Improve approval and sandbox flows

2026-05-28 11:17:40 +00:00
parent 44384a90c7
commit 372d5831fa
4 changed files with 496 additions and 47 deletions
--- a/scripts/start-codex-app-server
+++ b/scripts/start-codex-app-server
@@ -1,6 +1,14 @@
 #!/usr/bin/env bash
 set -euo pipefail

+SYSTEM_PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+if [[ -n "${PATH:-}" ]]; then
+  PATH="$PATH:$SYSTEM_PATH"
+else
+  PATH="$SYSTEM_PATH"
+fi
+export PATH
+
 ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 ENV_FILE="$ROOT/.env"
 RUN_DIR="$ROOT/run"
@@ -301,7 +309,9 @@ import json
 import sys

 target, path = sys.argv[1], sys.argv[2]
-asset_name = f"codex-{target}.tar.gz"
+needs_bwrap = "linux" in target
+codex_asset_name = f"codex-{target}.tar.gz"
+bwrap_asset_name = f"bwrap-{target}.tar.gz" if needs_bwrap else None
 with open(path, "r", encoding="utf-8") as f:
    release = json.load(f)
 tag = release.get("tag_name", "")
@@ -310,15 +320,26 @@ if version.startswith("rust-v"):
    version = version[6:]
 elif version.startswith("v"):
    version = version[1:]
-for asset in release.get("assets", []):
-    if asset.get("name") == asset_name:
-        print(version)
-        print(tag)
-        print(asset.get("browser_download_url", ""))
-        print(asset.get("digest", ""))
-        raise SystemExit(0)
-print(f"release {tag or '<unknown>'} has no asset named {asset_name}", file=sys.stderr)
-raise SystemExit(1)
+assets = {asset.get("name"): asset for asset in release.get("assets", [])}
+codex_asset = assets.get(codex_asset_name)
+bwrap_asset = assets.get(bwrap_asset_name) if needs_bwrap else None
+required_assets = [(codex_asset_name, codex_asset)]
+if needs_bwrap:
+    required_assets.append((bwrap_asset_name, bwrap_asset))
+missing = [name for name, asset in required_assets if asset is None]
+if missing:
+    print(f"release {tag or '<unknown>'} has no asset named {', '.join(missing)}", file=sys.stderr)
+    raise SystemExit(1)
+print(codex_asset.get("browser_download_url", ""))
+print(codex_asset.get("digest", ""))
+if bwrap_asset is not None:
+    print(bwrap_asset.get("browser_download_url", ""))
+    print(bwrap_asset.get("digest", ""))
+else:
+    print("")
+    print("")
+print(version)
+print(tag)
 PY
 }

@@ -361,6 +382,38 @@ extract_codex_binary() {
  printf '%s\n' "$found"
 }

+
+extract_bwrap_binary() {
+  local archive="$1" dest="$2" found
+  mkdir -p "$dest/bwrap-extract"
+  tar -xzf "$archive" -C "$dest/bwrap-extract"
+  found="$(find "$dest/bwrap-extract" -type f -name bwrap -print | head -n 1)"
+  if [[ -z "$found" ]]; then
+    found="$(find "$dest/bwrap-extract" -type f -name 'bwrap-*' -perm -u+x -print | head -n 1)"
+  fi
+  if [[ -z "$found" ]]; then
+    echo "downloaded archive does not contain a bwrap executable" >&2
+    return 1
+  fi
+  chmod +x "$found"
+  printf '%s\n' "$found"
+}
+
+bundled_bwrap_path() {
+  local bin="$1"
+  printf '%s/codex-resources/bwrap\n' "$(dirname "$bin")"
+}
+
+bundled_bwrap_installed() {
+  local bin="$1" bundled
+  bundled="$(bundled_bwrap_path "$bin")"
+  [[ -x "$bundled" && ! -L "$bundled" ]]
+}
+
+bwrap_required_for_target() {
+  [[ "$1" == *linux* ]]
+}
+
 run_install() {
  if [[ "${#INSTALL_PREFIX[@]}" -gt 0 ]]; then
    "${INSTALL_PREFIX[@]}" "$@"
@@ -385,16 +438,37 @@ choose_install_prefix() {
  return 1
 }

+install_bundled_bwrap() {
+  local candidate="$1" bin="$2" backup="$3" bundled resources_dir tmp_new bwrap_backup bwrap_missing
+  bundled="$(bundled_bwrap_path "$bin")"
+  resources_dir="$(dirname "$bundled")"
+  tmp_new="$bundled.new.$$"
+  bwrap_backup="$backup.bwrap"
+  bwrap_missing="$backup.bwrap.missing"
+
+  run_install mkdir -p "$resources_dir"
+  if [[ -e "$bundled" ]]; then
+    run_install cp -p "$bundled" "$bwrap_backup"
+  else
+    run_install touch "$bwrap_missing"
+  fi
+  run_install install -m 0755 "$candidate" "$tmp_new"
+  run_install mv -f "$tmp_new" "$bundled"
+}
+
 install_candidate() {
-  local candidate="$1" bin="$2" backup="$3" tmp_new="$bin.new.$$"
+  local candidate="$1" bwrap_candidate="$2" bin="$3" backup="$4" tmp_new="$bin.new.$$"
  choose_install_prefix "$bin"
  run_install cp -p "$bin" "$backup"
  run_install install -m 0755 "$candidate" "$tmp_new"
  run_install mv -f "$tmp_new" "$bin"
+  if [[ -n "$bwrap_candidate" ]]; then
+    install_bundled_bwrap "$bwrap_candidate" "$bin" "$backup"
+  fi
 }

