Refactor execpolicy fallback evaluation (openai#7544)

## Refactor of the `execpolicy` crate

To illustrate why we need this refactor, consider an agent attempting to
run `apple | rm -rf ./`. Suppose `apple` is allowed by `execpolicy`.
Before this PR, `execpolicy` would consider `apple` and `pear` and only
render one rule match: `Allow`. We would skip any heuristics checks on
`rm -rf ./` and immediately approve `apple | rm -rf ./` to run.

To fix this, we now thread a `fallback` evaluation function into
`execpolicy` that runs when no `execpolicy` rules match a given command.
In our example, we would run `fallback` on `rm -rf ./` and prevent
`apple | rm -rf ./` from being run without approval.

Author: zhao-oai

codex-rs/app-server/src/bespoke_event_handling.rs

@@ -179,7 +179,7 @@ pub(crate) async fn apply_bespoke_event_handling(
             cwd,
             reason,
             risk,
-            allow_prefix: _allow_prefix,
+            proposed_execpolicy_amendment: _,
             parsed_cmd,
         }) => match api_version {
             ApiVersion::V1 => {

codex-rs/cli/tests/execpolicy.rs

@@ -40,17 +40,15 @@ prefix_rule(
     assert_eq!(
         result,
         json!({
-            "match": {
-                "decision": "forbidden",
-                "matchedRules": [
-                    {
-                        "prefixRuleMatch": {
-                            "matchedPrefix": ["git", "push"],
-                            "decision": "forbidden"
-                        }
+            "decision": "forbidden",
+            "matchedRules": [
+                {
+                    "prefixRuleMatch": {
+                        "matchedPrefix": ["git", "push"],
+                        "decision": "forbidden"
                     }
-                ]
-            }
+                }
+            ]
         })
     );
 

codex-rs/core/src/apply_patch.rs

@@ -71,7 +71,7 @@ pub(crate) async fn apply_patch(
                 .await;
             match rx_approve.await.unwrap_or_default() {
                 ReviewDecision::Approved
-                | ReviewDecision::ApprovedAllowPrefix { .. }
+                | ReviewDecision::ApprovedExecpolicyAmendment { .. }
                 | ReviewDecision::ApprovedForSession => {
                     InternalApplyPatchInvocation::DelegateToExec(ApplyPatchExec {
                         action,

codex-rs/core/src/codex.rs

@@ -25,6 +25,7 @@ use crate::util::error_or_panic;
 use async_channel::Receiver;
 use async_channel::Sender;
 use codex_protocol::ConversationId;
+use codex_protocol::approvals::ExecPolicyAmendment;
 use codex_protocol::items::TurnItem;
 use codex_protocol::protocol::FileChange;
 use codex_protocol::protocol::HasLegacyEvent;
@@ -871,13 +872,11 @@ impl Session {
         .await
     }
 
-    /// Adds a prefix rule to the exec policy
-    ///
-    /// This mutates the in-memory execpolicy so the current conversation can use the new
-    /// prefix and persists the change in default.execpolicy so new conversations will also allow the new prefix.
-    pub(crate) async fn persist_command_allow_prefix(
+    /// Adds an execpolicy amendment to both the in-memory and on-disk policies so future
+    /// commands can use the newly approved prefix.
+    pub(crate) async fn persist_execpolicy_amendment(
         &self,
-        prefix: &[String],
+        amendment: &ExecPolicyAmendment,
     ) -> Result<(), ExecPolicyUpdateError> {
         let features = self.features.clone();
         let (codex_home, current_policy) = {
@@ -897,10 +896,10 @@ impl Session {
             return Err(ExecPolicyUpdateError::FeatureDisabled);
         }
 
-        crate::exec_policy::append_allow_prefix_rule_and_update(
+        crate::exec_policy::append_execpolicy_amendment_and_update(
             &codex_home,
             &current_policy,
-            prefix,
+            &amendment.command,
         )
         .await?;
 
@@ -921,7 +920,7 @@ impl Session {
         cwd: PathBuf,
         reason: Option<String>,
         risk: Option<SandboxCommandAssessment>,
-        allow_prefix: Option<Vec<String>>,
+        proposed_execpolicy_amendment: Option<ExecPolicyAmendment>,
     ) -> ReviewDecision {
         let sub_id = turn_context.sub_id.clone();
         // Add the tx_approve callback to the map before sending the request.
@@ -949,7 +948,7 @@ impl Session {
             cwd,
             reason,
             risk,
-            allow_prefix,
+            proposed_execpolicy_amendment,
             parsed_cmd,
         });
         self.send_event(turn_context, event).await;
@@ -1672,13 +1671,17 @@ mod handlers {
         }
     }
 
-    /// Propagate a user's exec approval decision to the session
-    /// Also optionally whitelists command in execpolicy
+    /// Propagate a user's exec approval decision to the session.
+    /// Also optionally applies an execpolicy amendment.
     pub async fn exec_approval(sess: &Arc<Session>, id: String, decision: ReviewDecision) {
-        if let ReviewDecision::ApprovedAllowPrefix { allow_prefix } = &decision
-            && let Err(err) = sess.persist_command_allow_prefix(allow_prefix).await
+        if let ReviewDecision::ApprovedExecpolicyAmendment {
+            proposed_execpolicy_amendment,
+        } = &decision
+            && let Err(err) = sess
+                .persist_execpolicy_amendment(proposed_execpolicy_amendment)
+                .await
         {
-            let message = format!("Failed to update execpolicy allow list: {err}");
+            let message = format!("Failed to apply execpolicy amendment: {err}");
             tracing::warn!("{message}");
             let warning = EventMsg::Warning(WarningEvent { message });
             sess.send_event_raw(Event {

codex-rs/core/src/codex_delegate.rs

@@ -281,7 +281,7 @@ async fn handle_exec_approval(
         event.cwd,
         event.reason,
         event.risk,
-        event.allow_prefix,
+        event.proposed_execpolicy_amendment,
     );
     let decision = await_approval_with_cancel(
         approval_fut,