execpolicycheck command in codex cli (#7012)

adding execpolicycheck tool onto codex cli this is useful for validating policies (can be multiple) against commands. it will also surface errors in policy syntax: <img width="1150" height="281" alt="Screenshot 2025-11-19 at 12 46 21 PM" src="https://github.com/user-attachments/assets/8f99b403-564c-4172-acc9-6574a8d13dc3" /> this PR also changes output format when there's no match in the CLI. instead of returning the raw string `noMatch`, we return `{"noMatch":{}}` this PR is a rewrite of: https://github.com/openai/codex/pull/6932 (due to the numerous merge conflicts present in the original PR) --------- Co-authored-by: Michael Bolin <mbolin@openai.com>
2026-04-30 11:21:34 +03:00 · 2025-11-20 16:44:31 -05:00
parent c30ca0d5b6
commit fe7a3f0c2b
12 changed files with 183 additions and 71 deletions
--- a/codex-rs/core/src/exec_policy.rs
+++ b/codex-rs/core/src/exec_policy.rs
@@ -109,7 +109,7 @@ fn evaluate_with_policy(
            }
            Decision::Allow => Some(ApprovalRequirement::Skip),
        },
-        Evaluation::NoMatch => None,
+        Evaluation::NoMatch { .. } => None,
    }
 }

@@ -206,7 +206,7 @@ mod tests {
        let commands = [vec!["rm".to_string()]];
        assert!(matches!(
            policy.check_multiple(commands.iter()),
-            Evaluation::NoMatch
+            Evaluation::NoMatch { .. }
        ));
        assert!(!temp_dir.path().join(POLICY_DIR_NAME).exists());
    }
@@ -259,7 +259,7 @@ mod tests {
        let command = [vec!["ls".to_string()]];
        assert!(matches!(
            policy.check_multiple(command.iter()),
-            Evaluation::NoMatch
+            Evaluation::NoMatch { .. }
        ));
    }