Skip to content

Commit 2fddf02

Browse files
committed
core: expose permission profile to shell tools
1 parent f15df62 commit 2fddf02

7 files changed

Lines changed: 131 additions & 8 deletions

File tree

codex-rs/core/src/exec_env.rs

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,11 +2,16 @@ use codex_protocol::ThreadId;
22
#[cfg(test)]
33
use codex_protocol::config_types::EnvironmentVariablePattern;
44
use codex_protocol::config_types::ShellEnvironmentPolicy;
5+
use codex_protocol::models::ActivePermissionProfile;
56
use codex_protocol::shell_environment;
67
use std::collections::HashMap;
78

89
pub use codex_protocol::shell_environment::CODEX_THREAD_ID_ENV_VAR;
910

11+
/// Informational name of the active permission profile. Child processes can
12+
/// overwrite this value, so it must not be treated as proof of enforcement.
13+
pub const CODEX_PERMISSION_PROFILE_ENV_VAR: &str = "CODEX_PERMISSION_PROFILE";
14+
1015
/// Construct an environment map based on the rules in the specified policy. The
1116
/// resulting map can be passed directly to `Command::envs()` after calling
1217
/// `env_clear()` to ensure no unintended variables are leaked to the spawned
@@ -25,6 +30,24 @@ pub fn create_env(
2530
shell_environment::create_env(policy, thread_id.as_deref())
2631
}
2732

33+
/// Injects the selected named permission profile into a shell tool's environment.
34+
///
35+
/// This is applied after the shell environment policy so the runtime-selected
36+
/// profile wins over inherited or configured values.
37+
pub(crate) fn inject_permission_profile_env(
38+
env: &mut HashMap<String, String>,
39+
active_permission_profile: Option<&ActivePermissionProfile>,
40+
) {
41+
if let Some(active_permission_profile) = active_permission_profile {
42+
env.insert(
43+
CODEX_PERMISSION_PROFILE_ENV_VAR.to_string(),
44+
active_permission_profile.id.clone(),
45+
);
46+
} else {
47+
env.remove(CODEX_PERMISSION_PROFILE_ENV_VAR);
48+
}
49+
}
50+
2851
#[cfg(all(test, target_os = "windows"))]
2952
fn create_env_from_vars<I>(
3053
vars: I,

codex-rs/core/src/exec_env_tests.rs

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,37 @@ fn make_vars(pairs: &[(&str, &str)]) -> Vec<(String, String)> {
1010
.collect()
1111
}
1212

13+
#[test]
14+
fn inject_permission_profile_env_overrides_policy_value() {
15+
let mut env = HashMap::from([(
16+
CODEX_PERMISSION_PROFILE_ENV_VAR.to_string(),
17+
"stale-profile".to_string(),
18+
)]);
19+
20+
inject_permission_profile_env(
21+
&mut env,
22+
Some(&ActivePermissionProfile::new("current-profile")),
23+
);
24+
25+
assert_eq!(
26+
env.get(CODEX_PERMISSION_PROFILE_ENV_VAR)
27+
.map(String::as_str),
28+
Some("current-profile")
29+
);
30+
}
31+
32+
#[test]
33+
fn inject_permission_profile_env_removes_stale_value_without_active_profile() {
34+
let mut env = HashMap::from([(
35+
CODEX_PERMISSION_PROFILE_ENV_VAR.to_string(),
36+
"stale-profile".to_string(),
37+
)]);
38+
39+
inject_permission_profile_env(&mut env, /*active_permission_profile*/ None);
40+
41+
assert_eq!(env.get(CODEX_PERMISSION_PROFILE_ENV_VAR), None);
42+
}
43+
1344
#[test]
1445
fn test_core_inherit_defaults_keep_sensitive_vars() {
1546
let vars = make_vars(&[

codex-rs/core/src/tools/handlers/shell/shell_command.rs

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ use codex_utils_absolute_path::AbsolutePathBuf;
66
use crate::exec::ExecCapturePolicy;
77
use crate::exec::ExecParams;
88
use crate::exec_env::create_env;
9+
use crate::exec_env::inject_permission_profile_env;
910
use crate::function_tool::FunctionCallError;
1011
use crate::maybe_emit_implicit_skill_invocation;
1112
use crate::session::turn_context::TurnContext;
@@ -99,15 +100,19 @@ impl ShellCommandHandler {
99100
let use_login_shell = Self::resolve_use_login_shell(params.login, allow_login_shell)?;
100101
let command = Self::base_command(shell, &params.command, use_login_shell);
101102

