Commit Graph

59 Commits

  • linux-sandbox: honor split filesystem policies in bwrap (#13453)
    ## Why
    
    After `#13449`, the Linux helper could receive split filesystem and
    network policies, but the bubblewrap mount builder still reconstructed
    filesystem access from the legacy `SandboxPolicy`.
    
    That loses explicit unreadable carveouts under writable roots, and it
    also mishandles `Root` read access paired with explicit deny carveouts.
    In those cases bubblewrap could still expose paths that the split
    filesystem policy intentionally blocked.
    
    ## What changed
    
    - switched bubblewrap mount generation to consume
    `FileSystemSandboxPolicy` directly at the implementation boundary;
    legacy `SandboxPolicy` configs still flow through the existing
    `FileSystemSandboxPolicy::from(&sandbox_policy)` bridge before reaching
    bwrap
    - kept the Linux helper and preflight path on the split filesystem
    policy all the way into bwrap
    - re-applied explicit unreadable carveouts after readable and writable
    mounts so blocked subpaths still win under bubblewrap
    - masked denied directories with `--tmpfs` plus `--remount-ro` and
    denied files with `--ro-bind-data`, preserving the backing fd until exec
    - added comments in the unreadable-root masking block to explain why the
    mount order and directory/file split are intentional
    - updated Linux helper call sites and tests for the split-policy bwrap
    path
    
    ## Verification
    
    - added protocol coverage for root carveouts staying scoped
    - added core coverage that root-write plus deny carveouts still requires
    a platform sandbox
    - added bwrap unit coverage for reapplying blocked carveouts after
    writable binds
    - added Linux integration coverage for explicit split-policy carveouts
    under bubblewrap
    - validated the final branch state with `cargo test -p
    codex-linux-sandbox`, `cargo clippy -p codex-linux-sandbox --all-targets
    -- -D warnings`, and the PR CI reruns
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/13453).
    * __->__ #13453
    * #13452
    * #13451
    * #13449
    * #13448
    * #13445
    * #13440
    * #13439
    
    ---------
    
    Co-authored-by: viyatb-oai <viyatb@openai.com>
  • linux-sandbox: plumb split sandbox policies through helper (#13449)
    ## Why
    
    The Linux sandbox helper still only accepted the legacy `SandboxPolicy`
    payload.
    
    That meant the runtime could compute split filesystem and network
    policies, but the helper would immediately collapse them back to the
    compatibility projection before applying seccomp or staging the
    bubblewrap inner command.
    
    ## What changed
    
    - added hidden `--file-system-sandbox-policy` and
    `--network-sandbox-policy` flags alongside the legacy `--sandbox-policy`
    flag so the helper can migrate incrementally
    - updated the core-side Landlock wrapper to pass the split policies
    explicitly when launching `codex-linux-sandbox`
    - added helper-side resolution logic that accepts either the legacy
    policy alone or a complete split-policy pair and normalizes that into
    one effective configuration
    - switched Linux helper network decisions to use `NetworkSandboxPolicy`
    directly
    - added `FromStr` support for the split policy types so the helper can
    parse them from CLI JSON
    
    ## Verification
    
    - added helper coverage in `linux-sandbox/src/linux_run_main_tests.rs`
    for split-policy flags and policy resolution
    - added CLI argument coverage in `core/src/landlock.rs`
    - verified the current PR state with `just clippy`
    
    
    
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/13449).
    * #13453
    * #13452
    * #13451
    * __->__ #13449
    * #13448
    * #13445
    * #13440
    * #13439
    
    ---------
    
    Co-authored-by: viyatb-oai <viyatb@openai.com>
  • sandboxing: plumb split sandbox policies through runtime (#13439)
    ## Why
    
    `#13434` introduces split `FileSystemSandboxPolicy` and
    `NetworkSandboxPolicy`, but the runtime still made most execution-time
    sandbox decisions from the legacy `SandboxPolicy` projection.
    
    That projection loses information about combinations like unrestricted
    filesystem access with restricted network access. In practice, that
    means the runtime can choose the wrong platform sandbox behavior or set
    the wrong network-restriction environment for a command even when config
    has already separated those concerns.
    
    This PR carries the split policies through the runtime so sandbox
    selection, process spawning, and exec handling can consult the policy
    that actually matters.
    
    ## What changed
    
    - threaded `FileSystemSandboxPolicy` and `NetworkSandboxPolicy` through
    `TurnContext`, `ExecRequest`, sandbox attempts, shell escalation state,
    unified exec, and app-server exec overrides
    - updated sandbox selection in `core/src/sandboxing/mod.rs` and
    `core/src/exec.rs` to key off `FileSystemSandboxPolicy.kind` plus
    `NetworkSandboxPolicy`, rather than inferring behavior only from the
    legacy `SandboxPolicy`
    - updated process spawning in `core/src/spawn.rs` and the platform
    wrappers to use `NetworkSandboxPolicy` when deciding whether to set
    `CODEX_SANDBOX_NETWORK_DISABLED`
    - kept additional-permissions handling and legacy `ExternalSandbox`
    compatibility projections aligned with the split policies, including
    explicit user-shell execution and Windows restricted-token routing
    - updated callers across `core`, `app-server`, and `linux-sandbox` to
    pass the split policies explicitly
    
    ## Verification
    
    - added regression coverage in `core/tests/suite/user_shell_cmd.rs` to
    verify `RunUserShellCommand` does not inherit
    `CODEX_SANDBOX_NETWORK_DISABLED` from the active turn
    - added coverage in `core/src/exec.rs` for Windows restricted-token
    sandbox selection when the legacy projection is `ExternalSandbox`
    - updated Linux sandbox coverage in
    `linux-sandbox/tests/suite/landlock.rs` to exercise the split-policy
    exec path
    - verified the current PR state with `just clippy`
    
    
    
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/13439).
    * #13453
    * #13452
    * #13451
    * #13449
    * #13448
    * #13445
    * #13440
    * __->__ #13439
    
    ---------
    
    Co-authored-by: viyatb-oai <viyatb@openai.com>
  • fix(linux-sandbox): always unshare bwrap userns (#13624)
    ## Summary
    - always pass `--unshare-user` in the Linux bubblewrap argv builders
    - stop relying on bubblewrap's auto-userns behavior, which is skipped
    for `uid 0`
    - update argv expectations in tests and document the explicit user
    namespace behavior
    
    The installed Codex binary reproduced the same issue with:
    - `codex -c features.use_linux_sandbox_bwrap=true sandbox linux -- true`
    - `bwrap: Creating new namespace failed: Operation not permitted`
    
    This happens because Codex asked bubblewrap for mount/pid/network
    namespaces without explicitly asking for a user namespace. In a
    root-inside-container environment without ambient `CAP_SYS_ADMIN`, that
    fails. Adding `--unshare-user` makes bubblewrap create the user
    namespace first and then the remaining namespaces succeed.
  • Feat: Preserve network access on read-only sandbox policies (#13409)
    ## Summary
    
    `PermissionProfile.network` could not be preserved when additional or
    compiled permissions resolved to
    `SandboxPolicy::ReadOnly`, because `ReadOnly` had no network_access
    field. This change makes read-only + network
    enabled representable directly and threads that through the protocol,
    app-server v2 mirror, and permission-
      merging logic.
    
