Add approval allow-prefix flow in core and tui

codex-rs/app-server/src/bespoke_event_handling.rs

@@ -153,6 +153,7 @@ pub(crate) async fn apply_bespoke_event_handling(
             cwd,
             reason,
             risk,
+            allow_prefix: _allow_prefix,
             parsed_cmd,
         }) => match api_version {
             ApiVersion::V1 => {
@@ -610,6 +611,7 @@ async fn on_exec_approval_response(
         .submit(Op::ExecApproval {
             id: event_id,
             decision: response.decision,
+            allow_prefix: None,
         })
         .await
     {
@@ -783,6 +785,7 @@ async fn on_command_execution_request_approval_response(
         .submit(Op::ExecApproval {
             id: event_id,
             decision,
+            allow_prefix: None,
         })
         .await
     {

codex-rs/core/src/codex.rs

@@ -68,6 +68,7 @@ use crate::error::CodexErr;
 use crate::error::Result as CodexResult;
 #[cfg(test)]
 use crate::exec::StreamOutput;
+use crate::exec_policy::ExecPolicyUpdateError;
 use crate::mcp::auth::compute_auth_statuses;
 use crate::mcp_connection_manager::McpConnectionManager;
 use crate::model_family::find_family_for_model;
@@ -845,11 +846,43 @@ impl Session {
         .await
     }
 
+    pub(crate) async fn persist_command_allow_prefix(
+        &self,
+        prefix: &[String],
+    ) -> Result<(), ExecPolicyUpdateError> {
+        let (features, codex_home) = {
+            let state = self.state.lock().await;
+            (
+                state.session_configuration.features.clone(),
+                state
+                    .session_configuration
+                    .original_config_do_not_use
+                    .codex_home
+                    .clone(),
+            )
+        };
+
+        let policy =
+            crate::exec_policy::append_allow_prefix_rule_and_reload(&features, &codex_home, prefix)
+                .await?;
+
+        let mut state = self.state.lock().await;
+        state.session_configuration.exec_policy = policy;
+
+        Ok(())
+    }
+
+    pub(crate) async fn current_exec_policy(&self) -> Arc<ExecPolicy> {
+        let state = self.state.lock().await;
+        state.session_configuration.exec_policy.clone()
+    }
+
     /// Emit an exec approval request event and await the user's decision.
     ///
     /// The request is keyed by `sub_id`/`call_id` so matching responses are delivered
     /// to the correct in-flight turn. If the task is aborted, this returns the
     /// default `ReviewDecision` (`Denied`).
+    #[allow(clippy::too_many_arguments)]
     pub async fn request_command_approval(
         &self,
         turn_context: &TurnContext,
@@ -858,6 +891,7 @@ impl Session {
         cwd: PathBuf,
         reason: Option<String>,
         risk: Option<SandboxCommandAssessment>,
+        allow_prefix: Option<Vec<String>>,
     ) -> ReviewDecision {
         let sub_id = turn_context.sub_id.clone();
         // Add the tx_approve callback to the map before sending the request.
@@ -885,6 +919,7 @@ impl Session {
             cwd,
             reason,
             risk,
+            allow_prefix,
             parsed_cmd,
         });
         self.send_event(turn_context, event).await;
@@ -1383,8 +1418,12 @@ async fn submission_loop(sess: Arc<Session>, config: Arc<Config>, rx_sub: Receiv
                 handlers::user_input_or_turn(&sess, sub.id.clone(), sub.op, &mut previous_context)
                     .await;
             }
-            Op::ExecApproval { id, decision } => {
-                handlers::exec_approval(&sess, id, decision).await;
+            Op::ExecApproval {
+                id,
+                decision,
+                allow_prefix,
+            } => {
+                handlers::exec_approval(&sess, id, decision, allow_prefix).await;
             }
             Op::PatchApproval { id, decision } => {
                 handlers::patch_approval(&sess, id, decision).await;
@@ -1453,6 +1492,7 @@ mod handlers {
     use codex_protocol::protocol::ReviewDecision;
     use codex_protocol::protocol::ReviewRequest;
     use codex_protocol::protocol::TurnAbortReason;
+    use codex_protocol::protocol::WarningEvent;
 
     use codex_protocol::user_input::UserInput;
     use std::sync::Arc;
@@ -1538,7 +1578,28 @@ mod handlers {
         *previous_context = Some(turn_context);
     }
 
