core(exec): use libc signals + cfg(target_family="unix"); robust SIGSYS gating; fix sandbox detection; correct macOS test

  - Replace hardcoded signal numbers with libc on Unix:
      - SIGINT/SIGABRT/SIGBUS/SIGFPE/SIGKILL/SIGSEGV/SIGPIPE/SIGTERM/SIGSYS now come from libc.
      - Grouped under a unix_sig module and re-exported; eliminates repeated per-line cfgs.
      - Keep non‑Unix fallback SIGKILL_CODE=9 for synthesized 128+9 behavior.
  - Gate platform logic cleanly:
      - Use cfg(target_family = "unix") around Unix-only paths.
      - All SIGSYS uses now compile on every Unix, avoiding previous linux/macos-only symbol gaps.
      - Tests updated to gate the SIGSYS codepath on target_family = "unix".
  - Improve sandbox classification:
      - Prefer stderr hints first: treat “sandbox: deny”, “seccomp”, and common OS errors (“operation not permitted”, “permission denied”, “read-only file system”) as LikelySandbox.
      - Defer SIGSYS handling only when a sandbox was requested; otherwise treat non-timeout signals as immediate errors.
      - Shell-style SIGSYS exit (128 + SIGSYS) recognized on all Unix targets.
  - Formatting/truncation remains centralized:
      - No changes to output shaping other than classifying sandbox denials earlier so user-facing messages are consistent (“failed in sandbox: …”).
  - Tests:
      - Correct an especially egregious path typo in macOS seatbelt exec test:
          - core/tests/suite/exec.rs: "/user/bin/touch" → "/usr/bin/touch".
          - This was likely a typo; if it was intentional for a specific scenario, we can reintroduce it behind an explicit comment/cfg. As‑is it prevented the test from exercising the intended read‑only denial
            and instead looked like a missing-binary edge case.
  - Misc:
      - Ran just fmt and just fix -p codex-core; clippy autofixed exec.rs (9 fixes).
      - Verified codex-core builds; project tests run, with unrelated existing failures unchanged.

  Rationale

  - Avoids Windows/*BSD build breaks from SIGSYS references while keeping behavior correct on Linux/macOS.
  - libc keeps signal numbers portable; grouping reduces cfg noise and maintenance risk.
  - Earlier stderr-based sandbox detection makes the shell tool denial UX match expectations even when the sandbox blocks before the child produces long output.

Author: imajes

codex-rs/core/src/exec.rs

@@ -39,15 +39,15 @@ const EXIT_NOT_EXECUTABLE_CODE: i32 = 126; // "found but not executable"/shebang
 // Unix signal constants via libc (grouped), including SIGSYS. These are only available on Unix.
 #[cfg(target_family = "unix")]
 mod unix_sig {
-    pub const SIGINT_CODE: i32 = libc::SIGINT as i32; // Ctrl-C / interrupt
-    pub const SIGABRT_CODE: i32 = libc::SIGABRT as i32; // abort
-    pub const SIGBUS_CODE: i32 = libc::SIGBUS as i32; // bus error
-    pub const SIGFPE_CODE: i32 = libc::SIGFPE as i32; // floating point exception
-    pub const SIGSEGV_CODE: i32 = libc::SIGSEGV as i32; // segmentation fault
-    pub const SIGPIPE_CODE: i32 = libc::SIGPIPE as i32; // broken pipe
-    pub const SIGTERM_CODE: i32 = libc::SIGTERM as i32; // termination
-    pub const SIGKILL_CODE: i32 = libc::SIGKILL as i32;
-    pub const SIGSYS_CODE: i32 = libc::SIGSYS as i32;
+    pub const SIGINT_CODE: i32 = libc::SIGINT; // Ctrl-C / interrupt
+    pub const SIGABRT_CODE: i32 = libc::SIGABRT; // abort
+    pub const SIGBUS_CODE: i32 = libc::SIGBUS; // bus error
+    pub const SIGFPE_CODE: i32 = libc::SIGFPE; // floating point exception
+    pub const SIGSEGV_CODE: i32 = libc::SIGSEGV; // segmentation fault
+    pub const SIGPIPE_CODE: i32 = libc::SIGPIPE; // broken pipe
+    pub const SIGTERM_CODE: i32 = libc::SIGTERM; // termination
+    pub const SIGKILL_CODE: i32 = libc::SIGKILL;
+    pub const SIGSYS_CODE: i32 = libc::SIGSYS;
 }
 #[cfg(target_family = "unix")]
 use unix_sig::*;
@@ -106,6 +106,11 @@ fn stderr_hints_sandbox(stderr: &str) -> bool {
         || s.contains("not permitted by sandbox")
         || s.contains("bad system call")
         || s.contains("seccomp")
+        // Less explicit, but commonly emitted by shells and tools when a seatbelt
+        // or seccomp policy blocks a write/open. Tests rely on these.
+        || s.contains("operation not permitted")
+        || s.contains("permission denied")
+        || s.contains("read-only file system")
 }
 
 fn sandbox_verdict(sandbox_type: SandboxType, status: ExitStatus, stderr: &str) -> SandboxVerdict {
@@ -134,6 +139,13 @@ fn sandbox_verdict(sandbox_type: SandboxType, status: ExitStatus, stderr: &str)
 
     let code = status.code().unwrap_or(-1);
 
+    // If stderr strongly hints at sandbox denial, prefer that classification even
+    // when the exit code is within generic BSD sysexits. This handles cases like
+    // macOS seatbelt failing early with "Operation not permitted".
+    if stderr_hints_sandbox(stderr) {
+        return SandboxVerdict::LikelySandbox;
+    }
+
     // Immediate NotSandbox codes
     // - 0: success
     // - 2: common "misuse of shell builtins"

codex-rs/core/tests/suite/exec.rs

@@ -118,7 +118,7 @@ async fn write_file_fails_as_sandbox_error() {
     let tmp = TempDir::new().expect("should be able to create temp dir");
     let path = tmp.path().join("test.txt");
     let cmd = vec![
-        "/user/bin/touch",
+        "/usr/bin/touch",
         path.to_str().expect("should be able to get path"),
     ];