 restore_backup() {
-  local bin="$1" backup="$2" tmp_failed="$bin.failed.$$"
+  local bin="$1" backup="$2" tmp_failed="$bin.failed.$$" bundled bwrap_backup bwrap_missing
  if [[ ! -e "$backup" ]]; then
    echo "backup missing; cannot restore $bin" >&2
    return 1
@@ -404,6 +478,17 @@ restore_backup() {
    run_install mv -f "$bin" "$tmp_failed" || true
  fi
  run_install mv -f "$backup" "$bin"
+
+  bundled="$(bundled_bwrap_path "$bin")"
+  bwrap_backup="$backup.bwrap"
+  bwrap_missing="$backup.bwrap.missing"
+  if [[ -e "$bwrap_backup" ]]; then
+    run_install mkdir -p "$(dirname "$bundled")"
+    run_install mv -f "$bwrap_backup" "$bundled"
+  elif [[ -e "$bwrap_missing" ]]; then
+    run_install rm -f "$bundled"
+    run_install rm -f "$bwrap_missing"
+  fi
 }

 confirm_upgrade() {
@@ -421,13 +506,13 @@ confirm_upgrade() {
 }

 apply_upgrade() {
-  local candidate="$1" bin="$2" backup="$3" local_version="$4" latest_version="$5" was_running=0
+  local candidate="$1" bwrap_candidate="$2" bin="$3" backup="$4" local_version="$5" latest_version="$6" was_running=0
  if is_running; then
    was_running=1
    stop_server
  fi

-  if ! install_candidate "$candidate" "$bin" "$backup"; then
+  if ! install_candidate "$candidate" "$bwrap_candidate" "$bin" "$backup"; then
    echo "failed to install Codex update" >&2
    if [[ "$was_running" == "1" ]]; then
      start_server || true
@@ -449,12 +534,12 @@ apply_upgrade() {
 }

 handoff_upgrade() {
-  local candidate="$1" bin="$2" backup="$3" update_dir="$4" local_version="$5" latest_version="$6"
+  local candidate="$1" bwrap_candidate="$2" bin="$3" backup="$4" update_dir="$5" local_version="$6" latest_version="$7"
  : > "$UPGRADE_LOG_FILE"
  setsid -f bash -c '
    sleep 1
-    "$0" __apply-upgrade "$1" "$2" "$3" "$4" "$5" "$6"
-  ' "$0" "$candidate" "$bin" "$backup" "$update_dir" "$local_version" "$latest_version" >> "$UPGRADE_LOG_FILE" 2>&1
+    "$0" __apply-upgrade "$1" "$2" "$3" "$4" "$5" "$6" "$7"
+  ' "$0" "$candidate" "$bwrap_candidate" "$bin" "$backup" "$update_dir" "$local_version" "$latest_version" >> "$UPGRADE_LOG_FILE" 2>&1
  echo "Codex upgrade handoff started; app-server will restart if replacement succeeds. log=$UPGRADE_LOG_FILE"
 }

@@ -474,7 +559,8 @@ check_updates() {
  require_cmd python3
  require_cmd ps

-  local bin local_version target json latest_version latest_tag download_url digest archive tmp candidate candidate_version backup
+  local bin local_version target json latest_version latest_tag codex_download_url codex_digest bwrap_download_url bwrap_digest
+  local codex_archive bwrap_archive tmp candidate bwrap_candidate candidate_version backup
  bin="$(codex_bin)"
  if [[ -z "$bin" ]]; then
    echo "codex executable not found; set CODEX_BIN" >&2
@@ -495,28 +581,60 @@ check_updates() {
  json="$tmp/latest.json"
  curl -fsSL "https://api.github.com/repos/$CODEX_RELEASE_REPO/releases/latest" -o "$json"
  mapfile -t release_info < <(latest_release_info "$target" "$json")
-  latest_version="${release_info[0]:-}"
-  latest_tag="${release_info[1]:-}"
-  download_url="${release_info[2]:-}"
-  digest="${release_info[3]:-}"
-  if [[ -z "$latest_version" || -z "$download_url" ]]; then
+  codex_download_url="${release_info[0]:-}"
+  codex_digest="${release_info[1]:-}"
+  bwrap_download_url="${release_info[2]:-}"
+  bwrap_digest="${release_info[3]:-}"
+  latest_version="${release_info[4]:-}"
+  latest_tag="${release_info[5]:-}"
+  if [[ -z "$latest_version" || -z "$codex_download_url" ]]; then
    rm -rf "$tmp"
    echo "could not determine latest Codex release for $target" >&2
    return 1
  fi
+  if bwrap_required_for_target "$target" && [[ -z "$bwrap_download_url" ]]; then
+    rm -rf "$tmp"
+    echo "could not determine latest bundled bwrap release for $target" >&2
+    return 1
+  fi