-    pub async fn exec_approval(sess: &Arc<Session>, id: String, decision: ReviewDecision) {
+    pub async fn exec_approval(
+        sess: &Arc<Session>,
+        id: String,
+        decision: ReviewDecision,
+        allow_prefix: Option<Vec<String>>,
+    ) {
+        if let Some(prefix) = allow_prefix
+            && matches!(
+                decision,
+                ReviewDecision::Approved | ReviewDecision::ApprovedForSession
+            )
+            && let Err(err) = sess.persist_command_allow_prefix(&prefix).await
+        {
+            let message = format!("Failed to update execpolicy allow list: {err}");
+            tracing::warn!("{message}");
+            let warning = EventMsg::Warning(WarningEvent { message });
+            sess.send_event_raw(Event {
+                id: id.clone(),
+                msg: warning,
+            })
+            .await;
+        }
         match decision {
             ReviewDecision::Abort => {
                 sess.interrupt_task().await;

codex-rs/core/src/codex_delegate.rs

@@ -235,6 +235,7 @@ async fn handle_exec_approval(
         event.cwd,
         event.reason,
         event.risk,
+        event.allow_prefix,
     );
     let decision = await_approval_with_cancel(
         approval_fut,
@@ -244,7 +245,13 @@ async fn handle_exec_approval(
     )
     .await;
 
-    let _ = codex.submit(Op::ExecApproval { id, decision }).await;
+    let _ = codex
+        .submit(Op::ExecApproval {
+            id,
+            decision,
+            allow_prefix: None,
+        })
+        .await;
 }
 
 /// Handle an ApplyPatchApprovalRequest by consulting the parent session and replying.

codex-rs/core/src/tools/handlers/shell.rs

@@ -297,6 +297,7 @@ impl ShellHandler {
         let event_ctx = ToolEventCtx::new(session.as_ref(), turn.as_ref(), &call_id, None);
         emitter.begin(event_ctx).await;
 
+        let exec_policy = session.current_exec_policy().await;
         let req = ShellRequest {
             command: exec_params.command.clone(),
             cwd: exec_params.cwd.clone(),
@@ -305,7 +306,7 @@ impl ShellHandler {
             with_escalated_permissions: exec_params.with_escalated_permissions,
             justification: exec_params.justification.clone(),
             approval_requirement: create_approval_requirement_for_command(
-                &turn.exec_policy,
+                exec_policy.as_ref(),
                 &exec_params.command,
                 turn.approval_policy,
                 &turn.sandbox_policy,

codex-rs/core/src/tools/orchestrator.rs

@@ -63,7 +63,7 @@ impl ToolOrchestrator {
             ApprovalRequirement::Forbidden { reason } => {
                 return Err(ToolError::Rejected(reason));
             }
-            ApprovalRequirement::NeedsApproval { reason } => {
+            ApprovalRequirement::NeedsApproval { reason, .. } => {
                 let mut risk = None;
 
                 if let Some(metadata) = req.sandbox_retry_data() {

codex-rs/core/src/tools/runtimes/apply_patch.rs

@@ -127,6 +127,7 @@ impl Approvable<ApplyPatchRequest> for ApplyPatchRuntime {
                             cwd,
                             Some(reason),
                             risk,
+                            None,
                         )
                         .await
                 } else if user_explicitly_approved {

codex-rs/core/src/tools/runtimes/shell.rs

@@ -106,7 +106,15 @@ impl Approvable<ShellRequest> for ShellRuntime {
         Box::pin(async move {
             with_cached_approval(&session.services, key, move || async move {
                 session
-                    .request_command_approval(turn, call_id, command, cwd, reason, risk)
+                    .request_command_approval(
+                        turn,
+                        call_id,
+                        command,
+                        cwd,
+                        reason,
+                        risk,
+                        req.approval_requirement.allow_prefix().cloned(),
+                    )
                     .await
             })
             .await

codex-rs/core/src/tools/runtimes/unified_exec.rs

@@ -123,7 +123,15 @@ impl Approvable<UnifiedExecRequest> for UnifiedExecRuntime<'_> {
         Box::pin(async move {
             with_cached_approval(&session.services, key, || async move {
                 session
-                    .request_command_approval(turn, call_id, command, cwd, reason, risk)
+                    .request_command_approval(
+                        turn,
+                        call_id,
+                        command,
+                        cwd,
+                        reason,
+                        risk,
+                        req.approval_requirement.allow_prefix().cloned(),
+                    )
                     .await
             })
             .await

codex-rs/core/src/tools/sandboxing.rs

@@ -92,11 +92,26 @@ pub(crate) enum ApprovalRequirement {
     /// No approval required for this tool call
     Skip,
     /// Approval required for this tool call
-    NeedsApproval { reason: Option<String> },
+    NeedsApproval {
+        reason: Option<String>,
+        allow_prefix: Option<Vec<String>>,
+    },
     /// Execution forbidden for this tool call
     Forbidden { reason: String },
 }
 