    ## What changed
    
    - Added `network_access: bool` to `SandboxPolicy::ReadOnly` in the core
    protocol and app-server v2 protocol.
    - Kept backward compatibility by defaulting the new field to false, so
    legacy read-only payloads still
        deserialize unchanged.
    - Updated `has_full_network_access()` and sandbox summaries to respect
    read-only network access.
      - Preserved PermissionProfile.network when:
          - compiling skill permission profiles into sandbox policies
          - normalizing additional permissions
          - merging additional permissions into existing sandbox policies
    - Updated the approval overlay to show network in the rendered
    permission rule when requested.
      - Regenerated app-server schema fixtures for the new v2 wire shape.
  • feat(linux-sandbox): support restricted ReadOnlyAccess in bwrap (#12369)
    ## Summary
    Implements Linux bubblewrap support for restricted `ReadOnlyAccess`
    (introduced in #11387) by honoring `readable_roots` and
    `include_platform_defaults` instead of failing closed.
    
    ## What changed
    - Added a Linux platform-default read allowlist for common
    system/runtime paths (e.g. /usr, /etc, /lib*, Nix store roots).
    - Updated the bwrap filesystem mount builder to support restricted read
    access:
      - Full-read policies still use `--ro-bind / /`
    - Restricted-read policies now start from` --tmpfs `/ and add scoped
    `--ro-bind` mounts
    - Preserved existing writable-root and protected-subpath behavior
    (`.git`, `.codex`, etc.).
    
    `ReadOnlyAccess::Restricted` was already modeled in protocol, but Linux
    bwrap still returned `UnsupportedOperation` for restricted read access.
    This closes that gap for the active Linux filesystem backend.
    
    
    ## Notes
    Legacy Linux Landlock fallback still fail-closes for restricted read
    access (unchanged).
  • Revert "Ensure shell command skills trigger approval (#12697)" (#12721)
    This reverts commit daf0f03ac8.
    
    # External (non-OpenAI) Pull Request Requirements
    
    Before opening this Pull Request, please read the dedicated
    "Contributing" markdown file or your PR may be closed:
    https://github.com/openai/codex/blob/main/docs/contributing.md
    
    If your PR conforms to our contribution guidelines, replace this text
    with a detailed and high quality description of your changes.
    
    Include a link to a bug report or enhancement request.
  • Ensure shell command skills trigger approval (#12697)
    Summary
    - detect skill-invoking shell commands based on the original command
    string, request approvals when needed, and cache positive decisions per
    session
    - keep implicit skill invocation emitted after approval and keep skill
    approval decline messaging centralized to the shell handler
    - expand and adjust skill approval tests to cover shell-based skill
    scripts while matching the new detection expectations
    
    Testing
    - Not run (not requested)
  • feat(linux-sandbox): implement proxy-only egress via TCP-UDS-TCP bridge (#11293)
    ## Summary
    - Implement Linux proxy-only routing in `codex-rs/linux-sandbox` with a
    two-stage bridge: host namespace `loopback TCP proxy endpoint -> UDS`,
    then bwrap netns `loopback TCP listener -> host UDS`.
    - Add hidden `--proxy-route-spec` plumbing for outer-to-inner stage
    handoff.
    - Fail closed in proxy mode when no valid loopback proxy endpoints can
    be routed.
    - Introduce explicit network seccomp modes: `Restricted` (legacy
    restricted networking) and `ProxyRouted` (allow INET/INET6 for routed
    proxy access, deny `AF_UNIX` and `socketpair`).
    - Enforce that proxy bridge/routing is bwrap-only by validating
    `--apply-seccomp-then-exec` requires `--use-bwrap-sandbox`.
    - Keep landlock-only flows unchanged (no proxy bridge behavior outside
    bwrap).
    
    ---------
    
    Co-authored-by: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
  • chore: remove codex-core public protocol/shell re-exports (#12432)
    ## Why
    
    `codex-rs/core/src/lib.rs` re-exported a broad set of types and modules
    from `codex-protocol` and `codex-shell-command`. That made it easy for
    workspace crates to import those APIs through `codex-core`, which in
    turn hides dependency edges and makes it harder to reduce compile-time
    coupling over time.
    
    This change removes those public re-exports so call sites must import
    from the source crates directly. Even when a crate still depends on
    `codex-core` today, this makes dependency boundaries explicit and
    unblocks future work to drop `codex-core` dependencies where possible.
    
    ## What Changed
    
    - Removed public re-exports from `codex-rs/core/src/lib.rs` for:
    - `codex_protocol::protocol` and related protocol/model types (including
    `InitialHistory`)
      - `codex_protocol::config_types` (`protocol_config_types`)
    - `codex_shell_command::{bash, is_dangerous_command, is_safe_command,
    parse_command, powershell}`
    - Migrated workspace Rust call sites to import directly from:
      - `codex_protocol::protocol`
      - `codex_protocol::config_types`
      - `codex_protocol::models`
      - `codex_shell_command`
    - Added explicit `Cargo.toml` dependencies (`codex-protocol` /
    `codex-shell-command`) in crates that now import those crates directly.
    - Kept `codex-core` internal modules compiling by using `pub(crate)`
    aliases in `core/src/lib.rs` (internal-only, not part of the public
    API).
    - Updated the two utility crates that can already drop a `codex-core`
    dependency edge entirely:
      - `codex-utils-approval-presets`
      - `codex-utils-cli`
    
    ## Verification
    
    - `cargo test -p codex-utils-approval-presets`
    - `cargo test -p codex-utils-cli`
    - `cargo check --workspace --all-targets`
    - `just clippy`
  • Refactor network approvals to host/protocol/port scope (#12140)
    ## Summary
    Simplify network approvals by removing per-attempt proxy correlation and
    moving to session-level approval dedupe keyed by (host, protocol, port).
    Instead of encoding attempt IDs into proxy credentials/URLs, we now
    treat approvals as a destination policy decision.
    
    - Concurrent calls to the same destination share one approval prompt.
    - Different destinations (or same host on different ports) get separate
    prompts.
    - Allow once approves the current queued request group only.
    - Allow for session caches that (host, protocol, port) and auto-allows
    future matching requests.
    - Never policy continues to deny without prompting.
    
    Example:
    - 3 calls: 
      - a.com (line 443)
      - b.com (line 443)
      - a.com (line 443)
    => 2 prompts total (a, b), second a waits on the first decision.
    - a.com:80 is treated separately from a.com line 443
    
    ## Testing
    - `just fmt` (in `codex-rs`)
    - `cargo test -p codex-core tools::network_approval::tests`
    - `cargo test -p codex-core` (unit tests pass; existing
    integration-suite failures remain in this environment)
  • fix(linux-sandbox): mount /dev in bwrap sandbox (#12081)
    ## Summary
    - Updates the Linux bubblewrap sandbox args to mount a minimal `/dev`
    using `--dev /dev` instead of only binding `/dev/null`. tools needing
    entropy (git, crypto libs, etc.) can fail.
    