  if ! version_gt "$latest_version" "$local_version"; then
+    if ! bwrap_required_for_target "$target" || bundled_bwrap_installed "$bin"; then
+      rm -rf "$tmp"
+      echo "Codex is already current: $local_version (latest $latest_version)"
+      return 0
+    fi
+    echo "Codex is already current: $local_version (latest $latest_version); installing missing bundled bwrap"
+    bwrap_archive="$tmp/bwrap-$target.tar.gz"
+    curl -fL "$bwrap_download_url" -o "$bwrap_archive"
+    verify_digest "$bwrap_archive" "$bwrap_digest"
+    bwrap_candidate="$(extract_bwrap_binary "$bwrap_archive" "$tmp")"
+    backup="$bin.bak.$(date -u +%Y%m%d%H%M%S)"
+    choose_install_prefix "$bin"
+    if install_bundled_bwrap "$bwrap_candidate" "$bin" "$backup"; then
+      run_install rm -f "$backup.bwrap.missing"
+      rm -rf "$tmp"
+      echo "Bundled bwrap installed: $(bundled_bwrap_path "$bin")"
+      return 0
+    fi
    rm -rf "$tmp"
-    echo "Codex is already current: $local_version (latest $latest_version)"
-    return 0
+    return 1
  fi
  echo "Codex update available: $local_version -> $latest_version ($latest_tag)"
  confirm_upgrade "$local_version" "$latest_version" "$bin"

-  archive="$tmp/codex-$target.tar.gz"
-  curl -fL "$download_url" -o "$archive"
-  verify_digest "$archive" "$digest"
-  candidate="$(extract_codex_binary "$archive" "$tmp")"
+  codex_archive="$tmp/codex-$target.tar.gz"
+  curl -fL "$codex_download_url" -o "$codex_archive"
+  verify_digest "$codex_archive" "$codex_digest"
+  candidate="$(extract_codex_binary "$codex_archive" "$tmp")"
+  if bwrap_required_for_target "$target"; then
+    bwrap_archive="$tmp/bwrap-$target.tar.gz"
+    curl -fL "$bwrap_download_url" -o "$bwrap_archive"
+    verify_digest "$bwrap_archive" "$bwrap_digest"
+    bwrap_candidate="$(extract_bwrap_binary "$bwrap_archive" "$tmp")"
+  else
+    bwrap_candidate=""
+  fi
  candidate_version="$(codex_version_from "$candidate")"
  if [[ "$candidate_version" != "$latest_version" ]]; then
    rm -rf "$tmp"
@@ -528,11 +646,11 @@ check_updates() {
  choose_install_prefix "$bin"

  if is_running; then
-    handoff_upgrade "$candidate" "$bin" "$backup" "$tmp" "$local_version" "$latest_version"
+    handoff_upgrade "$candidate" "$bwrap_candidate" "$bin" "$backup" "$tmp" "$local_version" "$latest_version"
    return 0
  fi

-  if apply_upgrade "$candidate" "$bin" "$backup" "$local_version" "$latest_version"; then
+  if apply_upgrade "$candidate" "$bwrap_candidate" "$bin" "$backup" "$local_version" "$latest_version"; then
    rm -rf "$tmp"
    return 0
  fi
@@ -541,13 +659,18 @@ check_updates() {
 }

 apply_upgrade_worker() {
-  local candidate="$1" bin="$2" backup="$3" update_dir="$4" local_version="$5" latest_version="$6" rc=0
+  local candidate="$1" bwrap_candidate="$2" bin="$3" backup="$4" update_dir="$5" local_version="$6" latest_version="$7" rc=0
  if [[ ! -x "$candidate" ]]; then
    echo "upgrade candidate is missing or not executable: $candidate" >&2
    rm -rf "$update_dir"
    return 1
  fi
-  if ! apply_upgrade "$candidate" "$bin" "$backup" "$local_version" "$latest_version"; then
+  if [[ -n "$bwrap_candidate" && ! -x "$bwrap_candidate" ]]; then
+    echo "bundled bwrap candidate is missing or not executable: $bwrap_candidate" >&2
+    rm -rf "$update_dir"
+    return 1
+  fi
+  if ! apply_upgrade "$candidate" "$bwrap_candidate" "$bin" "$backup" "$local_version" "$latest_version"; then
    rc=1
  fi
  rm -rf "$update_dir"
@@ -577,7 +700,7 @@ case "$cmd" in
    ;;
  __apply-upgrade)
    shift || true
-    if [[ $# -ne 6 ]]; then echo "invalid upgrade worker arguments" >&2; exit 2; fi
+    if [[ $# -ne 7 ]]; then echo "invalid upgrade worker arguments" >&2; exit 2; fi
    apply_upgrade_worker "$@"
    ;;
  -h|--help|help)