feat: merge skill-level sandbox policy for shell commands in zsh fork mode

[celia-oai]

Summary

This change ensures shell command execution honors skill-level permissions for zsh-fork command flows
when the invoked executable is inside a skill’s scripts directory.

• Skill-aware sandbox extension is applied only in shell_zsh_fork mode.
• Turn-level and skill-level sandbox rules are merged into a single least-privilege effective policy.
• The effective policy is used consistently for both approval checks and execution in the shell path.

A follow-up PR will wire skill-level seatbelt_permissions.

Skill Sandbox Extension Test Plan

1. Create demo files and directories.

  cd /Users/celia/code/codex
  bash .tmp/skill-sandbox-demo/setup_demo.sh

2. Configure skill permissions as read-only.

  # /Users/celia/code/codex/.agents/skills/sandbox-approval-demo/agents/openai.yaml
  permissions:
    network: true
    file_system:
      read:
        - "./workspace"

3. Set and verify custom interceptable zsh.

  INTERCEPTABLE_ZSH=/Users/celia/.local/codex-zsh-77045ef/bin/zsh
  "$INTERCEPTABLE_ZSH" -fc '/usr/bin/true'
  EXEC_WRAPPER=/usr/bin/false "$INTERCEPTABLE_ZSH" -fc '/usr/bin/true'  # should fail if intercept works

4. Build binaries used by the test.

  cd /Users/celia/code/codex/codex-rs
  cargo build -p codex -p codex-app-server-test-client

5. Clean test artifacts.

  cd /Users/celia/code/codex
  rm -f .agents/skills/sandbox-approval-demo/workspace/runs.log
  rm -f .tmp/skill-sandbox-demo/should_be_blocked.txt
  rm -f .tmp/skill-sandbox-demo/should_be_allowed.txt

6. Baseline: zsh fork disabled.

  cd /Users/celia/code/codex/codex-rs
  cargo run -p codex-app-server-test-client -- \
    --codex-bin ./target/debug/codex \
    --config 'features.shell_zsh_fork=false' \
    --config 'approval_policy="on-request"' \
    --config 'sandbox_mode="danger-full-access"' \
    --skill-name sandbox-approval-demo \
    --skill-path ../.agents/skills/sandbox-approval-demo/SKILL.md \
    send-message-v2 'Run this: ../.agents/skills/sandbox-approval-demo/scripts/skill_action.sh && echo should_be_allowed > ../.tmp/skill-sandbox-demo/should_be_allowed.txt'

Expected:

• Command runs successfully.
• ../.tmp/skill-sandbox-demo/should_be_allowed.txt is created.
• No skill sandbox extension behavior is expected in this control path.

7. Main test: zsh fork enabled, skill sandbox enforced (custom interceptable zsh).

  cd /Users/celia/code/codex/codex-rs
  cargo run -p codex-app-server-test-client -- \
    --codex-bin ./target/debug/codex \
    --config 'features.shell_zsh_fork=true' \
    --config "zsh_path=\"$INTERCEPTABLE_ZSH\"" \
    --config 'approval_policy="on-request"' \
    --config 'sandbox_mode="danger-full-access"' \
    --skill-name sandbox-approval-demo \
    --skill-path ../.agents/skills/sandbox-approval-demo/SKILL.md \
    send-message-v2 'Run this: ../.agents/skills/sandbox-approval-demo/scripts/skill_action.sh && echo should_be_blocked > ../.tmp/skill-sandbox-demo/should_be_blocked.txt'

Expected:

• Approval is requested consistently before execution like this:

< {
<   "id": 0,
<   "method": "item/commandExecution/requestApproval",
<   "params": {
<     "command": "/bin/zsh -lc '../.agents/skills/sandbox-approval-demo/scripts/skill_action.sh && echo should_be_blocked > ../.tmp/skill-sandbox-demo/should_be_blocked.txt'",
<     "commandActions": [
<       {
<         "command": "../.agents/skills/sandbox-approval-demo/scripts/skill_action.sh && echo should_be_blocked > ../.tmp/skill-sandbox-demo/should_be_blocked.txt",
<         "type": "unknown"
<       }
<     ],
<     "cwd": "/Users/celia/code/codex/codex-rs",
<     "itemId": "call_2FcXvhGx8ci3XlYQTxDufZus",
<     "proposedExecpolicyAmendment": [
<       "/bin/zsh",
<       "-lc",
<       "../.agents/skills/sandbox-approval-demo/scripts/skill_action.sh && echo should_be_blocked > ../.tmp/skill-sandbox-demo/should_be_blocked.txt"
<     ],
<     "reason": "Do you want me to run your exact sandbox-approval demo command, including the chained write probe, once as requested?",
<     "threadId": "019c7756-81d5-7df0-aa87-df35dacf7728",
<     "turnId": "019c7756-820b-7220-a90c-a128443f691b"
<   }
< }

• Approval request command is "$INTERCEPTABLE_ZSH" -lc ... and references the full command string.
• If approval is declined, command does not execute and should_be_blocked.txt is not created.
• If approval is accepted, command may execute successfully (this test is about approval gating, not deny-on-execute).
• when click "always allow", this is written to the rules:

prefix_rule(pattern=["/bin/zsh", "-lc", "../.agents/skills/sandbox-approval-demo/scripts/skill_action.sh && echo should_be_blocked > ../.tmp/skill-sandbox-demo/should_be_blocked.txt"], decision="allow")

8. Control: non-skill script with zsh fork enabled (custom interceptable zsh).

  cd /Users/celia/code/codex/codex-rs
  cargo run -p codex-app-server-test-client -- \
    --codex-bin ./target/debug/codex \
    --config 'features.shell_zsh_fork=true' \
    --config "zsh_path=\"$INTERCEPTABLE_ZSH\"" \
    --config 'approval_policy="on-request"' \
    --config 'sandbox_mode="danger-full-access"' \
    send-message-v2 'Run this: ../.tmp/skill-sandbox-demo/non_skill_action.sh && echo control_ok > ../.tmp/skill-sandbox-demo/should_be_allowed.txt'

Expected:

• Command succeeds.
• ../.tmp/skill-sandbox-demo/should_be_allowed.txt is created.
• No skill-based approval behavior should be applied.