openai · AndrewNikolin · Oct 31, 2025 · Oct 31, 2025 · Oct 31, 2025 · Oct 31, 2025
diff --git a/codex-rs/core/src/tasks/user_shell.rs b/codex-rs/core/src/tasks/user_shell.rs
@@ -82,14 +82,17 @@ impl SessionTask for UserShellCommandTask {
             command: shell_invocation,
             workdir: None,
             timeout_ms: None,
-            with_escalated_permissions: None,
-            justification: None,
+            with_escalated_permissions: Some(true),
-            with_escalated_permissions: Some(true),
+            with_escalated_permissions: Some(false),
-            with_escalated_permissions: Some(true),
+            with_escalated_permissions: Some(false),
+            justification: Some("user-requested shell command".to_string()),
         };
 
         let tool_call = ToolCall {
             tool_name: USER_SHELL_TOOL_NAME.to_string(),
             call_id: Uuid::new_v4().to_string(),
-            payload: ToolPayload::LocalShell { params },
+            payload: ToolPayload::LocalShell {
+                params,
+                is_user_shell_command: true,
+            },
         };
 
         let router = Arc::new(ToolRouter::from_config(&turn_context.tools_config, None));

diff --git a/codex-rs/core/src/tools/context.rs b/codex-rs/core/src/tools/context.rs
@@ -40,6 +40,7 @@ pub enum ToolPayload {
     },
     LocalShell {
         params: ShellToolCallParams,
+        is_user_shell_command: bool,
     },
     UnifiedExec {
         arguments: String,
@@ -56,7 +57,7 @@ impl ToolPayload {
         match self {
             ToolPayload::Function { arguments } => Cow::Borrowed(arguments),
             ToolPayload::Custom { input } => Cow::Borrowed(input),
-            ToolPayload::LocalShell { params } => Cow::Owned(params.command.join(" ")),
+            ToolPayload::LocalShell { params, .. } => Cow::Owned(params.command.join(" ")),
             ToolPayload::UnifiedExec { arguments } => Cow::Borrowed(arguments),
             ToolPayload::Mcp { raw_arguments, .. } => Cow::Borrowed(raw_arguments),
         }

diff --git a/codex-rs/core/src/tools/handlers/shell.rs b/codex-rs/core/src/tools/handlers/shell.rs
@@ -82,7 +82,10 @@ impl ToolHandler for ShellHandler {
                 )
                 .await
             }
-            ToolPayload::LocalShell { params } => {
+            ToolPayload::LocalShell {
+                params,
+                is_user_shell_command,
+            } => {
                 let exec_params = Self::to_exec_params(params, turn.as_ref());
                 Self::run_exec_like(
                     tool_name.as_str(),
@@ -91,7 +94,7 @@ impl ToolHandler for ShellHandler {
                     turn,
                     tracker,
                     call_id,
-                    true,
+                    is_user_shell_command,
                 )
                 .await
             }
@@ -114,6 +117,7 @@ impl ShellHandler {
     ) -> Result<ToolOutput, FunctionCallError> {
         // Approval policy guard for explicit escalation in non-OnRequest modes.
         if exec_params.with_escalated_permissions.unwrap_or(false)
+            && !is_user_shell_command
             && !matches!(
                 turn.approval_policy,
                 codex_protocol::protocol::AskForApproval::OnRequest
@@ -219,6 +223,7 @@ impl ShellHandler {
             env: exec_params.env.clone(),
             with_escalated_permissions: exec_params.with_escalated_permissions,
             justification: exec_params.justification.clone(),
+            is_user_shell_command,
         };
         let mut orchestrator = ToolOrchestrator::new();
         let mut runtime = ShellRuntime::new();

diff --git a/codex-rs/core/src/tools/router.rs b/codex-rs/core/src/tools/router.rs
@@ -120,7 +120,10 @@ impl ToolRouter {
                         Ok(Some(ToolCall {
                             tool_name: "local_shell".to_string(),
                             call_id,
-                            payload: ToolPayload::LocalShell { params },
+                            payload: ToolPayload::LocalShell {
+                                params,
+                                is_user_shell_command: false,
+                            },
                         }))
                     }
                 }

diff --git a/codex-rs/core/src/tools/runtimes/shell.rs b/codex-rs/core/src/tools/runtimes/shell.rs
@@ -34,6 +34,7 @@ pub struct ShellRequest {
     pub env: std::collections::HashMap<String, String>,
     pub with_escalated_permissions: Option<bool>,
     pub justification: Option<String>,
+    pub is_user_shell_command: bool,
 }
 
