fix: close Bazel argument-comment-lint CI gaps (#16253)

## Why The Bazel-backed `argument-comment-lint` CI path had two gaps: - Bazel wildcard target expansion skipped inline unit-test crates from `src/` modules because the generated `*-unit-tests-bin` `rust_test` targets are tagged `manual`. - `argument-comment-mismatch` was still only a warning in the Bazel and packaged-wrapper entrypoints, so a typoed `/*param_name*/` comment could still pass CI even when the lint detected it. That left CI blind to real linux-sandbox examples, including the missing `/*local_port*/` comment in `codex-rs/linux-sandbox/src/proxy_routing.rs` and typoed argument comments in `codex-rs/linux-sandbox/src/landlock.rs`. ## What Changed - Added `tools/argument-comment-lint/list-bazel-targets.sh` so Bazel lint runs cover `//codex-rs/...` plus the manual `rust_test` `*-unit-tests-bin` targets. - Updated `just argument-comment-lint`, `rust-ci.yml`, and `rust-ci-full.yml` to use that helper. - Promoted both `argument-comment-mismatch` and `uncommented-anonymous-literal-argument` to errors in every strict entrypoint: - `tools/argument-comment-lint/lint_aspect.bzl` - `tools/argument-comment-lint/src/bin/argument-comment-lint.rs` - `tools/argument-comment-lint/wrapper_common.py` - Added wrapper/bin coverage for the stricter lint flags and documented the behavior in `tools/argument-comment-lint/README.md`. - Fixed the now-covered callsites in `codex-rs/linux-sandbox/src/proxy_routing.rs`, `codex-rs/linux-sandbox/src/landlock.rs`, and `codex-rs/core/src/shell_snapshot_tests.rs`. This keeps the Bazel target expansion narrow while making the Bazel and prebuilt-linter paths enforce the same strict lint set. ## Verification - `python3 -m unittest discover -s tools/argument-comment-lint -p 'test_*.py'` - `cargo +nightly-2025-09-18 test --manifest-path tools/argument-comment-lint/Cargo.toml` - `just argument-comment-lint`
2026-05-03 21:01:55 +03:00 · 2026-03-30 11:59:50 -07:00
parent 258ba436f1
commit 9313c49e4c
12 changed files with 111 additions and 27 deletions
--- a/codex-rs/linux-sandbox/src/landlock.rs
+++ b/codex-rs/linux-sandbox/src/landlock.rs
@@ -274,7 +274,10 @@ mod tests {
    #[test]
    fn managed_network_enforces_seccomp_even_for_full_network_policy() {
        assert_eq!(
-            should_install_network_seccomp(NetworkSandboxPolicy::Enabled, true),
+            should_install_network_seccomp(
+                NetworkSandboxPolicy::Enabled,
+                /*allow_network_for_proxy*/ true
+            ),
            true
        );
    }
@@ -282,7 +285,10 @@ mod tests {
    #[test]
    fn full_network_policy_without_managed_network_skips_seccomp() {
        assert_eq!(
-            should_install_network_seccomp(NetworkSandboxPolicy::Enabled, false),
+            should_install_network_seccomp(
+                NetworkSandboxPolicy::Enabled,
+                /*allow_network_for_proxy*/ false
+            ),
            false
        );
    }
@@ -291,18 +297,22 @@ mod tests {
    fn restricted_network_policy_always_installs_seccomp() {
        assert!(should_install_network_seccomp(
            NetworkSandboxPolicy::Restricted,
-            false
+            /*allow_network_for_proxy*/ false
        ));
        assert!(should_install_network_seccomp(
            NetworkSandboxPolicy::Restricted,
-            true
+            /*allow_network_for_proxy*/ true
        ));
    }

    #[test]
    fn managed_proxy_routes_use_proxy_routed_seccomp_mode() {
        assert_eq!(
-            network_seccomp_mode(NetworkSandboxPolicy::Enabled, true, true),
+            network_seccomp_mode(
+                NetworkSandboxPolicy::Enabled,
+                /*allow_network_for_proxy*/ true,
+                /*proxy_routed_network*/ true
+            ),
            Some(NetworkSeccompMode::ProxyRouted)
        );
    }
@@ -310,7 +320,11 @@ mod tests {
    #[test]
    fn restricted_network_without_proxy_routing_uses_restricted_mode() {
        assert_eq!(
-            network_seccomp_mode(NetworkSandboxPolicy::Restricted, false, false),
+            network_seccomp_mode(
+                NetworkSandboxPolicy::Restricted,
+                /*allow_network_for_proxy*/ false,
+                /*proxy_routed_network*/ false
+            ),
            Some(NetworkSeccompMode::Restricted)
        );
    }
@@ -318,7 +332,11 @@ mod tests {
    #[test]
    fn full_network_without_managed_proxy_skips_network_seccomp_mode() {
        assert_eq!(
-            network_seccomp_mode(NetworkSandboxPolicy::Enabled, false, false),
+            network_seccomp_mode(
+                NetworkSandboxPolicy::Enabled,
+                /*allow_network_for_proxy*/ false,
+                /*proxy_routed_network*/ false
+            ),
            None
        );
    }