103+
let mut env = create_env(
104+
&turn_context.config.permissions.shell_environment_policy,
105+
Some(session.thread_id),
106+
);
107+
let active_permission_profile = turn_context.config.permissions.active_permission_profile();
108+
inject_permission_profile_env(&mut env, active_permission_profile.as_ref());
109+
102110
Ok(ExecParams {
103111
command,
104112
cwd,
105113
expiration: params.timeout_ms.into(),
106114
capture_policy: ExecCapturePolicy::ShellTool,
107-
env: create_env(
108-
&turn_context.config.permissions.shell_environment_policy,
109-
Some(session.thread_id),
110-
),
115+
env,
111116
network: turn_context.network.clone(),
112117
network_environment_id: Some(turn_environment.environment_id.clone()),
113118
sandbox_permissions: params.sandbox_permissions.unwrap_or_default(),

codex-rs/core/src/tools/handlers/shell_tests.rs

Lines changed: 22 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,14 @@
11
use std::path::PathBuf;
22
use std::sync::Arc;
33

4+
use codex_protocol::models::ActivePermissionProfile;
45
use codex_protocol::models::ShellCommandToolCallParams;
56
use pretty_assertions::assert_eq;
67

8+
use crate::config::PermissionProfileSnapshot;
9+
use crate::exec_env::CODEX_PERMISSION_PROFILE_ENV_VAR;
710
use crate::exec_env::create_env;
11+
use crate::exec_env::inject_permission_profile_env;
812
use crate::sandboxing::SandboxPermissions;
913
use crate::session::step_context::StepContext;
1014
use crate::session::tests::make_session_and_context;
@@ -71,7 +75,15 @@ fn assert_safe(shell: &Shell, command: &str) {
7175

7276
#[tokio::test]
7377
async fn shell_command_handler_to_exec_params_uses_selected_environment() {
74-
let (session, turn_context) = make_session_and_context().await;
78+
let (session, mut turn_context) = make_session_and_context().await;
79+
let permission_profile = turn_context.config.permissions.permission_profile().clone();
80+
Arc::make_mut(&mut turn_context.config)
81+
.permissions
82+
.set_permission_profile_from_session_snapshot(PermissionProfileSnapshot::active(
83+
permission_profile,
84+
ActivePermissionProfile::new("test-profile"),
85+
))
86+
.expect("set active permission profile");
7587

7688
let command = "echo hello".to_string();
7789
let workdir = Some("subdir".to_string());
@@ -99,10 +111,12 @@ async fn shell_command_handler_to_exec_params_uses_selected_environment() {
99111
PathUri::from_abs_path(&selected_cwd),
100112
Some(selected_shell),
101113
);
102-
let expected_env = create_env(
114+
let mut expected_env = create_env(
103115
&turn_context.config.permissions.shell_environment_policy,
104116
Some(session.thread_id),
105117
);
118+
let active_permission_profile = turn_context.config.permissions.active_permission_profile();
119+
inject_permission_profile_env(&mut expected_env, active_permission_profile.as_ref());
106120

107121
let params = ShellCommandToolCallParams {
108122
command,
@@ -129,6 +143,12 @@ async fn shell_command_handler_to_exec_params_uses_selected_environment() {
129143
assert_eq!(exec_params.command, expected_command);
130144
assert_eq!(exec_params.cwd, expected_cwd);
131145
assert_eq!(exec_params.env, expected_env);
146+
assert_eq!(
147+
exec_params.env.get(CODEX_PERMISSION_PROFILE_ENV_VAR),
148+
active_permission_profile
149+
.as_ref()
150+
.map(|profile| &profile.id)
151+
);
132152
assert_eq!(exec_params.network, turn_context.network);
133153
assert_eq!(
134154
exec_params.network_environment_id.as_deref(),