    - Changed mount order so `--dev /dev` is added before writable-root
    `--bind` mounts, preserving writable `/dev/*` submounts like `/dev/shm`
    
    ## Why
    Fixes sandboxed command failures when reading `/dev/urandom` (and
    similar standard device-node access).
    
    
    Fixes https://github.com/openai/codex/issues/12056
  • feat(core): add structured network approval plumbing and policy decision model (#11672)
    ### Description
    #### Summary
    Introduces the core plumbing required for structured network approvals
    
    #### What changed
    - Added structured network policy decision modeling in core.
    - Added approval payload/context types needed for network approval
    semantics.
    - Wired shell/unified-exec runtime plumbing to consume structured
    decisions.
    - Updated related core error/event surfaces for structured handling.
    - Updated protocol plumbing used by core approval flow.
    - Included small CLI debug sandbox compatibility updates needed by this
    layer.
    
    #### Why
    establishes the minimal backend foundation for network approvals without
    yet changing high-level orchestration or TUI behavior.
    
    #### Notes
    - Behavior remains constrained by existing requirements/config gating.
    - Follow-up PRs in the stack handle orchestration, UX, and app-server
    integration.
    
    ---------
    
    Co-authored-by: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
  • build(linux-sandbox): always compile vendored bubblewrap on Linux; remove CODEX_BWRAP_ENABLE_FFI (#11498)
    ## Summary
    This PR removes the temporary `CODEX_BWRAP_ENABLE_FFI` flag and makes
    Linux builds always compile vendored bubblewrap support for
    `codex-linux-sandbox`.
    
    ## Changes
    - Removed `CODEX_BWRAP_ENABLE_FFI` gating from
    `codex-rs/linux-sandbox/build.rs`.
    - Linux builds now fail fast if vendored bubblewrap compilation fails
    (instead of warning and continuing).
    - Updated fallback/help text in
    `codex-rs/linux-sandbox/src/vendored_bwrap.rs` to remove references to
    `CODEX_BWRAP_ENABLE_FFI`.
    - Removed `CODEX_BWRAP_ENABLE_FFI` env wiring from:
      - `.github/workflows/rust-ci.yml`
      - `.github/workflows/bazel.yml`
      - `.github/workflows/rust-release.yml`
    
    ---------
    
    Co-authored-by: David Zbarsky <zbarsky@openai.com>
  • feat: make sandbox read access configurable with ReadOnlyAccess (#11387)
    `SandboxPolicy::ReadOnly` previously implied broad read access and could
    not express a narrower read surface.
    This change introduces an explicit read-access model so we can support
    user-configurable read restrictions in follow-up work, while preserving
    current behavior today.
    
    It also ensures unsupported backends fail closed for restricted-read
    policies instead of silently granting broader access than intended.
    
    ## What
    
    - Added `ReadOnlyAccess` in protocol with:
      - `Restricted { include_platform_defaults, readable_roots }`
      - `FullAccess`
    - Updated `SandboxPolicy` to carry read-access configuration:
      - `ReadOnly { access: ReadOnlyAccess }`
      - `WorkspaceWrite { ..., read_only_access: ReadOnlyAccess }`
    - Preserved existing behavior by defaulting current construction paths
    to `ReadOnlyAccess::FullAccess`.
    - Threaded the new fields through sandbox policy consumers and call
    sites across `core`, `tui`, `linux-sandbox`, `windows-sandbox`, and
    related tests.
    - Updated Seatbelt policy generation to honor restricted read roots by
    emitting scoped read rules when full read access is not granted.
    - Added fail-closed behavior on Linux and Windows backends when
    restricted read access is requested but not yet implemented there
    (`UnsupportedOperation`).
    - Regenerated app-server protocol schema and TypeScript artifacts,
    including `ReadOnlyAccess`.
    
    ## Compatibility / rollout
    
    - Runtime behavior remains unchanged by default (`FullAccess`).
    - API/schema changes are in place so future config wiring can enable
    restricted read access without another policy-shape migration.
  • feat(sandbox): enforce proxy-aware network routing in sandbox (#11113)
    ## Summary
    - expand proxy env injection to cover common tool env vars
    (`HTTP_PROXY`/`HTTPS_PROXY`/`ALL_PROXY`/`NO_PROXY` families +
    tool-specific variants)
    - harden macOS Seatbelt network policy generation to route through
    inferred loopback proxy endpoints and fail closed when proxy env is
    malformed
    - thread proxy-aware Linux sandbox flags and add minimal bwrap netns
    isolation hook for restricted non-proxy runs
    - add/refresh tests for proxy env wiring, Seatbelt policy generation,
    and Linux sandbox argument wiring
  • deflake linux-sandbox NoNewPrivs timeout (#11245)
    Deflake `codex-linux-sandbox::all
    suite::landlock::test_no_new_privs_is_enabled`.
    
    CI has intermittently failed with `Sandbox(Timeout)` (exit 124) because
    the sandboxed
    `grep '^NoNewPrivs:' /proc/self/status` can run close to the short
    timeout budget.
    
    This updates only this test to use `LONG_TIMEOUT_MS`, which removes the
    near-threshold timeout
    behavior while keeping the rest of the suite unchanged.
    
    Refs (previous failures):
    - PR:
    https://github.com/openai/codex/actions/runs/21836764823/job/63009902779
    - PR:
    https://github.com/openai/codex/actions/runs/21837427251/job/63012470353
    - main:
    https://github.com/openai/codex/actions/runs/21830746538/job/62988079964
    
    Validation:
    - Local: `cd codex-rs && cargo test -p codex-linux-sandbox` (non-Linux
    runs 0 tests)
  • feat: include NetworkConfig through ExecParams (#11105)
    This PR adds the following field to `Config`:
    
    ```rust
    pub network: Option<NetworkProxy>,
    ```
    
    Though for the moment, it will always be initialized as `None` (this
    will be addressed in a subsequent PR).
    
    This PR does the work to thread `network` through to `execute_exec_env()`, `process_exec_tool_call()`, and `UnifiedExecRuntime.run()` to ensure it is available whenever we span a process.
  • fix(linux-sandbox): block io_uring syscalls in no-network seccomp policy (#10814)
    ## Summary
    
    - Add seccomp deny rules for `io_uring` syscalls in the Linux sandbox
    network policy.
    - Specifically deny:
      - `SYS_io_uring_setup`
      - `SYS_io_uring_enter`
      - `SYS_io_uring_register`
  • feat(linux-sandbox): add bwrap support (#9938)
    ## Summary
    This PR introduces a gated Bubblewrap (bwrap) Linux sandbox path. The
    curent Linux sandbox path relies on in-process restrictions (including
    Landlock). Bubblewrap gives us a more uniform filesystem isolation
    model, especially explicit writable roots with the option to make some
    directories read-only and granular network controls.
    
