Commit Graph

1 Commits

  • feat: execpolicy v2 (#6467)
    ## Summary
    - Introduces the `codex-execpolicy2` crate.
    - This PR covers only the prefix-rule subset of the planned execpolicy
    v2 language; a richer language will follow.
    
    ## Policy
    - Policy language centers on `prefix_rule(pattern=[...], decision?,
    match?, not_match?)`, where `pattern` is an ordered list of tokens; any
    element may be a list to denote alternatives. `decision` defaults to
    `allow`; valid values are `allow`, `prompt`, and `forbidden`. `match` /
    `not_match` hold example commands that are tokenized and validated at
    load time (think of these as unit tests).
    
    ## Policy shapes
    - Prefix rules use Starlark syntax:
    ```starlark
    prefix_rule(
        pattern = ["cmd", ["alt1", "alt2"]], # ordered tokens; list entries denote alternatives
        decision = "prompt",                # allow | prompt | forbidden; defaults to allow
        match = [["cmd", "alt1"]],          # examples that must match this rule (enforced at compile time)
        not_match = [["cmd", "oops"]],      # examples that must not match this rule (enforced at compile time)
    )
    ```
    
    ## Response shapes
    - Match:
    
    ```json
    {
      "match": {
        "decision": "allow|prompt|forbidden",
        "matchedRules": [
          {
            "prefixRuleMatch": {
              "matchedPrefix": ["<token>", "..."],
              "decision": "allow|prompt|forbidden"
            }
          }
        ]
      }
    }
    ```
    
    - No match:
    
    ```json
    "noMatch"
    ```
    
    - `matchedRules` lists every rule whose prefix matched the command;
    `matchedPrefix` is the exact prefix that matched.
    - The effective `decision` is the strictest severity across all matches
    (`forbidden` > `prompt` > `allow`).
    
    ---------
    
    Co-authored-by: Michael Bolin <mbolin@openai.com>
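The prefix-rule semantics described in this commit message (ordered tokens with alternatives, the `allow` default, load-time `match`/`not_match` validation, and strictest-severity resolution across all matching rules), as an added Rust example that is not code from the `codex-execpolicy2` crate; the `Decision`, `PrefixRule`, `evaluate` and `validate` names are assumed for illustration.

```rust
// Added example, not the codex-execpolicy2 crate's own code: a minimal evaluator
// for the prefix-rule semantics in the commit message (the crate's real API is
// assumed to differ).

/// Decisions ordered by severity, so `max` yields the strictest one.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Decision { Allow, Prompt, Forbidden }

/// One `prefix_rule`: each pattern position lists its accepted alternatives.
pub struct PrefixRule {
    pub pattern: Vec<Vec<&'static str>>,
    pub decision: Decision, // Allow when the policy omits `decision`
}

impl PrefixRule {
    /// The exact matched prefix when every pattern position accepts the
    /// corresponding command token; commands shorter than the pattern never match.
    pub fn matches(&self, cmd: &[&str]) -> Option<Vec<String>> {
        if cmd.len() < self.pattern.len() {
            return None;
        }
        let ok = self.pattern.iter().zip(cmd).all(|(alts, tok)| alts.iter().any(|a| a == tok));
        ok.then(|| cmd[..self.pattern.len()].iter().map(|t| t.to_string()).collect())
    }
}

/// Every rule whose prefix matches is reported (like `matchedRules`), and the
/// effective decision is the strictest across them (forbidden > prompt > allow).
pub fn evaluate(rules: &[PrefixRule], cmd: &[&str]) -> Option<(Decision, Vec<Vec<String>>)> {
    let mut matched = Vec::new();
    let mut decision = Decision::Allow;
    for rule in rules {
        if let Some(prefix) = rule.matches(cmd) {
            decision = decision.max(rule.decision);
            matched.push(prefix);
        }
    }
    if matched.is_empty() { None } else { Some((decision, matched)) }
}

/// Load-time check behind `match` / `not_match`: a rule whose own examples do
/// not behave as declared is rejected before it can ever gate a real command.
pub fn validate(rule: &PrefixRule, must: &[&[&str]], must_not: &[&[&str]]) -> Result<(), String> {
    if let Some(ex) = must.iter().find(|ex| rule.matches(ex).is_none()) {
        return Err(format!("{ex:?} should match but does not"));
    }
    if let Some(ex) = must_not.iter().find(|ex| rule.matches(ex).is_some()) {
        return Err(format!("{ex:?} should not match but does"));
    }
    Ok(())
}
```

A second, broader rule that also matches the command pulls the effective decision up to its severity, which is why a permissive rule can never override a stricter overlapping one.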