Skip to content

guide Windows to use -WindowStyle Hidden for Start-Process calls #19044

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
iceweasel-oai merged 4 commits into from
Apr 23, 2026
+12 −11
Merged

guide Windows to use -WindowStyle Hidden for Start-Process calls #19044

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5aea783
guide Windows to use -WindowStyle Hidden for Start-Process calls
iceweasel-oai Apr 22, 2026
a301c30
cargo fmt
iceweasel-oai Apr 22, 2026
c771eda
fix tests.
iceweasel-oai Apr 22, 2026
70ce000
Fix Windows exec_command spec test
iceweasel-oai Apr 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 6 additions & 5 deletions codex-rs/tools/src/local_tool.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ pub fn create_exec_command_tool(options: CommandToolOptions) -> ToolSpec {
description: if cfg!(windows) {
format!(
"Runs a command in a PTY, returning output or a session ID for ongoing interaction.\n\n{}",
windows_destructive_filesystem_guidance()
windows_shell_guidance()
)
} else {
"Runs a command in a PTY, returning output or a session ID for ongoing interaction."
Expand Down Expand Up @@ -173,7 +173,7 @@ Examples of valid command strings:
- running an inline Python script: ["powershell.exe", "-Command", "@'\\nprint('Hello, world!')\\n'@ | python -"]

{}"#,
windows_destructive_filesystem_guidance()
windows_shell_guidance()
)
} else {
r#"Runs a shell command and returns its output.
Expand Down Expand Up @@ -244,7 +244,7 @@ Examples of valid command strings:
- running an inline Python script: "@'\\nprint('Hello, world!')\\n'@ | python -"

{}"#,
windows_destructive_filesystem_guidance()
windows_shell_guidance()
)
} else {
r#"Runs a shell command and returns its output.
Expand Down Expand Up @@ -421,10 +421,11 @@ fn file_system_permissions_schema() -> JsonSchema {
)
}

fn windows_destructive_filesystem_guidance() -> &'static str {
fn windows_shell_guidance() -> &'static str {
r#"Windows safety rules:
- Do not compose destructive filesystem commands across shells. Do not enumerate paths in PowerShell and then pass them to `cmd /c`, batch builtins, or another shell for deletion or moving. Use one shell end-to-end, prefer native PowerShell cmdlets such as `Remove-Item` / `Move-Item` with `-LiteralPath`, and avoid string-built shell commands for file operations.
- Before any recursive delete or move on Windows, verify the resolved absolute target paths stay within the intended workspace or explicitly named target directory. Never issue a recursive delete or move against a computed path if the final target has not been checked."#
- Before any recursive delete or move on Windows, verify the resolved absolute target paths stay within the intended workspace or explicitly named target directory. Never issue a recursive delete or move against a computed path if the final target has not been checked.
- When using `Start-Process` to launch a background helper or service, pass `-WindowStyle Hidden` unless the user explicitly asked for a visible interactive window. Use visible windows only for interactive tools the user needs to see or control."#
}

#[cfg(test)]
Expand Down
12 changes: 6 additions & 6 deletions codex-rs/tools/src/local_tool_tests.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@ use super::*;
use pretty_assertions::assert_eq;
use std::collections::BTreeMap;

fn windows_shell_safety_description() -> String {
format!("\n\n{}", windows_destructive_filesystem_guidance())
fn windows_shell_guidance_description() -> String {
format!("\n\n{}", windows_shell_guidance())
}

#[test]
Expand All @@ -24,7 +24,7 @@ Examples of valid command strings:
- setting an env var: ["powershell.exe", "-Command", "$env:FOO='bar'; echo $env:FOO"]
- running an inline Python script: ["powershell.exe", "-Command", "@'\\nprint('Hello, world!')\\n'@ | python -"]"#
.to_string()
+ &windows_shell_safety_description()
+ &windows_shell_guidance_description()
} else {
r#"Runs a shell command and returns its output.
- The arguments to `shell` will be passed to execvp(). Most terminal commands should be prefixed with ["bash", "-lc"].
Expand Down Expand Up @@ -101,7 +101,7 @@ fn exec_command_tool_matches_expected_spec() {
let description = if cfg!(windows) {
format!(
"Runs a command in a PTY, returning output or a session ID for ongoing interaction.{}",
windows_shell_safety_description()
windows_shell_guidance_description()
)
} else {
"Runs a command in a PTY, returning output or a session ID for ongoing interaction."
Expand Down Expand Up @@ -269,7 +269,7 @@ Examples of valid command strings:
- running an inline Python script: ["powershell.exe", "-Command", "@'\\nprint('Hello, world!')\\n'@ | python -"]

{}"#,
windows_destructive_filesystem_guidance()
windows_shell_guidance()
)
} else {
r#"Runs a shell command and returns its output.
Expand Down Expand Up @@ -346,7 +346,7 @@ Examples of valid command strings:
- setting an env var: "$env:FOO='bar'; echo $env:FOO"
- running an inline Python script: "@'\\nprint('Hello, world!')\\n'@ | python -""#
.to_string()
+ &windows_shell_safety_description()
+ &windows_shell_guidance_description()
} else {
r#"Runs a shell command and returns its output.
- Always set the `workdir` param when using the shell_command function. Do not use `cd` unless absolutely necessary."#
Expand Down
Loading