codex-rs/core/src/tools/runtimes/mod.rs

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@ Module: runtimes
44
Concrete ToolRuntime implementations for specific tools. Each runtime stays
55
small and focused and reuses the orchestrator for approvals + sandbox + retry.
66
*/
7+
use crate::exec_env::CODEX_PERMISSION_PROFILE_ENV_VAR;
78
use crate::exec_env::CODEX_THREAD_ID_ENV_VAR;
89
use crate::sandboxing::SandboxPermissions;
910
use crate::shell::Shell;
@@ -287,8 +288,10 @@ pub(crate) fn maybe_wrap_shell_lc_with_snapshot(
287288
.map(|arg| format!(" '{}'", shell_single_quote(arg)))
288289
.collect::<String>();
289290
let mut override_env = explicit_env_overrides.clone();
290-
if let Some(thread_id) = env.get(CODEX_THREAD_ID_ENV_VAR) {
291-
override_env.insert(CODEX_THREAD_ID_ENV_VAR.to_string(), thread_id.clone());
291+
for key in [CODEX_THREAD_ID_ENV_VAR, CODEX_PERMISSION_PROFILE_ENV_VAR] {
292+
if let Some(value) = env.get(key) {
293+
override_env.insert(key.to_string(), value.clone());
294+
}
292295
}
293296
let (override_captures, override_exports) = build_override_exports(&override_env);
294297
let (proxy_captures, proxy_exports) = build_proxy_env_exports();

codex-rs/core/src/tools/runtimes/mod_tests.rs

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -534,6 +534,44 @@ fn maybe_wrap_shell_lc_with_snapshot_restores_codex_thread_id_from_env() {
534534
assert_eq!(String::from_utf8_lossy(&output.stdout), "nested-thread");
535535
}
536536

537+
#[test]
538+
fn maybe_wrap_shell_lc_with_snapshot_restores_permission_profile_from_env() {
539+
let dir = tempdir().expect("create temp dir");
540+
let snapshot_path = dir.path().join("snapshot.sh");
541+
std::fs::write(
542+
&snapshot_path,
543+
"# Snapshot file\nexport CODEX_PERMISSION_PROFILE='parent-profile'\n",
544+
)
545+
.expect("write snapshot");
546+
let (session_shell, shell_snapshot) =
547+
shell_with_snapshot(ShellType::Bash, "/bin/bash", snapshot_path.abs());
548+
let command = vec![
549+
"/bin/bash".to_string(),
550+
"-lc".to_string(),
551+
"printenv CODEX_PERMISSION_PROFILE".to_string(),
552+
];
553+
let env = HashMap::from([(
554+
CODEX_PERMISSION_PROFILE_ENV_VAR.to_string(),
555+
"current-profile".to_string(),
556+
)]);
557+
let rewritten = maybe_wrap_shell_lc_with_snapshot(
558+
&command,
559+
&session_shell,
560+
Some(&shell_snapshot),
561+
&HashMap::new(),
562+
&env,
563+
&RuntimePathPrepends::default(),
564+
);
565+
let output = Command::new(&rewritten[0])
566+
.args(&rewritten[1..])
567+
.env(CODEX_PERMISSION_PROFILE_ENV_VAR, "current-profile")
568+
.output()
569+
.expect("run rewritten command");
570+
571+
assert!(output.status.success(), "command failed: {output:?}");
572+
assert_eq!(String::from_utf8_lossy(&output.stdout), "current-profile\n");
573+
}
574+
537575
#[test]
538576
fn maybe_wrap_shell_lc_with_snapshot_restores_proxy_env_from_process_env() {
539577
let dir = tempdir().expect("create temp dir");

codex-rs/core/src/unified_exec/process_manager.rs

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ use uuid::Uuid;
1515
use crate::codex_thread::BackgroundTerminalInfo;
1616
use crate::exec_env::CODEX_THREAD_ID_ENV_VAR;
1717
use crate::exec_env::create_env;
18+
use crate::exec_env::inject_permission_profile_env;
1819
use crate::exec_policy::ExecApprovalRequest;
1920
use crate::sandboxing::ExecOptions;
2021
use crate::sandboxing::ExecRequest;
@@ -1110,6 +1111,8 @@ impl UnifiedExecProcessManager {
11101111
CODEX_THREAD_ID_ENV_VAR.to_string(),
11111112
context.session.thread_id.to_string(),
11121113
);
1114+
let active_permission_profile = context.turn.config.permissions.active_permission_profile();
1115+
inject_permission_profile_env(&mut env, active_permission_profile.as_ref());
11131116
let env = apply_unified_exec_env(env);
11141117
let exec_server_env_config = ExecServerEnvConfig {
11151118
policy: exec_env_policy_from_shell_policy(

0 commit comments

Comments
 (0)