mirror of
https://github.com/openai/codex.git
synced 2026-05-03 12:52:11 +03:00
## Summary

1. Add a Security Boundaries section to `SECURITY.md`.
2. Point readers to the Codex Agent approvals and security documentation for sandboxing, approvals, and network controls.

## Validation

1. Reviewed the `SECURITY.md` diff in a clean worktree.
2. No tests run. Docs-only change.
load("//:defs.bzl", "codex_rust_crate", "workspace_root_test")
# Fixture file group. Public visibility lets any package in the workspace
# depend on it, so the file listed here should stay free of real credentials
# or captured production traffic.
filegroup(
    name = "model_availability_nux_fixtures",
    srcs = ["tests/cli_responses_fixture.sse"],
    visibility = ["//visibility:public"],
)
# Build and test targets for the `codex_core` crate. `codex_rust_crate` is a
# project macro loaded from //:defs.bzl; how it consumes each attribute is not
# visible in this file, so the notes below describe only what is passed in.
codex_rust_crate(
    name = "core",
    crate_name = "codex_core",

    # Every file glob can see in this package is a compile-time input, except
    # paths containing a space, BUILD.bazel and Cargo.toml.
    # NOTE(review): because the pattern is "**", any stray file left in the
    # crate directory (local config, credentials, dumps) also becomes a build
    # input; keep the tree clean.
    compile_data = glob(
        ["**"],
        exclude = [
            "**/* *",
            "BUILD.bazel",
            "Cargo.toml",
        ],
        allow_empty = True,
    ) + ["//codex-rs:node-version.txt"],
    rustc_env = {
        # Keep manifest-root path lookups inside the Bazel execroot for code
        # that relies on env!("CARGO_MANIFEST_DIR").
        "CARGO_MANIFEST_DIR": "codex-rs/core",
    },

    # Binaries from other packages, including the Linux sandbox helper and the
    # CLI; presumably made available to the tests at run time - TODO confirm
    # against the macro.
    extra_binaries = [
        "//codex-rs/linux-sandbox:codex-linux-sandbox",
        "//codex-rs/rmcp-client:test_stdio_server",
        "//codex-rs/rmcp-client:test_streamable_http_server",
        "//codex-rs/responses-api-proxy:codex-responses-api-proxy",
        "//codex-rs/cli:codex",
    ],
    integration_compile_data_extra = [
        "//codex-rs/apply-patch:apply_patch_tool_instructions.md",
        "templates/realtime/backend_prompt.md",
    ],

    # Integration tests listed as flaky, keyed by what looks like the test
    # file stem; the exact meaning of the keys is defined by the macro.
    integration_test_flaky_by_stem = {
        "all": [
            "suite::abort_tasks::interrupt_tool_records_history_entries",
            "suite::apply_patch_cli::apply_patch_cli_rejects_invalid_hunk_header::applypatchmodeloutput_function_expects",
        ],
        "responses_headers": [
            "responses_stream_includes_turn_metadata_header_for_git_workspace_e2e",
        ],
    },
    integration_test_timeout = "long",
    test_data_extra = [
        "config.schema.json",
    ] + glob([
        "src/**/snapshots/**",
    ]) + [
        # This is a bit of a hack, but empirically, some of our integration tests
        # are relying on the presence of this file as a repo root marker. When
        # running tests locally, this "just works," but in remote execution,
        # the working directory is different and so the file is not found unless it
        # is explicitly added as test data.
        #
        # TODO(aibrahim): Update the tests so that `just bazel-remote-test`
        # succeeds without this workaround.
        "//:AGENTS.md",
    ],

    # "no-sandbox" is Bazel's tag for running an action outside the sandbox;
    # presumably the macro forwards these tags to the generated test targets.
    # Unsandboxed tests can read and write outside their declared inputs, so
    # treat them as having the access of the invoking user or CI runner.
    # NOTE(review): the reason for opting out is not recorded here.
    test_tags = ["no-sandbox"],

    # The two tests named here are skipped in the crate's unit-test run; each
    # is run on its own by a `workspace_root_test` target later in this file.
    unit_test_args = [
        "--skip",
        "guardian::tests::guardian_parallel_reviews_fork_from_last_committed_trunk_history",
        "--skip",
        "agent::control::tests::completion_watcher_notifies_parent_when_child_is_missing",
    ],
    unit_test_timeout = "long",
)
# Runs exactly one test from the core unit-test binary: the guardian
# parallel-reviews test that the main unit-test run skips.
# NOTE(review): the target carries the "flaky" tag; make sure CI tag filters
# do not drop it silently, or this test stops running anywhere.
workspace_root_test(
    name = "core-guardian-parallel-reviews-flaky-test",
    test_bin = ":core-unit-tests-bin",
    workspace_root_marker = "//codex-rs/utils/cargo-bin:repo_root.marker",
    args = [
        "--exact",
        "guardian::tests::guardian_parallel_reviews_fork_from_last_committed_trunk_history",
    ],
    env = {
        "INSTA_WORKSPACE_ROOT": ".",
        "INSTA_SNAPSHOT_PATH": "src",
    },
    # "no-sandbox" is Bazel's tag for running outside the sandbox, so this
    # test can touch files beyond its declared inputs.
    tags = [
        "flaky",
        "no-sandbox",
    ],
    timeout = "long",
)
# Runs exactly one test from the core unit-test binary: the completion-watcher
# missing-child test that the main unit-test run skips.
# NOTE(review): the target carries the "flaky" tag; make sure CI tag filters
# do not drop it silently, or this test stops running anywhere.
workspace_root_test(
    name = "core-completion-watcher-missing-child-flaky-test",
    test_bin = ":core-unit-tests-bin",
    workspace_root_marker = "//codex-rs/utils/cargo-bin:repo_root.marker",
    args = [
        "--exact",
        "agent::control::tests::completion_watcher_notifies_parent_when_child_is_missing",
    ],
    env = {
        "INSTA_WORKSPACE_ROOT": ".",
        "INSTA_SNAPSHOT_PATH": "src",
    },
    # "no-sandbox" is Bazel's tag for running outside the sandbox, so this
    # test can touch files beyond its declared inputs.
    tags = [
        "flaky",
        "no-sandbox",
    ],
    timeout = "long",
)