feat: intercept apply_patch for unified_exec (#7446)

2026-05-05 22:01:37 +03:00 · 2025-12-02 17:54:02 +00:00
parent 37ee6bf2c3
commit 72b95db12f
8 changed files with 331 additions and 106 deletions
--- a/codex-rs/core/src/safety.rs
+++ b/codex-rs/core/src/safety.rs
@@ -6,6 +6,7 @@ use codex_apply_patch::ApplyPatchAction;
 use codex_apply_patch::ApplyPatchFileChange;

 use crate::exec::SandboxType;
+use crate::util::resolve_path;

 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;
@@ -150,11 +151,7 @@ fn is_write_patch_constrained_to_writable_paths(
    // and roots are converted to absolute, normalized forms before the
    // prefix check.
    let is_path_writable = |p: &PathBuf| {
-        let abs = if p.is_absolute() {
-            p.clone()
-        } else {
-            cwd.join(p)
-        };
+        let abs = resolve_path(cwd, p);
        let abs = match normalize(&abs) {
            Some(v) => v,
            None => return false,