Skip to content

Commit 6a02ed1

Browse files
aibrahim-oaiaibrahim-oai
committed
shell-esdc
1 parent 3c8fc04 commit 6a02ed1

File tree

1 file changed

+32
-32
lines changed

1 file changed

+32
-32
lines changed

codex-rs/core/src/safety.rs

Lines changed: 32 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -19,38 +19,6 @@ pub enum SafetyCheck {
1919
Reject { reason: String },
2020
}
2121

22-
/// Forbidden escalation is when the model asks for escalated permissions when it should not have to
23-
/// Rules:
24-
/// The model shouldn't ask for escalated permissions if the command is trusted
25-
/// The model shouldn't ask for escalated permissions if the approval policy is Never
26-
/// The model shouldn't ask for escalated permissions if the approval policy is OnFailure and it hasn't failed
27-
fn reject_forbidden_escalation(
28-
approval_policy: AskForApproval,
29-
with_escalated_permissions: bool,
30-
command_is_trusted: bool,
31-
) -> Option<SafetyCheck> {
32-
if !with_escalated_permissions {
33-
return None;
34-
}
35-
36-
let reason = match approval_policy {
37-
Never => Some(
38-
"auto-rejected. You should not ask for escalated permissions if the approval policy is Never".to_string(),
39-
),
40-
OnFailure => Some(
41-
"auto-rejected. You should not ask for escalated permissions if the approval policy is OnFailure and it hasn't failed"
42-
.to_string(),
43-
),
44-
UnlessTrusted if command_is_trusted => Some(
45-
"auto-rejected. The command is already trusted under the UnlessTrusted approval policy. You do not need to ask for escalated permissions"
46-
.to_string(),
47-
),
48-
OnRequest | UnlessTrusted => None,
49-
}?;
50-
51-
Some(SafetyCheck::Reject { reason })
52-
}
53-
5422
pub fn assess_patch_safety(
5523
action: &ApplyPatchAction,
5624
policy: AskForApproval,
@@ -226,6 +194,38 @@ pub fn get_platform_sandbox() -> Option<SandboxType> {
226194
}
227195
}
228196

197+
/// Forbidden escalation is when the model asks for escalated permissions when it should not have to
198+
/// Rules:
199+
/// The model shouldn't ask for escalated permissions if the command is trusted
200+
/// The model shouldn't ask for escalated permissions if the approval policy is Never
201+
/// The model shouldn't ask for escalated permissions if the approval policy is OnFailure and it hasn't failed
202+
fn reject_forbidden_escalation(
203+
approval_policy: AskForApproval,
204+
with_escalated_permissions: bool,
205+
command_is_trusted: bool,
206+
) -> Option<SafetyCheck> {
207+
if !with_escalated_permissions {
208+
return None;
209+
}
210+
211+
let reason = match approval_policy {
212+
Never => Some(
213+
"auto-rejected. You should not ask for escalated permissions if the approval policy is Never".to_string(),
214+
),
215+
OnFailure => Some(
216+
"auto-rejected. You should not ask for escalated permissions if the approval policy is OnFailure and it hasn't failed"
217+
.to_string(),
218+
),
219+
UnlessTrusted if command_is_trusted => Some(
220+
"auto-rejected. The command is already trusted under the UnlessTrusted approval policy. You do not need to ask for escalated permissions"
221+
.to_string(),
222+
),
223+
OnRequest | UnlessTrusted => None,
224+
}?;
225+
226+
Some(SafetyCheck::Reject { reason })
227+
}
228+
229229
fn is_write_patch_constrained_to_writable_paths(
230230
action: &ApplyPatchAction,
231231
sandbox_policy: &SandboxPolicy,

0 commit comments

Comments
 (0)