    This is behind a feature flag so we can validate behavior safely before
    making it the default.
    
    - Added temporary rollout flag:
      - `features.use_linux_sandbox_bwrap`
    - Preserved existing default path when the flag is off.
    - In Bubblewrap mode:
    - Added internal retry without /proc when /proc mount is not permitted
    by the host/container.
  • Inject CODEX_THREAD_ID into the terminal environment (#10096)
    Inject CODEX_THREAD_ID (when applicable) into the terminal environment
    so that the agent (and skills) can refer to the current thread / session
    ID.
    
    Discussion:
    https://openai.slack.com/archives/C095U48JNL9/p1769542492067109
  • feat(linux-sandbox): vendor bubblewrap and wire it with FFI (#10413)
    ## Summary
    
    Vendor Bubblewrap into the repo and add minimal build plumbing in
    `codex-linux-sandbox` to compile/link it.
    
    ## Why
    
    We want to move Linux sandboxing toward Bubblewrap, but in a safe
    two-step rollout:
    1) vendoring/build setup (this PR),  
    2) runtime integration (follow-up PR).
    
    ## Included
    
    - Add `codex-rs/vendor/bubblewrap` sources.
    - Add build-time FFI path in `codex-rs/linux-sandbox`.
    - Update `build.rs` rerun tracking for vendored files.
    - Small vendored compile warning fix (`sockaddr_nl` full init).
    
    follow up in https://github.com/openai/codex/pull/9938
  • remove sandbox globals. (#9797)
    Threads sandbox updates through OverrideTurnContext for active turn
    Passes computed sandbox type into safety/exec
  • revert: remove pre-Landlock bind mounts apply (#9300)
    **Description**
    
    This removes the pre‑Landlock read‑only bind‑mount step from the Linux
    sandbox so filesystem restrictions rely solely on Landlock again.
    `mounts.rs` is kept in place but left unused. The linux‑sandbox README
    is updated to match the new behavior and manual test expectations.
  • fix: fallback to Landlock-only when user namespaces unavailable and set PR_SET_NO_NEW_PRIVS early (#9250)
    fixes https://github.com/openai/codex/issues/9236
    
    ### Motivation
    - Prevent sandbox setup from failing when unprivileged user namespaces
    are denied so Landlock-only protections can still be applied.
    - Ensure `PR_SET_NO_NEW_PRIVS` is set before installing seccomp and
    Landlock restrictions to avoid kernel `EPERM`/`LandlockRestrict`
    ordering issues.
    
    ### Description
    - Add `is_permission_denied` helper that detects `EPERM` /
    `PermissionDenied` from `CodexErr` to drive fallback logic.
    - In `apply_read_only_mounts` skip read-only bind-mount setup and return
    `Ok(())` when `unshare_user_and_mount_namespaces()` fails with
    permission-denied so Landlock rules can still be installed.
    - Add `set_no_new_privs()` and call it from
    `apply_sandbox_policy_to_current_thread` before installing seccomp
    filters and Landlock rules when disk or network access is restricted.
  • fix: correct linux sandbox uid/gid mapping after unshare (#9234)
    fixes https://github.com/openai/codex/issues/9233
    ## Summary
    - capture effective uid/gid before unshare for user namespace maps
    - pass captured ids into uid/gid map writer
    
    ## Testing
    - just fmt
    - just fix -p codex-linux-sandbox
    - cargo test -p codex-linux-sandbox
  • feat: add support for read-only bind mounts in the linux sandbox (#9112)
    ### Motivation
    
    - Landlock alone cannot prevent writes to sensitive in-repo files like
    `.git/` when the repo root is writable, so explicit mount restrictions
    are required for those paths.
    - The sandbox must set up any mounts before calling Landlock so Landlock
    can still be applied afterwards and the two mechanisms compose
    correctly.
    
    ### Description
    
    - Add a new `linux-sandbox` helper `apply_read_only_mounts` in
    `linux-sandbox/src/mounts.rs` that: unshares namespaces, maps uids/gids
    when required, makes mounts private, bind-mounts targets, and remounts
    them read-only.
    - Wire the mount step into the sandbox flow by calling
    `apply_read_only_mounts(...)` before network/seccomp and before applying
    Landlock rules in `linux-sandbox/src/landlock.rs`.
  • feat: add support for building with Bazel (#8875)
    This PR configures Codex CLI so it can be built with
    [Bazel](https://bazel.build) in addition to Cargo. The `.bazelrc`
    includes configuration so that remote builds can be done using
    [BuildBuddy](https://www.buildbuddy.io).
    
    If you are familiar with Bazel, things should work as you expect, e.g.,
    run `bazel test //... --keep-going` to run all the tests in the repo,
    but we have also added some new aliases in the `justfile` for
    convenience:
    
    - `just bazel-test` to run tests locally
    - `just bazel-remote-test` to run tests remotely (currently, the remote
    build is for x86_64 Linux regardless of your host platform). Note we are
    currently seeing the following test failures in the remote build, so we
    still need to figure out what is happening here:
    
    ```
    failures:
        suite::compact::manual_compact_twice_preserves_latest_user_messages
        suite::compact_resume_fork::compact_resume_after_second_compaction_preserves_history
        suite::compact_resume_fork::compact_resume_and_fork_preserve_model_history_view
    ```
    
    - `just build-for-release` to build release binaries for all
    platforms/architectures remotely
    
    To setup remote execution:
    - [Create a buildbuddy account](https://app.buildbuddy.io/) (OpenAI
    employees should also request org access at
    https://openai.buildbuddy.io/join/ with their `@openai.com` email
    address.)
    - [Copy your API key](https://app.buildbuddy.io/docs/setup/) to
    `~/.bazelrc` (add the line `build
    --remote_header=x-buildbuddy-api-key=YOUR_KEY`)
    - Use `--config=remote` in your `bazel` invocations (or add `common
    --config=remote` to your `~/.bazelrc`, or use the `just` commands)
    
    ## CI
    
    In terms of CI, this PR introduces `.github/workflows/bazel.yml`, which
    uses Bazel to run the tests _locally_ on Mac and Linux GitHub runners
    (we are working on supporting Windows, but that is not ready yet). Note
    that the failures we are seeing in `just bazel-remote-test` do not occur
    on these GitHub CI jobs, so everything in `.github/workflows/bazel.yml`
    is green right now.
    
