Skip to content

feat(core): plumb distinct approval ids for command approvals#12051

Merged
owenlin0 merged 1 commit intomainfrom
owen/approval_id_plumbing2
Feb 18, 2026
Merged

feat(core): plumb distinct approval ids for command approvals#12051
owenlin0 merged 1 commit intomainfrom
owen/approval_id_plumbing2

Conversation

@owenlin0
Copy link
Collaborator

@owenlin0 owenlin0 commented Feb 17, 2026

zsh fork PR stack:

With upcoming support for a fork of zsh that allows us to intercept execve and run execpolicy checks for each subcommand as part of a CommandExecution, it will be possible for there to be multiple approval requests for a shell command like /path/to/zsh -lc 'git status && rg \"TODO\" src && make test'.

To support that, this PR introduces a new approval_id field across core, protocol, and app-server so that we can associate approvals properly for subcommands.

@owenlin0 owenlin0 force-pushed the owen/approval_id_plumbing2 branch from 7809050 to 16cb298 Compare February 17, 2026 23:23
@owenlin0 owenlin0 marked this pull request as ready for review February 17, 2026 23:23
@owenlin0 owenlin0 force-pushed the owen/approval_id_plumbing2 branch from 16cb298 to 9ecd1e9 Compare February 17, 2026 23:39
@owenlin0
Copy link
Collaborator Author

@codex review

Copy link
Contributor

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9ecd1e99f5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

let turn = ctx.turn;
let call_id = ctx.call_id.to_string();
Box::pin(async move {
with_cached_approval(&session.services, "shell", keys, move || async move {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe do this here for clarity:

let approval_id = call_id.clone();

Alternatively, it looks like request_command_approval() is close to needing a struct as a param?

/// The request is keyed by `approval_id` so matching responses are delivered
/// to the correct in-flight turn. If the task is aborted, this returns the
/// default `ReviewDecision` (`Denied`).
#[allow(clippy::too_many_arguments)]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it's time? It's too easy to accidentally switch call_id and approval_id, IMHO. Maybe in the next PR if not this one?

@owenlin0 owenlin0 force-pushed the owen/approval_id_plumbing2 branch 4 times, most recently from c538ea4 to 77e1e90 Compare February 18, 2026 01:18
#[ts(optional = nullable)]
pub reason: Option<String>,
/// The command to be executed.
#[serde(default, skip_serializing_if = "Option::is_none")]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@owenlin0 some, but not all, of these have is_none

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated to make it consistent

@owenlin0 owenlin0 force-pushed the owen/approval_id_plumbing2 branch 6 times, most recently from 2a312b7 to bfcf41b Compare February 18, 2026 01:36
@owenlin0 owenlin0 force-pushed the owen/approval_id_plumbing2 branch from bfcf41b to f3e0244 Compare February 18, 2026 01:42
@owenlin0 owenlin0 enabled auto-merge (squash) February 18, 2026 01:53
@owenlin0 owenlin0 merged commit db4d259 into main Feb 18, 2026
33 checks passed
@owenlin0 owenlin0 deleted the owen/approval_id_plumbing2 branch February 18, 2026 01:55
@github-actions github-actions bot locked and limited conversation to collaborators Feb 18, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants