
aibrahim-oai
Collaborator

@aibrahim-oai aibrahim-oai commented Sep 17, 2025

Currently, we change the tool description according to the sandbox policy and approval policy. This breaks the cache when the user hits /approvals. This PR does the following:

  • Always use the shell with the escalation parameter:
    • removes create_shell_tool_for_sandbox and always uses the unified tool via create_shell_tool
  • Reject the func call when the model uses the escalation parameter when it cannot.

@aibrahim-oai aibrahim-oai requested review from bolinfest, dylan-hurd-oai and fouad-openai and removed request for bolinfest September 17, 2025 20:45
Contributor

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


Codex Review: Here are some suggestions.

Reply with @codex fix comments to fix any unresolved comments.


Comment on lines 157 to 165
if let Some(decision) =
    reject_forbidden_escalation(approval_policy, with_escalated_permissions, false)
{
    return decision;
}

match (approval_policy, sandbox_policy) {
    (UnlessTrusted, _) => {
        // Even though the user may have opted into DangerFullAccess,

[P1] Reject escalated commands even when sandboxing is disabled

In assess_safety_for_untrusted_command the new reject_forbidden_escalation call returns SafetyCheck::Reject for OnFailure or Never whenever with_escalated_permissions is true (lines 157‑160). This happens before the match that handles SandboxPolicy::DangerFullAccess (lines 170‑174). As a result, in sessions where the user has explicitly opted into DangerFullAccess (no sandbox available), any model invocation that includes with_escalated_permissions: true is now rejected with the message “sandbox retry is required…”, even though there is no sandbox to retry and the previous behavior auto‑approved these commands. This means escalated commands can no longer run in DangerFullAccess when the model sets the flag, defeating the purpose of that mode. Consider skipping the rejection when the sandbox policy is DangerFullAccess or when sandboxing is otherwise unavailable.

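To make the ordering that the review comment describes concrete, here is an added model of the two code paths (a simplified reconstruction for illustration, not codex's own code). Everything not named on the page is assumed: the ReadOnly variant, the AutoApprove/AskUser arms of the match, the skip_when_unsandboxed switch that stands in for the reviewer's suggested change, and the meaning of reject_forbidden_escalation's third argument.

```rust
// Added model of the ordering described in the review, not codex's own code.
// Assumed: the `ReadOnly` variant, the AutoApprove/AskUser arms of the match,
// and the meaning of reject_forbidden_escalation's third argument (not modelled).
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum ApprovalPolicy { UnlessTrusted, OnFailure, Never }
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum SandboxPolicy { ReadOnly, DangerFullAccess }
#[derive(Debug, PartialEq)]
pub enum SafetyCheck { AutoApprove, AskUser, Reject(&'static str) }

/// As the review describes: under OnFailure or Never an escalated call is rejected.
pub fn reject_forbidden_escalation(
    approval_policy: ApprovalPolicy,
    with_escalated_permissions: bool,
    _third_arg: bool,
) -> Option<SafetyCheck> {
    use ApprovalPolicy::*;
    match approval_policy {
        OnFailure | Never if with_escalated_permissions => {
            Some(SafetyCheck::Reject("sandbox retry is required before escalation"))
        }
        _ => None,
    }
}

/// `skip_when_unsandboxed = false` is the ordering as merged (check before the
/// match); `true` is the reviewer's suggestion of bypassing it with no sandbox.
pub fn assess_safety_for_untrusted_command(
    approval_policy: ApprovalPolicy,
    sandbox_policy: SandboxPolicy,
    with_escalated_permissions: bool,
    skip_when_unsandboxed: bool,
) -> SafetyCheck {
    let unsandboxed = sandbox_policy == SandboxPolicy::DangerFullAccess;
    if !(skip_when_unsandboxed && unsandboxed) {
        if let Some(decision) =
            reject_forbidden_escalation(approval_policy, with_escalated_permissions, false)
        {
            return decision;
        }
    }
    match (approval_policy, sandbox_policy) {
        // Assumed arms: UnlessTrusted always asks, no sandbox auto-approves.
        (ApprovalPolicy::UnlessTrusted, _) => SafetyCheck::AskUser,
        (_, SandboxPolicy::DangerFullAccess) => SafetyCheck::AutoApprove,
        (_, SandboxPolicy::ReadOnly) => SafetyCheck::AskUser,
    }
}
```

With the merged ordering, DangerFullAccess plus with_escalated_permissions: true returns Reject; with the check skipped when unsandboxed, the same call auto-approves as before.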

Collaborator Author


I think we should reject commands with escalated params in DangerFullAccess mode. Curious what others think?

@bolinfest
Collaborator

@aibrahim-oai can you please update the PR body to explain the "why" behind this change?

@aibrahim-oai
Collaborator Author

@bolinfest done

Collaborator

@bolinfest bolinfest left a comment


Thanks, this seems much better than touching safety.rs, but I think there is still a little work to do?

@aibrahim-oai aibrahim-oai enabled auto-merge (squash) September 18, 2025 23:57
@aibrahim-oai aibrahim-oai merged commit a7fda70 into main Sep 19, 2025
19 checks passed
@aibrahim-oai aibrahim-oai deleted the shell-esdc branch September 19, 2025 00:08
@github-actions github-actions bot locked and limited conversation to collaborators Sep 19, 2025