use crate::product::protocol::models::ShellCommandToolCallParams;
use crate::product::protocol::models::ShellToolCallParams;
use async_trait::async_trait;
use std::sync::Arc;
use crate::product::agent::codex::TurnContext;
use crate::product::agent::exec::ExecParams;
use crate::product::agent::exec_env::create_env;
use crate::product::agent::exec_policy::ExecApprovalRequest;
use crate::product::agent::function_tool::FunctionCallError;
use crate::product::agent::is_safe_command::is_known_safe_command;
use crate::product::agent::protocol::ExecCommandSource;
use crate::product::agent::shell::Shell;
use crate::product::agent::tools::context::ToolInvocation;
use crate::product::agent::tools::context::ToolOutput;
use crate::product::agent::tools::context::ToolPayload;
use crate::product::agent::tools::events::ToolEmitter;
use crate::product::agent::tools::events::ToolEventCtx;
use crate::product::agent::tools::handlers::apply_patch::intercept_apply_patch;
use crate::product::agent::tools::handlers::parse_arguments;
use crate::product::agent::tools::orchestrator::ToolOrchestrator;
use crate::product::agent::tools::registry::ToolHandler;
use crate::product::agent::tools::registry::ToolKind;
use crate::product::agent::tools::runtimes::shell::ShellRequest;
use crate::product::agent::tools::runtimes::shell::ShellRuntime;
use crate::product::agent::tools::sandboxing::ToolCtx;
pub struct ShellHandler;
pub struct ShellCommandHandler;
struct RunExecLikeArgs {
tool_name: String,
exec_params: ExecParams,
prefix_rule: Option<Vec<String>>,
session: Arc<crate::product::agent::codex::Session>,
turn: Arc<TurnContext>,
tracker: crate::product::agent::tools::context::SharedTurnDiffTracker,
call_id: String,
freeform: bool,
}
impl ShellHandler {
fn to_exec_params(params: &ShellToolCallParams, turn_context: &TurnContext) -> ExecParams {
ExecParams {
command: params.command.clone(),
cwd: turn_context.resolve_path(params.workdir.clone()),
expiration: params.timeout_ms.into(),
env: create_env(&turn_context.shell_environment_policy),
sandbox_permissions: params.sandbox_permissions.unwrap_or_default(),
windows_sandbox_level: turn_context.windows_sandbox_level,
justification: params.justification.clone(),
arg0: None,
}
}
}
impl ShellCommandHandler {
fn base_command(shell: &Shell, command: &str, login: Option<bool>) -> Vec<String> {
let use_login_shell = login.unwrap_or(true);
shell.derive_exec_args(command, use_login_shell)
}
fn to_exec_params(
params: &ShellCommandToolCallParams,
session: &crate::product::agent::codex::Session,
turn_context: &TurnContext,
) -> ExecParams {
let shell = session.user_shell();
let command = Self::base_command(shell.as_ref(), ¶ms.command, params.login);
ExecParams {
command,
cwd: turn_context.resolve_path(params.workdir.clone()),
expiration: params.timeout_ms.into(),
env: create_env(&turn_context.shell_environment_policy),
sandbox_permissions: params.sandbox_permissions.unwrap_or_default(),
windows_sandbox_level: turn_context.windows_sandbox_level,
justification: params.justification.clone(),
arg0: None,
}
}
}
#[async_trait]
impl ToolHandler for ShellHandler {
fn kind(&self) -> ToolKind {
ToolKind::Function
}
fn matches_kind(&self, payload: &ToolPayload) -> bool {
matches!(
payload,
ToolPayload::Function { .. } | ToolPayload::LocalShell { .. }
)
}
async fn is_mutating(&self, invocation: &ToolInvocation) -> bool {
match &invocation.payload {
ToolPayload::Function { arguments } => {
serde_json::from_str::<ShellToolCallParams>(arguments)
.map(|params| !is_known_safe_command(¶ms.command))
.unwrap_or(true)
}
ToolPayload::LocalShell { params } => !is_known_safe_command(¶ms.command),
_ => true, }
}
async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
let ToolInvocation {
session,
turn,
tracker,
call_id,
tool_name,
payload,
} = invocation;
match payload {
