Derive remote exec env on the exec-server

Add an exec-server env policy contract and send only the env overlay needed for runtime/sandbox transforms when Core starts remote unified-exec processes. Keep local process startup on the existing exact-env path, and share the shell-environment-policy builder from codex-config so the executor can apply the same inherit/filter/set/include rules against its own process environment. Co-authored-by: Codex <noreply@openai.com>
2026-05-02 04:11:39 +03:00 · 2026-04-09 12:29:15 +01:00
parent 8f705b0702
commit 3040717ae2
18 changed files with 352 additions and 101 deletions
--- a/codex-rs/exec-server/src/protocol.rs
+++ b/codex-rs/exec-server/src/protocol.rs
@@ -2,6 +2,7 @@ use std::collections::HashMap;
 use std::path::PathBuf;

 use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
+use codex_config::types::ShellEnvironmentPolicyInherit;
 use codex_protocol::protocol::SandboxPolicy;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use serde::Deserialize;
@@ -60,11 +61,23 @@ pub struct ExecParams {
    pub process_id: ProcessId,
    pub argv: Vec<String>,
    pub cwd: PathBuf,
+    #[serde(default)]
+    pub env_policy: Option<ExecEnvPolicy>,
    pub env: HashMap<String, String>,
    pub tty: bool,
    pub arg0: Option<String>,
 }

+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct ExecEnvPolicy {
+    pub inherit: ShellEnvironmentPolicyInherit,
+    pub ignore_default_excludes: bool,
+    pub exclude: Vec<String>,
+    pub r#set: HashMap<String, String>,
+    pub include_only: Vec<String>,
+}
+
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct ExecResponse {