[draft] first pass at tui integration

Author: zhao-oai

codex-rs/Cargo.lock

@@ -614,6 +614,7 @@ mod tests {
             parsed_cmd: vec![ParsedCommand::Unknown {
                 cmd: "echo hello".to_string(),
             }],
+            allow_prefix: None,
         };
         let request = ServerRequest::ExecCommandApproval {
             request_id: RequestId::Integer(7),

codex-rs/app-server-protocol/src/protocol/common.rs

@@ -228,6 +228,8 @@ pub struct ExecCommandApprovalParams {
     pub reason: Option<String>,
     pub risk: Option<SandboxCommandAssessment>,
     pub parsed_cmd: Vec<ParsedCommand>,
+    #[serde(skip_serializing_if = "Option::is_none", default)]
+    pub allow_prefix: Option<Vec<String>>,
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]

codex-rs/app-server-protocol/src/protocol/v1.rs

@@ -960,6 +960,8 @@ pub struct CommandExecutionRequestApprovalParams {
     pub reason: Option<String>,
     /// Optional model-provided risk assessment describing the blocked command.
     pub risk: Option<SandboxCommandAssessment>,
+    #[serde(skip_serializing_if = "Option::is_none", default)]
+    pub allow_prefix: Option<Vec<String>>,
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -969,6 +971,9 @@ pub struct CommandExecutionRequestAcceptSettings {
     /// If true, automatically approve this command for the duration of the session.
     #[serde(default)]
     pub for_session: bool,
+    /// If true, persist an allow rule for the provided prefix.
+    #[serde(default)]
+    pub allow_prefix_rule: bool,
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]

codex-rs/app-server-protocol/src/protocol/v2.rs

@@ -96,6 +96,7 @@ pub(crate) async fn apply_bespoke_event_handling(
             reason,
             risk,
             parsed_cmd,
+            allow_prefix,
         }) => match api_version {
             ApiVersion::V1 => {
                 let params = ExecCommandApprovalParams {
@@ -106,6 +107,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                     reason,
                     risk,
                     parsed_cmd,
+                    allow_prefix,
                 };
                 let rx = outgoing
                     .send_request(ServerRequestPayload::ExecCommandApproval(params))
@@ -123,6 +125,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                     item_id: call_id.clone(),
                     reason,
                     risk: risk.map(V2SandboxCommandAssessment::from),
+                    allow_prefix,
                 };
                 let rx = outgoing
                     .send_request(ServerRequestPayload::CommandExecutionRequestApproval(
@@ -540,13 +543,20 @@ async fn on_command_execution_request_approval_response(
         accept_settings,
     } = response;
 
-    let decision = match (decision, accept_settings) {
-        (ApprovalDecision::Accept, Some(settings)) if settings.for_session => {
-            ReviewDecision::ApprovedForSession
-        }
-        (ApprovalDecision::Accept, _) => ReviewDecision::Approved,
-        (ApprovalDecision::Decline, _) => ReviewDecision::Denied,
-        (ApprovalDecision::Cancel, _) => ReviewDecision::Abort,
+    let allow_prefix_rule = accept_settings
+        .as_ref()
+        .is_some_and(|settings| settings.allow_prefix_rule);
+    let for_session = accept_settings
+        .as_ref()
+        .map(|settings| settings.for_session)
+        .unwrap_or(false);
+
+    let decision = match (decision, allow_prefix_rule, for_session) {
+        (ApprovalDecision::Accept, true, _) => ReviewDecision::ApprovedAllowPrefix,
+        (ApprovalDecision::Accept, false, true) => ReviewDecision::ApprovedForSession,
+        (ApprovalDecision::Accept, false, false) => ReviewDecision::Approved,
+        (ApprovalDecision::Decline, _, _) => ReviewDecision::Denied,
+        (ApprovalDecision::Cancel, _, _) => ReviewDecision::Abort,
     };
     if let Err(err) = conversation
         .submit(Op::ExecApproval {