    The `bazel.yml` uses extra config in `.github/workflows/ci.bazelrc` so
    that macOS CI jobs build _remotely_ on Linux hosts (using the
    `docker://docker.io/mbolin491/codex-bazel` Docker image declared in the
    root `BUILD.bazel`) using cross-compilation to build the macOS
    artifacts. Then these artifacts are downloaded locally to GitHub's macOS
    runner so the tests can be executed natively. This is the relevant
    config that enables this:
    
    ```
    common:macos --config=remote
    common:macos --strategy=remote
    common:macos --strategy=TestRunner=darwin-sandbox,local
    ```
    
    Because of the remote caching benefits we get from BuildBuddy, these new
    CI jobs can be extremely fast! For example, consider these two jobs that
    ran all the tests on Linux x86_64:
    
    - Bazel 1m37s
    https://github.com/openai/codex/actions/runs/20861063212/job/59940545209?pr=8875
    - Cargo 9m20s
    https://github.com/openai/codex/actions/runs/20861063192/job/59940559592?pr=8875
    
    For now, we will continue to run both the Bazel and Cargo jobs for PRs,
    but once we add support for Windows and running Clippy, we should be
    able to cutover to using Bazel exclusively for PRs, which should still
    speed things up considerably. We will probably continue to run the Cargo
    jobs post-merge for commits that land on `main` as a sanity check.
    
    Release builds will also continue to be done by Cargo for now.
    
    Earlier attempt at this PR: https://github.com/openai/codex/pull/8832
    Earlier attempt to add support for Buck2, now abandoned:
    https://github.com/openai/codex/pull/8504
    
    ---------
    
    Co-authored-by: David Zbarsky <dzbarsky@gmail.com>
    Co-authored-by: Michael Bolin <mbolin@openai.com>
  • fix: introduce AbsolutePathBuf as part of sandbox config (#7856)
    Changes the `writable_roots` field of the `WorkspaceWrite` variant of
    the `SandboxPolicy` enum from `Vec<PathBuf>` to `Vec<AbsolutePathBuf>`.
    This is helpful because now callers can be sure the value is an absolute
    path rather than a relative one. (Though when using an absolute path in
    a Seatbelt config policy, we still have to _canonicalize_ it first.)
    
    Because `writable_roots` can be read from a config file, it is important
    that we are able to resolve relative paths properly using the parent
    folder of the config file as the base path.
  • refactoring with_escalated_permissions to use SandboxPermissions instead (#7750)
    helpful in the future if we want more granularity for requesting
    escalated permissions:
    e.g when running in readonly sandbox, model can request to escalate to a
    sandbox that allows writes
  • fix: allow sendmsg(2) and recvmsg(2) syscalls in our Linux sandbox (#7779)
    This changes our default Landlock policy to allow `sendmsg(2)` and
    `recvmsg(2)` syscalls. We believe these were originally denied out of an
    abundance of caution, but given that `send(2)` nor `recv(2)` are allowed
    today [which provide comparable capability to the `*msg` equivalents],
    we do not believe allowing them grants any privileges beyond what we
    already allow.
    
    Rather than using the syscall as the security boundary, preventing
    access to the potentially hazardous file descriptor in the first place
    seems like the right layer of defense.
    
    In particular, this makes it possible for `shell-tool-mcp` to run on
    Linux when using a read-only sandbox for the Bash process, as
    demonstrated by `accept_elicitation_for_prompt_rule()` now succeeding in
    CI.
  • chore: add cargo-deny configuration (#7119)
    - add GitHub workflow running cargo-deny on push/PR
    - document cargo-deny allowlist with workspace-dep notes and advisory
    ignores
    - align workspace crates to inherit version/edition/license for
    consistent checks
  • refactor: inline sandbox type lookup in process_exec_tool_call (#7122)
    `process_exec_tool_call()` was taking `SandboxType` as a param, but in
    practice, the only place it was constructed was in
    `codex_message_processor.rs` where it was derived from the other
    `sandbox_policy` param, so this PR inlines the logic that decides the
    `SandboxType` into `process_exec_tool_call()`.
    
    
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/7122).
    * #7112
    * __->__ #7122
  • feat: update process_exec_tool_call() to take a cancellation token (#6972)
    This updates `ExecParams` so that instead of taking `timeout_ms:
    Option<u64>`, it now takes a more general cancellation mechanism,
    `ExecExpiration`, which is an enum that includes a
    `Cancellation(tokio_util::sync::CancellationToken)` variant.
    
    If the cancellation token is fired, then `process_exec_tool_call()`
    returns in the same way as if a timeout was exceeded.
    
    This is necessary so that in #6973, we can manage the timeout logic
    external to the `process_exec_tool_call()` because we want to "suspend"
    the timeout when an elicitation from a human user is pending.
    
    
    
    
    
    
    
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/6972).
    * #7005
    * #6973
    * __->__ #6972
  • chore: rework tools execution workflow (#5278)
    Re-work the tool execution flow. Read `orchestrator.rs` to understand
    the structure
  • chore: clippy on redundant closure (#4058)
    Add redundant closure clippy rules and let Codex fix it by minimising
    FQP
  • chore: unify cargo versions (#4044)
    Unify cargo versions at root
  • fix: ensure cwd for conversation and sandbox are separate concerns (#3874)
    Previous to this PR, both of these functions take a single `cwd`:
    
    
    https://github.com/openai/codex/blob/71038381aa0f51aa62e1a2bcc7cbf26a05b141f3/codex-rs/core/src/seatbelt.rs#L19-L25
    
    
    https://github.com/openai/codex/blob/71038381aa0f51aa62e1a2bcc7cbf26a05b141f3/codex-rs/core/src/landlock.rs#L16-L23
    
    whereas `cwd` and `sandbox_cwd` should be set independently (fixed in
    this PR).
    
    Added `sandbox_distinguishes_command_and_policy_cwds()` to
    `codex-rs/exec/tests/suite/sandbox.rs` to verify this.
  • Include command output when sending timeout to model (#3576)
    Being able to see the output helps the model decide how to handle the
    timeout.
  • feat: Run cargo shear during CI (#3338)
    Run cargo shear as part of the CI to ensure no unused dependencies
  • test: faster test execution in codex-core (#2633)
    this dramatically improves time to run `cargo test -p codex-core` (~25x
    speedup).
    
    before:
    ```
    cargo test -p codex-core  35.96s user 68.63s system 19% cpu 8:49.80 total
    ```
    
    after:
    ```
    cargo test -p codex-core  5.51s user 8.16s system 63% cpu 21.407 total
    ```
    
    both tests measured "hot", i.e. on a 2nd run with no filesystem changes,
    to exclude compile times.
    
