## Problem
There's a security vulnerability in the current implementation where
shell commands are being executed without requesting user permission
even when in 'suggest' mode. According to our documentation:
> In **Suggest** mode (default): All file writes/patches and **ALL
shell/Bash commands** should require approval.
However, the current implementation in `approvals.ts` was auto-approving
commands deemed "safe" by the `isSafeCommand` function, bypassing the
user permission requirement. This is a security risk as users expect all
shell commands to require explicit approval in 'suggest' mode.
## Solution
This PR fixes the issue by modifying the `canAutoApprove` function in
`approvals.ts` to respect the 'suggest' mode policy for all shell
commands:
1. Added an early check at the beginning of `canAutoApprove` to
immediately return `{ type: "ask-user" }` when the policy is `suggest`,
regardless of whether the command is considered "safe" or not.
2. Added a similar check in the bash command handling section to ensure
bash commands also respect the 'suggest' mode.
3. Updated tests to verify the new behavior, ensuring that all shell
commands require approval in 'suggest' mode, while still being
auto-approved in 'auto-edit' and 'full-auto' modes when appropriate.
## Testing
All tests pass, confirming that the fix works as expected. The updated
tests verify that:
- All commands (even "safe" ones) require approval in 'suggest' mode
- Safe commands are still auto-approved in 'auto-edit' mode
- Bash commands with redirects still require approval in all modes
This change ensures that the behavior matches what's documented and what
users expect, improving security by requiring explicit permission for
all shell commands in the default 'suggest' mode.
This PR makes changes in the Dockerfile to reduce the final image size.
I'm sure this can be optimized further. But I didn't want to make too
many changes at once.
Original:
```
REPOSITORY TAG IMAGE ID CREATED SIZE
codex latest c8f66942ded3 4 minutes ago 1.91GB
```
Now:
```
REPOSITORY TAG IMAGE ID CREATED SIZE
codex latest 2a6d6450609c 4 minutes ago 747MB
```
## Description
This PR fixes the issue where the CLI can't continue after interrupting
the assistant with ESC ESC (Fixes#114). The problem was caused by
duplicate code in the `cancel()` method and improper state reset after
cancellation.
## Changes
- Fixed duplicate code in the `cancel()` method of the `AgentLoop` class
- Added proper reset of the `currentStream` property in the `cancel()`
method
- Created a new `AbortController` after aborting the current one to
ensure future tool calls work
- Added a system message to indicate the interruption to the user
- Added a comprehensive test to verify the fix
## Benefits
- Users can now continue using the CLI after interrupting the assistant
- Improved user experience by providing feedback when interruption
occurs
- Better state management in the agent loop
## Testing
- Added a dedicated test that verifies the agent can process new input
after cancellation
- Manually tested the fix by interrupting the assistant and confirming
that new input is processed correctly
---------
Signed-off-by: crazywolf132 <crazywolf132@gmail.com>
# Description
This PR fixes a typo where the prompt prefix for the agent loop was
missing the word "as"
# Changes
* Added missing word "as" within the agent loop prompt prefix
# Benefits
* The prompt is now grammatically correct and clearer
# Testing
* Manually tested the fix
...and try to parse the suggested time from the error message while we
don't yet have this in a structured way
---------
Signed-off-by: Thibault Sottiaux <tibo@openai.com>
Why
---
Improves the usability of the `codex` CLI by adding shell completion for
file paths. This allows users to quickly complete file arguments using
tab completion in bash, zsh, and fish shells. Enable via `eval "$(codex
completion <shell>)"`.
## Description
This fix resolves a bug where Ctrl+Backspace (hex 0x17) deletes the
entire line when the cursor is positioned after a trailing space.
## Problem
When the user has a line like "I want you to refactor my view " (with a
space at the end) and the cursor is after that space, Ctrl+Backspace
deletes the entire line instead of just removing the word "view".
## Solution
- Added a check to detect if the cursor is after spaces
- Modified the logic to delete only one space at a time in this case
- Added a unit test to verify this behavior
## Tests
All tests pass, including the new test that verifies the corrected
behavior.
---------
Signed-off-by: Alpha Diop <alphakhoss@gmail.com>
Co-authored-by: Thibault Sottiaux <tibo@openai.com>
### Summary
Refactored the `renderFilesToXml` function to improve performance and
readability by replacing iterative string concatenation with
`Array.map().join()`.
### Changes
- Replaced the `for...of` loop with `files.map(...).join('')`
- Reduced number of string mutation operations
- Preserved the existing XML structure and CDATA safety
### Why
Using `join` avoids repeated string concatenation in loops, which can
improve performance, especially when rendering a large number of files.
It also results in more concise and idiomatic code.
I have read the CLA Document and I hereby sign the CLA
---
Let me know if this needs any adjustments!
Signed-off-by: yonatanlavy <yehonatanmind@gmail.com>
Previously, `parseToolCall()` was using `computeAutoApproval()`, which
was a somewhat parallel implementation of `canAutoApprove()` in order to
get `SafeCommandReason` metadata for presenting information to the user.
The only function that was using `SafeCommandReason` was
`useMessageGrouping()`, but it turns out that function was unused, so
this PR removes `computeAutoApproval()` and all code related to it.
More importantly, I believe this fixes
https://github.com/openai/codex/issues/87 because
`computeAutoApproval()` was calling `parse()` from `shell-quote` without
wrapping it in a try-catch. This PR updates `canAutoApprove()` to use a
tighter try-catch block that is specific to `parse()` and returns an
appropriate `SafetyAssessment` in the event of an error, based on the
`ApprovalPolicy`.
Signed-off-by: Michael Bolin <mbolin@openai.com>
