox_blocks_nc() {
+    // Zero‑length connection attempt to localhost.
+    assert_network_blocked(&["nc", "-z", "127.0.0.1", "80"]).await;
+}
+
+#[tokio::test]
+async fn sandbox_blocks_ssh() {
+    // Force ssh to attempt a real TCP connection but fail quickly.  `BatchMode`
+    // avoids password prompts, and `ConnectTimeout` keeps the hang time low.
+    assert_network_blocked(&[
+        "ssh",
+        "-o",
+        "BatchMode=yes",
+        "-o",
+        "ConnectTimeout=1",
+        "github.com",
+    ])
+    .await;
+}
+
+#[tokio::test]
+async fn sandbox_blocks_getent() {
+    assert_network_blocked(&["getent", "ahosts", "openai.com"]).await;
+}
+
+#[tokio::test]
+async fn sandbox_blocks_dev_tcp_redirection() {
+    // This syntax is only supported by bash and zsh. We try bash first.
+    // Fallback generic socket attempt using /bin/sh with bash‑style /dev/tcp.  Not
+    // all images ship bash, so we guard against 127 as well.
+    assert_network_blocked(&["bash", "-c", "echo hi > /dev/tcp/127.0.0.1/80"]).await;
+}

llmx-rs/linux-sandbox/tests/suite/mod.rs

@@ -0,0 +1,2 @@
+// Aggregates all former standalone integration tests as modules.
+mod landlock;