    approach inspired by [Delete Cargo Integration
    Tests](https://matklad.github.io/2021/02/27/delete-cargo-integration-tests.html),
    we move all test cases in tests/ into a single suite in order to have a
    single binary, as there is significant overhead for each test binary
    executed, and because test execution is only parallelized with a single
    binary.
  • chore(deps): bump libc from 0.2.174 to 0.2.175 in /codex-rs (#2406)
    Bumps [libc](https://github.com/rust-lang/libc) from 0.2.174 to 0.2.175.
    <details>
    <summary>Release notes</summary>
    <p><em>Sourced from <a
    href="https://github.com/rust-lang/libc/releases">libc's
    releases</a>.</em></p>
    <blockquote>
    <h2>0.2.175</h2>
    <h3>Added</h3>
    <ul>
    <li>AIX: Add <code>getpeereid</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4524">#4524</a>)</li>
    <li>AIX: Add <code>struct ld_info</code> and friends (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4578">#4578</a>)</li>
    <li>AIX: Retore <code>struct winsize</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4577">#4577</a>)</li>
    <li>Android: Add UDP socket option constants (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4619">#4619</a>)</li>
    <li>Android: Add <code>CLONE_CLEAR_SIGHAND</code> and
    <code>CLONE_INTO_CGROUP</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4502">#4502</a>)</li>
    <li>Android: Add more <code>prctl</code> constants (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4531">#4531</a>)</li>
    <li>FreeBSD Add further TCP stack-related constants (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4196">#4196</a>)</li>
    <li>FreeBSD x86-64: Add <code>mcontext_t.mc_tlsbase </code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4503">#4503</a>)</li>
    <li>FreeBSD15: Add <code>kinfo_proc.ki_uerrmsg</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4552">#4552</a>)</li>
    <li>FreeBSD: Add <code>in_conninfo</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li>
    <li>FreeBSD: Add <code>xinpgen</code> and related types (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li>
    <li>FreeBSD: Add <code>xktls_session</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li>
    <li>Haiku: Add functionality from <code>libbsd</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4221">#4221</a>)</li>
    <li>Linux: Add <code>SECBIT_*</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4480">#4480</a>)</li>
    <li>NetBSD, OpenBSD: Export <code>ioctl</code> request generator macros
    (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4460">#4460</a>)</li>
    <li>NetBSD: Add <code>ptsname_r</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4608">#4608</a>)</li>
    <li>RISCV32: Add time-related syscalls (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4612">#4612</a>)</li>
    <li>Solarish: Add <code>strftime*</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4453">#4453</a>)</li>
    <li>linux: Add <code>EXEC_RESTRICT_*</code> and <code>EXEC_DENY_*</code>
    (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4545">#4545</a>)</li>
    </ul>
    <h3>Changed</h3>
    <ul>
    <li>AIX: Add <code>const</code> to signatures to be consistent with
    other platforms (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4563">#4563</a>)</li>
    </ul>
    <h3>Fixed</h3>
    <ul>
    <li>AIX: Fix the type of <code>struct statvfs.f_fsid</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4576">#4576</a>)</li>
    <li>AIX: Fix the type of constants for the <code>ioctl</code>
    <code>request</code> argument (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4582">#4582</a>)</li>
    <li>AIX: Fix the types of <code>stat{,64}.st_*tim</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4597">#4597</a>)</li>
    <li>AIX: Use unique <code>errno</code> values (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4507">#4507</a>)</li>
    <li>Build: Fix an incorrect <code>target_os</code> -&gt;
    <code>target_arch</code> check (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4550">#4550</a>)</li>
    <li>FreeBSD: Fix the type of <code>xktls_session_onedir.ifnet</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4552">#4552</a>)</li>
    <li>Mips64 musl: Fix the type of <code>nlink_t</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4509">#4509</a>)</li>
    <li>Mips64 musl: Use a special MIPS definition of <code>stack_t</code>
    (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4528">#4528</a>)</li>
    <li>Mips64: Fix <code>SI_TIMER</code>, <code>SI_MESGQ</code> and
    <code>SI_ASYNCIO</code> definitions (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4529">#4529</a>)</li>
    <li>Musl Mips64: Swap the order of <code>si_errno</code> and
    <code>si_code</code> in <code>siginfo_t</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4530">#4530</a>)</li>
    <li>Musl Mips64: Use a special MIPS definition of <code>statfs</code>
    (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4527">#4527</a>)</li>
    <li>Musl: Fix the definition of <code>fanotify_event_metadata</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4510">#4510</a>)</li>
    <li>NetBSD: Correct <code>enum fae_action</code> to be
    <code>#[repr(C)]</code> (<a
    href="https://github.com/rust-lang/libc/commit/60a8cfd564f83164d45b9533ff7a0d7371878f2a">#60a8cfd5</a>)</li>
    <li>PSP: Correct <code>char</code> -&gt; <code>c_char</code> (<a
    href="https://github.com/rust-lang/libc/commit/eaab4fc3f05dc646a953d4fd5ba46dfa1f8bd6f6">eaab4fc3</a>)</li>
    <li>PowerPC musl: Fix <code>termios</code> definitions (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4518">#4518</a>)</li>
    <li>PowerPC musl: Fix the definition of <code>EDEADLK</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4517">#4517</a>)</li>
    <li>PowerPC musl: Fix the definition of <code>NCCS</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4513">#4513</a>)</li>
    <li>PowerPC musl: Fix the definitions of <code>MAP_LOCKED</code> and
    <code>MAP_NORESERVE</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4516">#4516</a>)</li>
    <li>PowerPC64 musl: Fix the definition of <code>shmid_ds</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4519">#4519</a>)</li>
    </ul>
    <h3>Deprecated</h3>
    <!-- raw HTML omitted -->
    </blockquote>
    <p>... (truncated)</p>
    </details>
    <details>
    <summary>Changelog</summary>
    <p><em>Sourced from <a
    href="https://github.com/rust-lang/libc/blob/0.2.175/CHANGELOG.md">libc's
    changelog</a>.</em></p>
    <blockquote>
    <h2><a
    href="https://github.com/rust-lang/libc/compare/0.2.174...0.2.175">0.2.175</a>
    - 2025-08-10</h2>
    <h3>Added</h3>
    <ul>
    <li>AIX: Add <code>getpeereid</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4524">#4524</a>)</li>
    <li>AIX: Add <code>struct ld_info</code> and friends (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4578">#4578</a>)</li>
    <li>AIX: Retore <code>struct winsize</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4577">#4577</a>)</li>
    <li>Android: Add UDP socket option constants (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4619">#4619</a>)</li>
