Refactor execpolicy fallback evaluation (#7544)

## Refactor of the `execpolicy` crate To illustrate why we need this refactor, consider an agent attempting to run `apple | rm -rf ./`. Suppose `apple` is allowed by `execpolicy`. Before this PR, `execpolicy` would consider `apple` and `pear` and only render one rule match: `Allow`. We would skip any heuristics checks on `rm -rf ./` and immediately approve `apple | rm -rf ./` to run. To fix this, we now thread a `fallback` evaluation function into `execpolicy` that runs when no `execpolicy` rules match a given command. In our example, we would run `fallback` on `rm -rf ./` and prevent `apple | rm -rf ./` from being run without approval.
2026-04-29 19:03:02 +03:00 · 2025-12-04 02:39:48 -05:00
parent e925a380dc
commit 3d35cb4619
27 changed files with 538 additions and 257 deletions
--- a/codex-rs/execpolicy/src/execpolicycheck.rs
+++ b/codex-rs/execpolicy/src/execpolicycheck.rs
@@ -4,10 +4,12 @@ use std::path::PathBuf;
 use anyhow::Context;
 use anyhow::Result;
 use clap::Parser;
+use serde::Serialize;

-use crate::Evaluation;
+use crate::Decision;
 use crate::Policy;
 use crate::PolicyParser;
+use crate::RuleMatch;

 /// Arguments for evaluating a command against one or more execpolicy files.
 #[derive(Debug, Parser, Clone)]
@@ -34,20 +36,25 @@ impl ExecPolicyCheckCommand {
    /// Load the policies for this command, evaluate the command, and render JSON output.
    pub fn run(&self) -> Result<()> {
        let policy = load_policies(&self.policies)?;
-        let evaluation = policy.check(&self.command);
+        let matched_rules = policy.matches_for_command(&self.command, None);

-        let json = format_evaluation_json(&evaluation, self.pretty)?;
+        let json = format_matches_json(&matched_rules, self.pretty)?;
        println!("{json}");

        Ok(())
    }
 }

-pub fn format_evaluation_json(evaluation: &Evaluation, pretty: bool) -> Result<String> {
+pub fn format_matches_json(matched_rules: &[RuleMatch], pretty: bool) -> Result<String> {
+    let output = ExecPolicyCheckOutput {
+        matched_rules,
+        decision: matched_rules.iter().map(RuleMatch::decision).max(),
+    };
+
    if pretty {
-        serde_json::to_string_pretty(evaluation).map_err(Into::into)
+        serde_json::to_string_pretty(&output).map_err(Into::into)
    } else {
-        serde_json::to_string(evaluation).map_err(Into::into)
+        serde_json::to_string(&output).map_err(Into::into)
    }
 }

@@ -65,3 +72,12 @@ pub fn load_policies(policy_paths: &[PathBuf]) -> Result<Policy> {

    Ok(parser.build())
 }
+
+#[derive(Serialize)]
+#[serde(rename_all = "camelCase")]
+struct ExecPolicyCheckOutput<'a> {
+    #[serde(rename = "matchedRules")]
+    matched_rules: &'a [RuleMatch],
+    #[serde(skip_serializing_if = "Option::is_none")]
+    decision: Option<Decision>,
+}