codex-rs/app-server/src/bespoke_event_handling.rs

@@ -278,6 +278,7 @@ async fn test_send_user_turn_changes_approval_policy_behavior() -> Result<()> {
             parsed_cmd: vec![ParsedCommand::Unknown {
                 cmd: "python3 -c 'print(42)'".to_string()
             }],
+            allow_prefix: None,
         },
         params
     );

codex-rs/app-server/tests/suite/codex_message_processor_flow.rs

@@ -70,7 +70,9 @@ pub(crate) async fn apply_patch(
                 )
                 .await;
             match rx_approve.await.unwrap_or_default() {
-                ReviewDecision::Approved | ReviewDecision::ApprovedForSession => {
+                ReviewDecision::Approved
+                | ReviewDecision::ApprovedAllowPrefix
+                | ReviewDecision::ApprovedForSession => {
                     InternalApplyPatchInvocation::DelegateToExec(ApplyPatchExec {
                         action,
                         user_explicitly_approved_this_action: true,

codex-rs/core/src/apply_patch.rs

@@ -574,6 +574,7 @@ impl Session {
             auth_manager: Arc::clone(&auth_manager),
             otel_event_manager,
             tool_approvals: Mutex::new(ApprovalStore::default()),
+            exec_policy_overrides: Mutex::new(Vec::new()),
         };
 
         let sess = Arc::new(Session {
@@ -846,11 +847,35 @@ impl Session {
         .await
     }
 
+    pub(crate) async fn remember_allowed_prefix(&self, prefix: &[String]) {
+        {
+            let mut overrides = self.services.exec_policy_overrides.lock().await;
+            if overrides.iter().any(|existing| existing == prefix) {
+                return;
+            }
+            overrides.push(prefix.to_vec());
+        }
+
+        let codex_home = {
+            let state = self.state.lock().await;
+            state
+                .session_configuration
+                .original_config_do_not_use
+                .codex_home
+                .clone()
+        };
+
+        if let Err(err) = crate::exec_policy::persist_allow_rule(&codex_home, prefix).await {
+            warn!("failed to persist execpolicy allow rule: {err}");
+        }
+    }
+
     /// Emit an exec approval request event and await the user's decision.
     ///
     /// The request is keyed by `sub_id`/`call_id` so matching responses are delivered
     /// to the correct in-flight turn. If the task is aborted, this returns the
     /// default `ReviewDecision` (`Denied`).
+    #[allow(clippy::too_many_arguments)]
     pub async fn request_command_approval(
         &self,
         turn_context: &TurnContext,
@@ -859,6 +884,7 @@ impl Session {
         cwd: PathBuf,
         reason: Option<String>,
         risk: Option<SandboxCommandAssessment>,
+        allow_prefix: Option<Vec<String>>,
     ) -> ReviewDecision {
         let sub_id = turn_context.sub_id.clone();
         // Add the tx_approve callback to the map before sending the request.
@@ -887,6 +913,7 @@ impl Session {
             reason,
             risk,
             parsed_cmd,
+            allow_prefix,
         });
         self.send_event(turn_context, event).await;
         rx_approve.await.unwrap_or_default()
@@ -2636,6 +2663,7 @@ mod tests {
             auth_manager: Arc::clone(&auth_manager),
             otel_event_manager: otel_event_manager.clone(),
             tool_approvals: Mutex::new(ApprovalStore::default()),
+            exec_policy_overrides: Mutex::new(Vec::new()),
         };
 
         let turn_context = Session::make_turn_context(
@@ -2714,6 +2742,7 @@ mod tests {
             auth_manager: Arc::clone(&auth_manager),
             otel_event_manager: otel_event_manager.clone(),
             tool_approvals: Mutex::new(ApprovalStore::default()),
+            exec_policy_overrides: Mutex::new(Vec::new()),
         };
 
         let turn_context = Arc::new(Session::make_turn_context(

codex-rs/core/src/codex.rs

@@ -235,6 +235,7 @@ async fn handle_exec_approval(
         event.cwd,
         event.reason,
         event.risk,
+        event.allow_prefix,
     );
     let decision = await_approval_with_cancel(
         approval_fut,