    <li>Android: Add <code>CLONE_CLEAR_SIGHAND</code> and
    <code>CLONE_INTO_CGROUP</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4502">#4502</a>)</li>
    <li>Android: Add more <code>prctl</code> constants (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4531">#4531</a>)</li>
    <li>FreeBSD Add further TCP stack-related constants (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4196">#4196</a>)</li>
    <li>FreeBSD x86-64: Add <code>mcontext_t.mc_tlsbase </code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4503">#4503</a>)</li>
    <li>FreeBSD15: Add <code>kinfo_proc.ki_uerrmsg</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4552">#4552</a>)</li>
    <li>FreeBSD: Add <code>in_conninfo</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li>
    <li>FreeBSD: Add <code>xinpgen</code> and related types (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li>
    <li>FreeBSD: Add <code>xktls_session</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li>
    <li>Haiku: Add functionality from <code>libbsd</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4221">#4221</a>)</li>
    <li>Linux: Add <code>SECBIT_*</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4480">#4480</a>)</li>
    <li>NetBSD, OpenBSD: Export <code>ioctl</code> request generator macros
    (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4460">#4460</a>)</li>
    <li>NetBSD: Add <code>ptsname_r</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4608">#4608</a>)</li>
    <li>RISCV32: Add time-related syscalls (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4612">#4612</a>)</li>
    <li>Solarish: Add <code>strftime*</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4453">#4453</a>)</li>
    <li>linux: Add <code>EXEC_RESTRICT_*</code> and <code>EXEC_DENY_*</code>
    (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4545">#4545</a>)</li>
    </ul>
    <h3>Changed</h3>
    <ul>
    <li>AIX: Add <code>const</code> to signatures to be consistent with
    other platforms (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4563">#4563</a>)</li>
    </ul>
    <h3>Fixed</h3>
    <ul>
    <li>AIX: Fix the type of <code>struct statvfs.f_fsid</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4576">#4576</a>)</li>
    <li>AIX: Fix the type of constants for the <code>ioctl</code>
    <code>request</code> argument (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4582">#4582</a>)</li>
    <li>AIX: Fix the types of <code>stat{,64}.st_*tim</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4597">#4597</a>)</li>
    <li>AIX: Use unique <code>errno</code> values (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4507">#4507</a>)</li>
    <li>Build: Fix an incorrect <code>target_os</code> -&gt;
    <code>target_arch</code> check (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4550">#4550</a>)</li>
    <li>FreeBSD: Fix the type of <code>xktls_session_onedir.ifnet</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4552">#4552</a>)</li>
    <li>Mips64 musl: Fix the type of <code>nlink_t</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4509">#4509</a>)</li>
    <li>Mips64 musl: Use a special MIPS definition of <code>stack_t</code>
    (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4528">#4528</a>)</li>
    <li>Mips64: Fix <code>SI_TIMER</code>, <code>SI_MESGQ</code> and
    <code>SI_ASYNCIO</code> definitions (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4529">#4529</a>)</li>
    <li>Musl Mips64: Swap the order of <code>si_errno</code> and
    <code>si_code</code> in <code>siginfo_t</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4530">#4530</a>)</li>
    <li>Musl Mips64: Use a special MIPS definition of <code>statfs</code>
    (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4527">#4527</a>)</li>
    <li>Musl: Fix the definition of <code>fanotify_event_metadata</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4510">#4510</a>)</li>
    <li>NetBSD: Correct <code>enum fae_action</code> to be
    <code>#[repr(C)]</code> (<a
    href="https://github.com/rust-lang/libc/commit/60a8cfd564f83164d45b9533ff7a0d7371878f2a">#60a8cfd5</a>)</li>
    <li>PSP: Correct <code>char</code> -&gt; <code>c_char</code> (<a
    href="https://github.com/rust-lang/libc/commit/eaab4fc3f05dc646a953d4fd5ba46dfa1f8bd6f6">eaab4fc3</a>)</li>
    <li>PowerPC musl: Fix <code>termios</code> definitions (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4518">#4518</a>)</li>
    <li>PowerPC musl: Fix the definition of <code>EDEADLK</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4517">#4517</a>)</li>
    <li>PowerPC musl: Fix the definition of <code>NCCS</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4513">#4513</a>)</li>
    <li>PowerPC musl: Fix the definitions of <code>MAP_LOCKED</code> and
    <code>MAP_NORESERVE</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4516">#4516</a>)</li>
    <li>PowerPC64 musl: Fix the definition of <code>shmid_ds</code> (<a
    href="https://redirect.github.com/rust-lang/libc/pull/4519">#4519</a>)</li>
    </ul>
    <!-- raw HTML omitted -->
    </blockquote>
    <p>... (truncated)</p>
    </details>
    <details>
    <summary>Commits</summary>
    <ul>
    <li><a
    href="https://github.com/rust-lang/libc/commit/84e26e6b166a6634d679fbf44e957102846b8a03"><code>84e26e6</code></a>
    Update the lockfile</li>
    <li><a
    href="https://github.com/rust-lang/libc/commit/4d04aee906450fed27305de30c23f518166f919f"><code>4d04aee</code></a>
    chore: release libc 0.2.175</li>
    <li><a
    href="https://github.com/rust-lang/libc/commit/94a7f32972a352fe348edbd49b06995542f3c5f5"><code>94a7f32</code></a>
    cleanup: Format a file that was missed</li>
    <li><a
    href="https://github.com/rust-lang/libc/commit/172527344a1d92b2ca7f88fe2b1bbde4b02de58b"><code>1725273</code></a>
    Rename the ctest file from <code>main</code> to <code>ctest</code></li>
    <li><a
    href="https://github.com/rust-lang/libc/commit/e9b021b7cd3d3f045ce8ec743d344e56b14f7244"><code>e9b021b</code></a>
    freebsd adding further TCP stack related constants.</li>
    <li><a
    href="https://github.com/rust-lang/libc/commit/9606a2918b1f370119af8022d61b0ff03175beb5"><code>9606a29</code></a>
    freebsd15: Add ki_uerrmsg to struct kinfo_proc</li>
    <li><a
    href="https://github.com/rust-lang/libc/commit/2816bc2f66c1c62ec5a616fb499a2b27bbba4a3c"><code>2816bc2</code></a>
    libc-test: include sys/ktls.h on freebsd</li>
    <li><a
    href="https://github.com/rust-lang/libc/commit/adfe283365cff1c6a05cddeca8afeaa667d1c637"><code>adfe283</code></a>
    libc-test: Account for xktls_session_onedir::gen (freebsd)</li>
    <li><a
    href="https://github.com/rust-lang/libc/commit/4cc1bf43310e6a31636e4c4eb31e78e702938f50"><code>4cc1bf4</code></a>
    freebsd: Document avoidance of reserved name <code>gen</code></li>
    <li><a
    href="https://github.com/rust-lang/libc/commit/7cdcaa62396816db2177cb663a4bf57f79603a52"><code>7cdcaa6</code></a>
    freebsd: Fix type of struct xktls_session_onedir, field ifnet</li>
    <li>Additional commits viewable in <a
    href="https://github.com/rust-lang/libc/compare/0.2.174...0.2.175">compare
    view</a></li>
    </ul>
    </details>
    <br />
    