+impl ApprovalRequirement {
+    pub fn allow_prefix(&self) -> Option<&Vec<String>> {
+        match self {
+            Self::NeedsApproval {
+                allow_prefix: Some(prefix),
+                ..
+            } => Some(prefix),
+            _ => None,
+        }
+    }
+}
+
 /// - Never, OnFailure: do not ask
 /// - OnRequest: ask unless sandbox policy is DangerFullAccess
 /// - UnlessTrusted: always ask
@@ -111,7 +126,10 @@ pub(crate) fn default_approval_requirement(
     };
 
     if needs_approval {
-        ApprovalRequirement::NeedsApproval { reason: None }
+        ApprovalRequirement::NeedsApproval {
+            reason: None,
+            allow_prefix: None,
+        }
     } else {
         ApprovalRequirement::Skip
     }

codex-rs/core/src/unified_exec/session_manager.rs

@@ -445,14 +445,15 @@ impl UnifiedExecSessionManager {
     ) -> Result<UnifiedExecSession, UnifiedExecError> {
         let mut orchestrator = ToolOrchestrator::new();
         let mut runtime = UnifiedExecRuntime::new(self);
+        let exec_policy = context.session.current_exec_policy().await;
         let req = UnifiedExecToolRequest::new(
             command.to_vec(),
             cwd,
             create_env(&context.turn.shell_environment_policy),
             with_escalated_permissions,
             justification,
             create_approval_requirement_for_command(
-                &context.turn.exec_policy,
+                exec_policy.as_ref(),
                 command,
                 context.turn.approval_policy,
                 &context.turn.sandbox_policy,

codex-rs/core/tests/suite/approvals.rs

@@ -1524,6 +1524,7 @@ async fn run_scenario(scenario: &ScenarioSpec) -> Result<()> {
                 .submit(Op::ExecApproval {
                     id: "0".into(),
                     decision: *decision,
+                    allow_prefix: None,
                 })
                 .await?;
             wait_for_completion(&test).await;

codex-rs/core/tests/suite/codex_delegate.rs

@@ -93,6 +93,7 @@ async fn codex_delegate_forwards_exec_approval_and_proceeds_on_approval() {
         .submit(Op::ExecApproval {
             id: "0".into(),
             decision: ReviewDecision::Approved,
+            allow_prefix: None,
         })
         .await
         .expect("submit exec approval");

codex-rs/core/tests/suite/otel.rs

@@ -843,6 +843,7 @@ async fn handle_container_exec_user_approved_records_tool_decision() {
         .submit(Op::ExecApproval {
             id: "0".into(),
             decision: ReviewDecision::Approved,
+            allow_prefix: None,
         })
         .await
         .unwrap();
@@ -901,6 +902,7 @@ async fn handle_container_exec_user_approved_for_session_records_tool_decision()
         .submit(Op::ExecApproval {
             id: "0".into(),
             decision: ReviewDecision::ApprovedForSession,
+            allow_prefix: None,
         })
         .await
         .unwrap();
@@ -959,6 +961,7 @@ async fn handle_sandbox_error_user_approves_retry_records_tool_decision() {
         .submit(Op::ExecApproval {
             id: "0".into(),
             decision: ReviewDecision::Approved,
+            allow_prefix: None,
         })
         .await
         .unwrap();
@@ -1017,6 +1020,7 @@ async fn handle_container_exec_user_denies_records_tool_decision() {
         .submit(Op::ExecApproval {
             id: "0".into(),
             decision: ReviewDecision::Denied,
+            allow_prefix: None,
         })
         .await
         .unwrap();
@@ -1075,6 +1079,7 @@ async fn handle_sandbox_error_user_approves_for_session_records_tool_decision()
         .submit(Op::ExecApproval {
             id: "0".into(),
             decision: ReviewDecision::ApprovedForSession,
+            allow_prefix: None,
         })
         .await
         .unwrap();
@@ -1134,6 +1139,7 @@ async fn handle_sandbox_error_user_denies_records_tool_decision() {
         .submit(Op::ExecApproval {
             id: "0".into(),
             decision: ReviewDecision::Denied,
+            allow_prefix: None,
         })
         .await
         .unwrap();

codex-rs/execpolicy/Cargo.toml

@@ -27,3 +27,4 @@ thiserror = { workspace = true }
 
 [dev-dependencies]
 pretty_assertions = { workspace = true }
+tempfile = { workspace = true }