Skip to content

feat(exec_allow): whitelist trusted commands with approval + TLS guardrails#180

Closed
cbusillo wants to merge 3 commits into
just-every:mainfrom
cbusillo:feat-exec-allow
Closed

feat(exec_allow): whitelist trusted commands with approval + TLS guardrails#180
cbusillo wants to merge 3 commits into
just-every:mainfrom
cbusillo:feat-exec-allow

Conversation

@cbusillo

Copy link
Copy Markdown

Summary

  • add an exec_allow config section plus runtime matcher so simple commands (e.g. uv run test*, docker compose) can bypass the sandbox while we continue validating that every argv path stays under writable roots
  • respect confirm = true on those rules so risky escapes still pause for user approval before leaving the sandbox
  • populate SSL_CERT_FILE when inject_ssl_cert_file = true, sourcing from CODEX_DEFAULT_SSL_CERT_FILE or common CA bundle paths so gh and other TLS clients keep working after the bypass
  • drop native TLS dependencies and guard the locale detector panic so macOS runners without a login keychain don’t crash when formatting numbers

Testing

  • ./build-fast.sh

@cbusillo

Copy link
Copy Markdown
Author

Testing this out now! I have an issue where commands like uv run and docker won't run right in the sandbox on macOS. I also want most git commands to always require confirmation.

Basically I want commands like uv run test* to always run without confirmation and outside the sandbox. I also want gh cli to work but require confirmation. gh wouldn't run without passing it ssl stuff.

I couldn't figure out a way to do this without new code, if I am mistaken, please let me know! I love the system you have created, it's what I was working on trying to build myself. Of course I just canceled my Claude account, but right now I can't find a reason to use it. Maybe with their next model release.

I am still trying to learn how to use the new agents system, I had a nice system with Claude Code, but the CLI tool kept crashing and Codex CLI doesn't support it so I ditched it. Looking forward to learning your system

@zemaj

zemaj commented Sep 18, 2025

Copy link
Copy Markdown

Thanks for the PR! So when you run gh in sandbox mode does it fail to run for you? What's the sandbox config you're using?

@cbusillo

Copy link
Copy Markdown
Author

This is what I am using right now. It is never able to auth correctly. It fails with a sandbox error. If you like I can install the stock Code and give you the actual error.

approval_policy = "on-request"
sandbox_mode = "workspace-write"

@cbusillo cbusillo force-pushed the feat-exec-allow branch 2 times, most recently from 1a8528a to 0b01f85 Compare September 22, 2025 16:11
@zemaj zemaj force-pushed the main branch 2 times, most recently from 804b5ad to b7927a2 Compare October 28, 2025 23:57
@zemaj

zemaj commented Nov 3, 2025

Copy link
Copy Markdown

We now keep codex-rs in lockstep with upstream openai/codex (see c8111bb), so Rust changes need to target the code-rs workspace instead. Closing this to keep the mirror clean—happy to revisit the exec allowlist in a fresh PR on code-rs.

@zemaj zemaj closed this Nov 3, 2025
@cbusillo cbusillo deleted the feat-exec-allow branch February 12, 2026 15:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants