cbusillo

Summary

  • add an exec_allow config section plus runtime matcher so simple commands (e.g. uv run test*, docker compose) can bypass the sandbox while we continue validating that every argv path stays under writable roots
  • respect confirm = true on those rules so risky escapes still pause for user approval before leaving the sandbox
  • populate SSL_CERT_FILE when inject_ssl_cert_file = true, sourcing from CODEX_DEFAULT_SSL_CERT_FILE or common CA bundle paths so gh and other TLS clients keep working after the bypass
  • drop native TLS dependencies and guard the locale detector panic so macOS runners without a login keychain don’t crash when formatting numbers

Testing

  • ./build-fast.sh

@cbusillo
Author

Testing this out now! I have an issue where commands like uv run and docker won't run right in the sandbox on macOS. I also want most git commands to always require confirmation.

Basically I want commands like uv run test* to always run without confirmation and outside the sandbox. I also want gh cli to work but require confirmation. gh wouldn't run without passing it ssl stuff.

I couldn't figure out a way to do this without new code; if I am mistaken, please let me know! I love the system you have created, it's what I was working on trying to build myself. Of course I just canceled my Claude account, but right now I can't find a reason to use it. Maybe with their next model release.

I am still trying to learn how to use the new agents system. I had a nice system with Claude Code, but the CLI tool kept crashing and Codex CLI doesn't support it, so I ditched it. Looking forward to learning your system.

@zemaj

zemaj commented Sep 18, 2025

Thanks for the PR! So when you run gh in sandbox mode does it fail to run for you? What's the sandbox config you're using?

@cbusillo
Author

This is what I am using right now. It is never able to auth correctly. It fails with a sandbox error. If you like I can install the stock Code and give you the actual error.

approval_policy = "on-request"
sandbox_mode = "workspace-write"

@cbusillo
Author

The inject_ssl_cert_file fix I tried to implement is broken after the last release refactor. It worked before the current release. I'll try to get it fixed tomorrow. It's been very useful.