 impl ProvidesSandboxRetryData for ShellRequest {
@@ -121,6 +122,9 @@ impl Approvable<ShellRequest> for ShellRuntime {
         policy: AskForApproval,
         sandbox_policy: &SandboxPolicy,
     ) -> bool {
+        if req.is_user_shell_command {
+            return false;
-            return false;
+            // Only bypass approval for user shell commands that are not dangerous and do not request escalation.
+            let wants_escalation = req.with_escalated_permissions.unwrap_or(false);
+            if !wants_escalation && !command_might_be_dangerous(&req.command) {
+                return false;
+            }
+            // Otherwise, fall through to approval logic for dangerous/escalated user commands.
-            return false;
+            // Only bypass approval for user shell commands that are not dangerous and do not request escalation.
+            let wants_escalation = req.with_escalated_permissions.unwrap_or(false);
+            if !wants_escalation && !command_might_be_dangerous(&req.command) {
+                return false;
+            }
+            // Otherwise, fall through to approval logic for dangerous/escalated user commands.
+        }
         if is_known_safe_command(&req.command) {
             return false;
         }

diff --git a/codex-rs/core/tests/suite/user_shell_cmd.rs b/codex-rs/core/tests/suite/user_shell_cmd.rs
@@ -1,5 +1,6 @@
 use codex_core::ConversationManager;
 use codex_core::NewConversation;
+use codex_core::protocol::AskForApproval;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::ExecCommandEndEvent;
 use codex_core::protocol::Op;
@@ -138,3 +139,93 @@ async fn user_shell_cmd_can_be_interrupted() {
     };
     assert_eq!(ev.reason, TurnAbortReason::Interrupted);
 }
+
+#[tokio::test]
+async fn user_shell_cmd_runs_under_non_on_request_policy() {
+    let Some(python) = detect_python_executable() else {
+        eprintln!("skipping test: python3 not found in PATH");
+        return;
+    };
+
+    let codex_home = TempDir::new().unwrap();
+    let mut config = load_default_config_for_test(&codex_home);
+    config.approval_policy = AskForApproval::Never;
+
+    let conversation_manager =
+        ConversationManager::with_auth(codex_core::CodexAuth::from_api_key("dummy"));
+    let NewConversation {
+        conversation: codex,
+        ..
+    } = conversation_manager
+        .new_conversation(config)
+        .await
+        .expect("create new conversation");
+
+    let command = format!("{python} -c \"import sys; sys.stdout.write('bang-ok')\"");
+    codex
+        .submit(Op::RunUserShellCommand { command })
+        .await
+        .unwrap();
+
+    let msg = wait_for_event(&codex, |ev| matches!(ev, EventMsg::ExecCommandEnd(_))).await;
+    let EventMsg::ExecCommandEnd(ExecCommandEndEvent {
+        stdout, exit_code, ..
+    }) = msg
+    else {
+        unreachable!()
+    };
+    assert_eq!(exit_code, 0);
+    assert_eq!(stdout, "bang-ok");
+}
+
+#[tokio::test]
+async fn user_shell_cmd_creates_directory_under_read_only_policy() {
+    let Some(python) = detect_python_executable() else {
+        eprintln!("skipping test: python3 not found in PATH");
+        return;
+    };
+
+    let codex_home = TempDir::new().unwrap();
+    let cwd = TempDir::new().unwrap();
+    let mut config = load_default_config_for_test(&codex_home);
+    config.approval_policy = AskForApproval::Never;
+    config.sandbox_policy = codex_core::protocol::SandboxPolicy::new_read_only_policy();
+    config.cwd = cwd.path().to_path_buf();
+
+    let conversation_manager =
+        ConversationManager::with_auth(codex_core::CodexAuth::from_api_key("dummy"));
+    let NewConversation {
+        conversation: codex,
+        ..
+    } = conversation_manager
+        .new_conversation(config)
+        .await
+        .expect("create new conversation");
+
+    let dir_name = "bang-mkdir";
+    let dir_path = cwd.path().join(dir_name);
+    assert!(
+        !dir_path.exists(),
+        "expected {dir_path:?} not to exist before command"
+    );
+
+    let command = format!("{python} -c \"import pathlib; pathlib.Path('{dir_name}').mkdir()\"");
+    codex
+        .submit(Op::RunUserShellCommand { command })
+        .await
+        .unwrap();
+
+    let msg = wait_for_event(&codex, |ev| matches!(ev, EventMsg::ExecCommandEnd(_))).await;
+    let EventMsg::ExecCommandEnd(ExecCommandEndEvent {
+        stdout, exit_code, ..
+    }) = msg
+    else {
+        unreachable!()
+    };
+    assert_eq!(exit_code, 0);
+    assert!(stdout.is_empty(), "expected no stdout, got {stdout:?}");
+    assert!(
+        dir_path.exists(),
+        "expected {dir_path:?} to be created by the command"
+    );
+}