Add workspace metadata protection policy primitive #19846
evawong-oai wants to merge 1 commit into main from
💡 Codex Review
codex/codex-rs/protocol/src/permissions.rs
Lines 726 to 728 in ab4b378
needs_direct_runtime_enforcement decides compatibility by comparing semantic signatures, but preserved-name write denials are enforced in can_write_path_with_cwd and are not represented in the bridged legacy model. This can return false and skip direct enforcement even when .git/.agents/.codex writes should be blocked.
```rust
// Excerpt from codex-rs/protocol/src/permissions.rs at ab4b378, as quoted in the
// review. AbsolutePathBuf and preserved_path_name are not shown in the excerpt.
fn first_preserved_component(path: &Path) -> Option<(AbsolutePathBuf, &'static str)> {
    let mut candidate = PathBuf::new();
    for component in path.components() {
        candidate.push(component.as_os_str());
        // Stops at the first component anywhere in the path that is a preserved name.
        if let Some(preserved_name) = preserved_path_name(component.as_os_str()) {
            let absolute = AbsolutePathBuf::from_absolute_path(candidate).ok()?;
            return Some((absolute, preserved_name));
        }
    }
    None
}
```
Restrict preserved-name blocking to root-level metadata
can_write_path_with_cwd calls first_preserved_component, which scans all path components and denies writes whenever any component is .git, .agents, or .codex unless there is a deeper explicit rule. This blocks legitimate nested repo writes (e.g. /tmp/repo/.git/...) under otherwise writable roots, so common flows like cloning in /tmp regress.
Summary
Add a policy primitive for protected workspace metadata names so writable roots can reserve `.git`, `.codex`, and `.agents` before platform sandbox code consumes the policy.

Scope
- `protected_metadata_names` to `WritableRoot`.
- `.git`, `.codex`, and `.agents`.

Reviewer Focus

Stack

Validation
- cargo test --manifest-path codex-rs/Cargo.toml -p codex-protocol permissions
- cargo fmt --manifest-path codex-rs/Cargo.toml --package codex-protocol --package codex-linux-sandbox
- git diff --check
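The following is an added illustration, not code from this PR or the codex-rs crate: a hypothetical `WritableRoot` model with `protected_metadata_names` that contrasts the any-component check quoted in the review (which denies `/tmp/repo/.git/config` under a writable `/tmp`) with a root-level check that reserves the metadata names only as direct children of the writable root, which is the behaviour the review asks for.

```rust
use std::path::{Component, Path, PathBuf};

/// Hypothetical writable root that reserves a set of metadata names.
struct WritableRoot {
    root: PathBuf,
    protected_metadata_names: Vec<&'static str>,
}

impl WritableRoot {
    fn new(root: &str) -> Self {
        Self {
            root: PathBuf::from(root),
            protected_metadata_names: vec![".git", ".codex", ".agents"],
        }
    }

    fn is_protected_name(&self, c: Component) -> bool {
        self.protected_metadata_names.iter().any(|n| c.as_os_str() == *n)
    }

    /// Any-component check, mirroring the reviewed excerpt: a write is denied
    /// when any component below the root is a protected name, so nested
    /// repositories such as /tmp/repo/.git/... are blocked too.
    fn write_denied_any_component(&self, path: &Path) -> bool {
        match path.strip_prefix(&self.root) {
            Ok(rel) => rel.components().any(|c| self.is_protected_name(c)),
            Err(_) => true, // outside this writable root: never writable here
        }
    }

    /// Root-level check suggested by the review: only a protected name that is
    /// a direct child of the writable root is reserved.
    fn write_denied_root_level(&self, path: &Path) -> bool {
        match path.strip_prefix(&self.root) {
            Ok(rel) => rel.components().next().map_or(false, |c| self.is_protected_name(c)),
            Err(_) => true,
        }
    }
}

fn main() {
    let root = WritableRoot::new("/tmp");
    let nested = Path::new("/tmp/repo/.git/config"); // constructed sample path
    println!("any-component denies nested clone: {}", root.write_denied_any_component(nested));
    println!("root-level denies nested clone:    {}", root.write_denied_root_level(nested));
}
```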