ToolPayload::Function { arguments } => {
let params: ShellToolCallParams = parse_arguments(&arguments)?;
validate_argv_command(¶ms.command)?;
let prefix_rule = params.prefix_rule.clone();
let exec_params = Self::to_exec_params(¶ms, turn.as_ref());
Self::run_exec_like(RunExecLikeArgs {
tool_name: tool_name.clone(),
exec_params,
prefix_rule,
session,
turn,
tracker,
call_id,
freeform: false,
})
.await
}
ToolPayload::LocalShell { params } => {
validate_argv_command(¶ms.command)?;
let exec_params = Self::to_exec_params(¶ms, turn.as_ref());
Self::run_exec_like(RunExecLikeArgs {
tool_name: tool_name.clone(),
exec_params,
prefix_rule: None,
session,
turn,
tracker,
call_id,
freeform: false,
})
.await
}
_ => Err(FunctionCallError::RespondToModel(format!(
"unsupported payload for shell handler: {tool_name}"
))),
}
}
}
#[async_trait]
impl ToolHandler for ShellCommandHandler {
fn kind(&self) -> ToolKind {
ToolKind::Function
}
fn matches_kind(&self, payload: &ToolPayload) -> bool {
matches!(payload, ToolPayload::Function { .. })
}
async fn is_mutating(&self, invocation: &ToolInvocation) -> bool {
let ToolPayload::Function { arguments } = &invocation.payload else {
return true;
};
serde_json::from_str::<ShellCommandToolCallParams>(arguments)
.map(|params| {
let shell = invocation.session.user_shell();
let command = Self::base_command(shell.as_ref(), ¶ms.command, params.login);
!is_known_safe_command(&command)
})
.unwrap_or(true)
}
async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
let ToolInvocation {
session,
turn,
tracker,
call_id,
tool_name,
payload,
} = invocation;
let ToolPayload::Function { arguments } = payload else {
return Err(FunctionCallError::RespondToModel(format!(
"unsupported payload for shell_command handler: {tool_name}"
)));
};
let params: ShellCommandToolCallParams = parse_arguments(&arguments)?;
validate_shell_command(¶ms.command)?;
let prefix_rule = params.prefix_rule.clone();
let exec_params = Self::to_exec_params(¶ms, session.as_ref(), turn.as_ref());
ShellHandler::run_exec_like(RunExecLikeArgs {
tool_name,
exec_params,
prefix_rule,
session,
turn,
tracker,
call_id,
freeform: true,
})
.await
}
}
fn validate_shell_command(command: &str) -> Result<(), FunctionCallError> {
if command.trim().is_empty() {
Err(FunctionCallError::RespondToModel(
"command must be non-empty".to_string(),
))
} else {
Ok(())
}
}
fn validate_argv_command(command: &[String]) -> Result<(), FunctionCallError> {
if command.first().is_none_or(String::is_empty) {
Err(FunctionCallError::RespondToModel(
"command must be non-empty".to_string(),
))
} else {
Ok(())
}
}
impl ShellHandler {
async fn run_exec_like(args: RunExecLikeArgs) -> Result<ToolOutput, FunctionCallError> {
let RunExecLikeArgs {
tool_name,
exec_params,
prefix_rule,
session,
turn,
tracker,
call_id,
freeform,
} = args;
let features = session.features();
let request_rule_enabled =
features.enabled(crate::product::agent::features::Feature::RequestRule);
let prefix_rule = if request_rule_enabled {
prefix_rule
} else {
None
};
let mut exec_params = exec_params;
let dependency_env = session.dependency_env().await;
if !dependency_env.is_empty() {
exec_params.env.extend(dependency_env);
}
if exec_params
.sandbox_permissions
.requires_escalated_permissions()
&& !matches!(
turn.approval_policy,
crate::product::protocol::protocol::AskForApproval::OnRequest
)
{
let approval_policy = turn.approval_policy;
return Err(FunctionCallError::RespondToModel(format!(
"approval policy is {approval_policy:?}; reject command — you should not ask for escalated permissions if the approval policy is {approval_policy:?}"
)));
}
if let Some(output) = intercept_apply_patch(
&exec_params.command,
&exec_params.cwd,
exec_params.expiration.timeout_ms(),
session.as_ref(),
turn.as_ref(),
Some(&tracker),
&call_id,
tool_name.as_str(),
)
.await?
