fix: enforce trusted-before-project ordering for hooks#15936
Open
viyatb-oai wants to merge 47 commits intomainfrom
Open
fix: enforce trusted-before-project ordering for hooks#15936viyatb-oai wants to merge 47 commits intomainfrom
viyatb-oai wants to merge 47 commits intomainfrom
Conversation
viyatb-oai
force-pushed
the
codex/viyatb/hooks-trust-precedence
branch
from
8dfdefd to
a5e69ff
Compare
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9401e5ff84
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
viyatb-oai
changed the title
Co-authored-by: Codex noreply@openai.com
Co-authored-by: Codex noreply@openai.com
# Conflicts: # codex-rs/core/src/tasks/review.rs
viyatb-oai
force-pushed
the
codex/viyatb/hooks-trust-precedence
branch
from
9401e5f to
f0f222a
Compare
# Conflicts: # codex-rs/core/src/codex_tests.rs # codex-rs/core/src/config/mod.rs # codex-rs/core/src/config_loader/mod.rs
viyatb-oai
force-pushed
the
codex/viyatb/hooks-trust-precedence
branch
from
f0f222a to
456697a
Compare
# Conflicts: # codex-rs/core/src/config/mod.rs
viyatb-oai
force-pushed
the
codex/viyatb/hooks-trust-precedence
branch
from
456697a to
c564cda
Compare
Co-authored-by: Codex <noreply@openai.com>
viyatb-oai
force-pushed
the
codex/viyatb/hooks-trust-precedence
branch
from
c564cda to
647f61a
Compare
Co-authored-by: Codex <noreply@openai.com>
viyatb-oai
force-pushed
the
codex/viyatb/hooks-trust-precedence
branch
from
647f61a to
c22dec5
Compare
Keep canonical project trust keys first so persisted trusted project entries keep their existing lookup shape while still matching symlink aliases. Use the per-thread derived config for app-server thread-initialized analytics and isolate app-server integration subprocesses from host managed config by default. Co-authored-by: Codex <noreply@openai.com>
viyatb-oai
force-pushed
the
codex/viyatb/hooks-trust-precedence
branch
from
15872f2 to
6b3ef89
Compare
Use the production project trust key helper in hook trust tests and normalize the migrated project expectation so Windows canonical path handling matches runtime behavior. Co-authored-by: Codex <noreply@openai.com>
viyatb-oai
force-pushed
the
codex/viyatb/hooks-trust-precedence
branch
from
6b3ef89 to
d22f07a
Compare
Session-start hook discovery is disabled on Windows, so trust-loading assertions for hooks are not meaningful there. Keep the cross-platform project trust normalization regression covered separately. Co-authored-by: Codex <noreply@openai.com>
The session-start hook trust-loading assertions depend on hooks.json lifecycle hook discovery, which is intentionally disabled on Windows. Mark the two coverage tests ignored there so Windows CI stops expecting handlers that cannot load.\n\nCo-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex noreply@openai.com
Co-authored-by: Codex <noreply@openai.com>
viyatb-oai
force-pushed
the
codex/viyatb/hooks-trust-precedence
branch
from
d22f07a to
8110afa
Compare
The observer hook precedence tests only need an ASCII stdout fixture. Avoid Windows PowerShell as the test shell so the JSON stop/block payload reaches the hook parser reliably when stdout is piped.\n\nCo-authored-by: Codex <noreply@openai.com>
cmd.exe removes unescaped JSON quotes before echoing. Caret-escape the quotes so the observer hook stop/block tests feed valid JSON to the hook output parser on Windows.\n\nCo-authored-by: Codex <noreply@openai.com>
Re-enable hook discovery on Windows so the trust-gating tests cover the real behavior instead of skipping it. Avoid alias-expanded project maps that can let a configured symlink alias satisfy the canonical project lookup; keep exact/case-normalized matching deterministic instead. Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex noreply@openai.com
Co-authored-by: Codex noreply@openai.com
Co-authored-by: Codex noreply@openai.com
Co-authored-by: Codex noreply@openai.com
Co-authored-by: Codex noreply@openai.com
…om:openai/codex into codex/viyatb/pr15936-p3
Co-authored-by: Codex noreply@openai.com
…om:openai/codex into codex/viyatb/pr15936-p3
viyatb-oai
added a commit
that referenced
this pull request
Apr 18, 2026
## Summary - trust-gate project `.codex` layers consistently, including repos that have `.codex/hooks.json` or `.codex/execpolicy/*.rules` but no `.codex/config.toml` - keep disabled project layers in the config stack so nested trusted project layers still resolve correctly, while preventing hooks and exec policies from loading until the project is trusted - update app-server/TUI onboarding copy to make the trust boundary explicit and add regressions for loader, hooks, exec-policy, and onboarding coverage ## Security Before this change, an untrusted repo could auto-load project hooks or exec policies from `.codex/` as long as `config.toml` was absent. This makes trust the single gate for project-local config, hooks, and exec policies. ## Stack - Parent of #15936 ## Test - cargo test -p codex-core without_config_toml --------- Co-authored-by: Codex <noreply@openai.com>
Base automatically changed from
codex/viyatb/trusted-project-config-gating
to
main
April 18, 2026 00:57
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex noreply@openai.com
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
PreToolUse,SessionStart, andUserPromptSubmitSecurity
PreToolUserace where a project hook could observe or exfiltrate a tool invocation before a higher-precedence non-project hook denied itUserPromptSubmitorSessionStarthooks could observe prompt or startup data before a higher-precedence hook stopped processingStack
mainTest
cargo test -p codex-hookscargo test -p codex-hooks higher_precedence_stop_skips_lower_precedence_handlerscargo clippy -p codex-hooks --tests -- -D warningsjust argument-comment-lint -p codex-hooks -- --tests