    
    [![Dependabot compatibility
    score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=libc&package-manager=cargo&previous-version=0.2.174&new-version=0.2.175)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
    
    Dependabot will resolve any conflicts with this PR as long as you don't
    alter it yourself. You can also trigger a rebase manually by commenting
    `@dependabot rebase`.
    
    [//]: # (dependabot-automerge-start)
    [//]: # (dependabot-automerge-end)
    
    ---
    
    <details>
    <summary>Dependabot commands and options</summary>
    <br />
    
    You can trigger Dependabot actions by commenting on this PR:
    - `@dependabot rebase` will rebase this PR
    - `@dependabot recreate` will recreate this PR, overwriting any edits
    that have been made to it
    - `@dependabot merge` will merge this PR after your CI passes on it
    - `@dependabot squash and merge` will squash and merge this PR after
    your CI passes on it
    - `@dependabot cancel merge` will cancel a previously requested merge
    and block automerging
    - `@dependabot reopen` will reopen this PR if it is closed
    - `@dependabot close` will close this PR and stop Dependabot recreating
    it. You can achieve the same result by closing it manually
    - `@dependabot show <dependency name> ignore conditions` will show all
    of the ignore conditions of the specified dependency
    - `@dependabot ignore this major version` will close this PR and stop
    Dependabot creating any more for this major version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this minor version` will close this PR and stop
    Dependabot creating any more for this minor version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this dependency` will close this PR and stop
    Dependabot creating any more for this dependency (unless you reopen the
    PR or upgrade to it yourself)
    
    
    </details>
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • Added allow-expect-in-tests / allow-unwrap-in-tests (#2328)
    This PR:
    * Added the clippy.toml to configure allowable expect / unwrap usage in
    tests
    * Removed as many expect/allow lines as possible from tests
    * moved a bunch of allows to expects where possible
    
    Note: in integration tests, non `#[test]` helper functions are not
    covered by this so we had to leave a few lingering `expect(expect_used`
    checks around
  • Fix AF_UNIX, sockpair, recvfrom in linux sandbox (#2309)
    When using codex-tui on a linux system I was unable to run `cargo
    clippy` inside of codex due to:
    ```
    [pid 3548377] socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0,  <unfinished ...>
    [pid 3548370] close(8 <unfinished ...>
    [pid 3548377] <... socketpair resumed>0x7ffb97f4ed60) = -1 EPERM (Operation not permitted)
    ```
    And
    ```
    3611300 <... recvfrom resumed>0x708b8b5cffe0, 8, 0, NULL, NULL) = -1 EPERM (Operation not permitted)
    ```
    
    This PR:
    * Fixes a bug that disallowed AF_UNIX to allow it on `socket()`
    * Adds recvfrom() to the syscall allow list, this should be fine since
    we disable opening new sockets. But we should validate there is not a
    open socket inheritance issue.
    * Allow socketpair to be called for AF_UNIX
    * Adds tests for AF_UNIX components
    * All of which allows running `cargo clippy` within the sandbox on
    linux, and possibly other tooling using a fork server model + AF_UNIX
    comms.
  • chore: introduce ConversationManager as a clearinghouse for all conversations (#2240)
    This PR does two things because after I got deep into the first one I
    started pulling on the thread to the second:
    
    - Makes `ConversationManager` the place where all in-memory
    conversations are created and stored. Previously, `MessageProcessor` in
    the `codex-mcp-server` crate was doing this via its `session_map`, but
    this is something that should be done in `codex-core`.
    - It unwinds the `ctrl_c: tokio::sync::Notify` that was threaded
    throughout our code. I think this made sense at one time, but now that
    we handle Ctrl-C within the TUI and have a proper `Op::Interrupt` event,
    I don't think this was quite right, so I removed it. For `codex exec`
    and `codex proto`, we now use `tokio::signal::ctrl_c()` directly, but we
    no longer make `Notify` a field of `Codex` or `CodexConversation`.
    
    Changes of note:
    
    - Adds the files `conversation_manager.rs` and `codex_conversation.rs`
    to `codex-core`.
    - `Codex` and `CodexSpawnOk` are no longer exported from `codex-core`:
    other crates must use `CodexConversation` instead (which is created via
    `ConversationManager`).
    - `core/src/codex_wrapper.rs` has been deleted in favor of
    `ConversationManager`.
    - `ConversationManager::new_conversation()` returns `NewConversation`,
    which is in line with the `new_conversation` tool we want to add to the
    MCP server. Note `NewConversation` includes `SessionConfiguredEvent`, so
    we eliminate checks in cases like `codex-rs/core/tests/client.rs` to
    verify `SessionConfiguredEvent` is the first event because that is now
    internal to `ConversationManager`.
    - Quite a bit of code was deleted from
    `codex-rs/mcp-server/src/message_processor.rs` since it no longer has to
    manage multiple conversations itself: it goes through
    `ConversationManager` instead.
    - `core/tests/live_agent.rs` has been deleted because I had to update a
    bunch of tests and all the tests in here were ignored, and I don't think
    anyone ever ran them, so this was just technical debt, at this point.
    - Removed `notify_on_sigint()` from `util.rs` (and in a follow-up, I
    hope to refactor the blandly-named `util.rs` into more descriptive
    files).
    - In general, I started replacing local variables named `codex` as
    `conversation`, where appropriate, though admittedly I didn't do it
    through all the integration tests because that would have added a lot of
    noise to this PR.
    
    
    
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/2240).
    * #2264
    * #2263
    * __->__ #2240
  • Include output truncation message in tool call results (#2183)
    To avoid model being confused about incomplete output.
  • feat: add /tmp by default (#1919)
    Replaces the `include_default_writable_roots` option on
    `sandbox_workspace_write` (that defaulted to `true`, which was slightly
    weird/annoying) with `exclude_tmpdir_env_var`, which defaults to
    `false`.
    
    Though perhaps more importantly `/tmp` is now enabled by default as part
    of `sandbox_mode = "workspace-write"`, though `exclude_slash_tmp =
    false` can be used to disable this.
  • [approval_policy] Add OnRequest approval_policy (#1865)
    ## Summary
    A split-up PR of #1763 , stacked on top of a tools refactor #1858 to
    make the change clearer. From the previous summary:
    
    > Let's try something new: tell the model about the sandbox, and let it
    decide when it will need to break the sandbox. Some local testing
    suggests that it works pretty well with zero iteration on the prompt!
    
    ## Testing
    - [x] Added unit tests
    - [x] Tested locally and it appears to work smoothly!
  • feat: make .git read-only within a writable root when using Seatbelt (#1765)
    To make `--full-auto` safer, this PR updates the Seatbelt policy so that
    a `SandboxPolicy` with a `writable_root` that contains a `.git/`
    _directory_ will make `.git/` _read-only_ (though as a follow-up, we
    should also consider the case where `.git` is a _file_ with a `gitdir:
    /path/to/actual/repo/.git` entry that should also be protected).
    
    The two major changes in this PR:
    
    - Updating `SandboxPolicy::get_writable_roots_with_cwd()` to return a
    `Vec<WritableRoot>` instead of a `Vec<PathBuf>` where a `WritableRoot`
    can specify a list of read-only subpaths.
    - Updating `create_seatbelt_command_args()` to honor the read-only
    subpaths in `WritableRoot`.
    
    The logic to update the policy is a fairly straightforward update to
    `create_seatbelt_command_args()`, but perhaps the more interesting part
    of this PR is the introduction of an integration test in
    `tests/sandbox.rs`. Leveraging the new API in #1785, we test
    `SandboxPolicy` under various conditions, including ones where `$TMPDIR`
    is not readable, which is critical for verifying the new behavior.
    
    To ensure that Codex can run its own tests, e.g.:
    
    ```
    just codex debug seatbelt --full-auto -- cargo test if_git_repo_is_writable_root_then_dot_git_folder_is_read_only
    ```
    
    I had to introduce the use of `CODEX_SANDBOX=sandbox`, which is
    comparable to how `CODEX_SANDBOX_NETWORK_DISABLED=1` was already being
    used.
    
    Adding a comparable change for Landlock will be done in a subsequent PR.