{
return Ok(output);
}
let source = ExecCommandSource::Agent;
let emitter = ToolEmitter::shell(
exec_params.command.clone(),
exec_params.cwd.clone(),
source,
freeform,
);
let event_ctx = ToolEventCtx::new(session.as_ref(), turn.as_ref(), &call_id, None);
emitter.begin(event_ctx).await;
let exec_approval_requirement = session
.services
.exec_policy
.create_exec_approval_requirement_for_command(ExecApprovalRequest {
features: &features,
command: &exec_params.command,
approval_policy: turn.approval_policy,
sandbox_policy: &turn.sandbox_policy,
sandbox_permissions: exec_params.sandbox_permissions,
prefix_rule,
})
.await;
let req = ShellRequest {
command: exec_params.command.clone(),
cwd: exec_params.cwd.clone(),
timeout_ms: exec_params.expiration.timeout_ms(),
env: exec_params.env.clone(),
sandbox_permissions: exec_params.sandbox_permissions,
justification: exec_params.justification.clone(),
exec_approval_requirement,
};
let mut orchestrator = ToolOrchestrator::new();
let mut runtime = ShellRuntime::new();
let tool_ctx = ToolCtx {
session: session.as_ref(),
turn: turn.as_ref(),
call_id: call_id.clone(),
tool_name,
};
let out = orchestrator
.run(&mut runtime, &req, &tool_ctx, &turn, turn.approval_policy)
.await;
let event_ctx = ToolEventCtx::new(session.as_ref(), turn.as_ref(), &call_id, None);
let content = emitter.finish(event_ctx, out).await?;
Ok(ToolOutput::Function {
content,
content_items: None,
success: Some(true),
})
}
}
#[cfg(test)]
mod tests {
use std::path::PathBuf;
use std::sync::Arc;
use crate::product::protocol::models::ShellCommandToolCallParams;
use crate::product::protocol::models::ShellToolCallParams;
use pretty_assertions::assert_eq;
use super::validate_argv_command;
use super::validate_shell_command;
use crate::product::agent::codex::make_session_and_context;
use crate::product::agent::exec_env::create_env;
use crate::product::agent::function_tool::FunctionCallError;
use crate::product::agent::is_safe_command::is_known_safe_command;
use crate::product::agent::powershell::try_find_powershell_executable_blocking;
use crate::product::agent::powershell::try_find_pwsh_executable_blocking;
use crate::product::agent::sandboxing::SandboxPermissions;
use crate::product::agent::shell::Shell;
use crate::product::agent::shell::ShellType;
use crate::product::agent::shell_snapshot::ShellSnapshot;
use crate::product::agent::tools::handlers::ShellCommandHandler;
use tokio::sync::watch;
fn shell_command_params(command: &str) -> ShellCommandToolCallParams {
ShellCommandToolCallParams {
command: command.to_string(),
workdir: None,
login: None,
timeout_ms: None,
sandbox_permissions: None,
prefix_rule: None,
justification: None,
}
}
fn shell_params(command: Vec<String>) -> ShellToolCallParams {
ShellToolCallParams {
command,
workdir: None,
timeout_ms: None,
sandbox_permissions: None,
prefix_rule: None,
justification: None,
}
}
fn non_empty_command_error() -> FunctionCallError {
FunctionCallError::RespondToModel("command must be non-empty".to_string())
}
#[test]
fn validate_shell_command_rejects_empty_command() {
let params = shell_command_params("");
assert_eq!(
validate_shell_command(¶ms.command),
Err(non_empty_command_error())
);
}
#[test]
fn validate_shell_command_rejects_whitespace_command() {
let params = shell_command_params(" \n\t");
assert_eq!(
validate_shell_command(¶ms.command),
Err(non_empty_command_error())
);
}
#[test]
fn validate_argv_command_rejects_empty_command() {
let params = shell_params(Vec::new());
assert_eq!(
validate_argv_command(¶ms.command),
Err(non_empty_command_error())
);
}
#[test]
fn validate_argv_command_rejects_empty_program_name() {
let params = shell_params(vec!["".to_string()]);
assert_eq!(
validate_argv_command(¶ms.command),
Err(non_empty_command_error())
);
let params = shell_params(vec!["".to_string(), "arg".to_string()]);
assert_eq!(
validate_argv_command(¶ms.command),
Err(non_empty_command_error())
);
}
#[test]
fn validate_argv_command_accepts_empty_arguments() {
let params = shell_params(vec!["printf".to_string(), "%s".to_string(), "".to_string()]);
assert_eq!(validate_argv_command(¶ms.command), Ok(()));
let params = shell_params(vec!["test".to_string(), "-z".to_string(), "".to_string()]);
assert_eq!(validate_argv_command(¶ms.command), Ok(()));
}
#[test]
fn validate_commands_accept_non_empty_commands() {
let shell_command = shell_command_params("echo hello");
let argv_command = shell_params(vec!["echo".to_string(), "hello".to_string()]);
assert_eq!(validate_shell_command(&shell_command.command), Ok(()));
assert_eq!(validate_argv_command(&argv_command.command), Ok(()));
}
#[test]
fn commands_generated_by_shell_command_handler_can_be_matched_by_is_known_safe_command() {
let bash_shell = Shell {
shell_type: ShellType::Bash,
shell_path: PathBuf::from("/bin/bash"),
shell_snapshot: crate::product::agent::shell::empty_shell_snapshot_receiver(),
};
assert_safe(&bash_shell, "ls -la");
let zsh_shell = Shell {
shell_type: ShellType::Zsh,
shell_path: PathBuf::from("/bin/zsh"),
shell_snapshot: crate::product::agent::shell::empty_shell_snapshot_receiver(),
};
assert_safe(&zsh_shell, "ls -la");
if let Some(path) = try_find_powershell_executable_blocking() {
let powershell = Shell {
shell_type: ShellType::PowerShell,
shell_path: path.to_path_buf(),
shell_snapshot: crate::product::agent::shell::empty_shell_snapshot_receiver(),
};
assert_safe(&powershell, "ls -Name");
}
if let Some(path) = try_find_pwsh_executable_blocking() {
let pwsh = Shell {
shell_type: ShellType::PowerShell,
shell_path: path.to_path_buf(),
shell_snapshot: crate::product::agent::shell::empty_shell_snapshot_receiver(),
};
assert_safe(&pwsh, "ls -Name");
}
}
fn assert_safe(shell: &Shell, command: &str) {
assert!(is_known_safe_command(
&shell.derive_exec_args(command, true)
));
assert!(is_known_safe_command(
&shell.derive_exec_args(command, false)
));
}
#[tokio::test]
async fn shell_command_handler_to_exec_params_uses_session_shell_and_turn_context() {
let (session, turn_context) = make_session_and_context().await;
let command = "echo hello".to_string();
let workdir = Some("subdir".to_string());
let login = None;
let timeout_ms = Some(1234);
let sandbox_permissions = SandboxPermissions::RequireEscalated;
let justification = Some("because tests".to_string());
let expected_command = session.user_shell().derive_exec_args(&command, true);
let expected_cwd = turn_context.resolve_path(workdir.clone());
let expected_env = create_env(&turn_context.shell_environment_policy);
let params = ShellCommandToolCallParams {
command,
workdir,
login,
timeout_ms,
sandbox_permissions: Some(sandbox_permissions),
prefix_rule: None,
justification: justification.clone(),
};
let exec_params = ShellCommandHandler::to_exec_params(¶ms, &session, &turn_context);
assert_eq!(exec_params.command, expected_command);
assert_eq!(exec_params.cwd, expected_cwd);
assert_eq!(exec_params.env, expected_env);
assert_eq!(exec_params.expiration.timeout_ms(), timeout_ms);
assert_eq!(exec_params.sandbox_permissions, sandbox_permissions);
assert_eq!(exec_params.justification, justification);
assert_eq!(exec_params.arg0, None);
}
#[test]
fn shell_command_handler_respects_explicit_login_flag() {
let (_tx, shell_snapshot) = watch::channel(Some(Arc::new(ShellSnapshot {
path: PathBuf::from("/tmp/snapshot.sh"),
})));
let shell = Shell {
shell_type: ShellType::Bash,
shell_path: PathBuf::from("/bin/bash"),
shell_snapshot,
};
let login_command =
ShellCommandHandler::base_command(&shell, "echo login shell", Some(true));
assert_eq!(
login_command,
shell.derive_exec_args("echo login shell", true)
);
let non_login_command =
ShellCommandHandler::base_command(&shell, "echo non login shell", Some(false));
assert_eq!(
non_login_command,
shell.derive_exec_args("echo non login shell", false)
);
}
}