@pushpalsdev/cli 1.0.49 → 1.0.51

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pushpalsdev/cli",
-  "version": "1.0.49",
+  "version": "1.0.51",
   "description": "PushPals terminal CLI for LocalBuddy -> RemoteBuddy orchestration",
   "license": "MIT",
   "repository": {

package/runtime/sandbox/apps/workerpals/src/backends/openai_codex/openai_codex_executor.py

@@ -77,11 +77,16 @@ _CODEX_WORKAROUND_NEGATION_HINTS = (
 _REJECTED_EXEC_COMMAND_PATTERN = re.compile(r"exec_command failed for `([^`]+)`", re.IGNORECASE)
 _DISALLOWED_SHELL_WRAPPER_PREFIXES = (
     "/bin/bash -lc ",
+    "/bin/bash -c ",
     "bash -lc ",
+    "bash -c ",
     "sh -lc ",
+    "sh -c ",
     "cmd /c ",
     "powershell -command ",
+    "powershell.exe -command ",
     "pwsh -command ",
+    "pwsh.exe -command ",
 )
 
 _VALID_APPROVAL_POLICIES = {"untrusted", "on-failure", "on-request", "never"}
@@ -89,6 +94,12 @@ _VALID_SANDBOX_POLICIES = {"read-only", "workspace-write", "danger-full-access"}
 _VALID_COLORS = {"always", "never", "auto"}
 _VALID_AUTH_MODES = {"auto", "api_key", "chatgpt"}
 _VALID_REASONING_EFFORTS = {"low", "medium", "high", "xhigh"}
+_DIRECT_COMMAND_POLICY_GUIDANCE = (
+    "Command-router policy: use direct commands only. Do not invoke `/bin/bash -lc`, `bash -c`, "
+    "`sh -lc`, `cmd /c`, `powershell -Command`, or `pwsh -Command`. Run the direct command "
+    "instead, such as `pwd`, `git status --porcelain`, `git diff -- path`, `ls dir`, "
+    "`cat file`, `sed -n '1,160p' file`, or `bun test <path>`."
+)
 
 
 def _model_supports_xhigh_reasoning(model: str) -> bool:
@@ -981,6 +992,81 @@ def _collect_disallowed_shell_wrapper_rejections(*texts: str) -> List[str]:
     return rejected
 
 
+def _unwrap_shell_wrapper_command(command: str) -> str:
+    normalized = _normalize_command_text(command)
+    if not normalized:
+        return ""
+    try:
+        parts = shlex.split(normalized, posix=True)
+    except ValueError:
+        return ""
+    if len(parts) < 3:
+        return ""
+    executable = str(parts[0] or "").strip().lower()
+    flag = str(parts[1] or "").strip().lower()
+    if executable in {"/bin/bash", "bash", "sh"} and flag in {"-lc", "-c"}:
+        return _normalize_command_text(" ".join(parts[2:]))
+    if executable == "cmd" and flag == "/c":
+        return _normalize_command_text(" ".join(parts[2:]))
+    if executable in {"powershell", "powershell.exe", "pwsh", "pwsh.exe"} and flag == "-command":
+        return _normalize_command_text(" ".join(parts[2:]))
+    return ""
+
+
+def _build_wrapper_recovery_guidance(rejected_commands: List[str]) -> str:
+    direct_equivalents: List[str] = []
+    seen: set[str] = set()
+    for command in rejected_commands:
+        direct = _unwrap_shell_wrapper_command(command)
+        lowered = direct.lower()
+        if not direct or lowered in seen:
+            continue
+        seen.add(lowered)
+        direct_equivalents.append(f"- `{command}` -> `{direct}`")
+    guidance_lines = [
+        "Command-router recovery: the previous attempt retried disallowed shell wrappers.",
+        "Retry once using direct commands only. Do not use `/bin/bash -lc`, `bash -c`, `sh -lc`, `cmd /c`, `powershell -Command`, `pwsh -Command`, pipelines, or chained shell snippets.",
+        "If you need to inspect files or git state, run the direct command itself (for example `git diff --name-only`, `git status --porcelain`, `ls path`, `cat file`, or `sed -n '1,120p' file`).",
+    ]
+    if direct_equivalents:
+        guidance_lines.append("Use these direct replacements for the rejected commands:")
+        guidance_lines.extend(direct_equivalents[:6])
+    return "\n".join(guidance_lines)
+
+
+def _merge_usage_records(first: Any, second: Any) -> Dict[str, Any]:
+    first_record = first if isinstance(first, dict) else {}
+    second_record = second if isinstance(second, dict) else {}
+    if not first_record:
+        return dict(second_record)
+    if not second_record:
+        return dict(first_record)
+    prompt_tokens = to_int(first_record.get("promptTokens"), 0) + to_int(
+        second_record.get("promptTokens"), 0
+    )
+    completion_tokens = to_int(first_record.get("completionTokens"), 0) + to_int(
+        second_record.get("completionTokens"), 0
+    )
+    merged = dict(second_record)
+    merged["promptTokens"] = prompt_tokens
+    merged["completionTokens"] = completion_tokens
+    merged["totalTokens"] = prompt_tokens + completion_tokens
+    merged["estimated"] = bool(first_record.get("estimated")) or bool(second_record.get("estimated"))
+    if not merged.get("backend"):
+        merged["backend"] = first_record.get("backend")
+    if not merged.get("modelId"):
+        merged["modelId"] = first_record.get("modelId")
+    return merged
+
+
+def _augment_supplemental_guidance(supplemental_guidance: List[str]) -> List[str]:
+    normalized = [str(item or "").strip() for item in supplemental_guidance if str(item or "").strip()]
+    joined = "\n".join(normalized).lower()
+    if "direct commands only" in joined or "shell-wrapper" in joined or "/bin/bash -lc" in joined:
+        return normalized
+    return [_DIRECT_COMMAND_POLICY_GUIDANCE, *normalized]
+
+
 def _read_text_if_exists(path: Path) -> str:
     try:
         if not path.exists():
@@ -1008,6 +1094,9 @@ def _run_codex_task(
     repo: str,
     instruction: str,
     supplemental_guidance: List[str],
+    *,
+    wrapper_recovery_attempt: int = 0,
+    baseline_changes: Optional[List[str]] = None,
 ) -> Dict[str, Any]:
     global _ACTIVE_CHILD, _INTERRUPTED_SIGNAL
     _INTERRUPTED_SIGNAL = None
@@ -1064,8 +1153,9 @@ def _run_codex_task(
     use_json = runtime_config.json_output
     reasoning_effort = _resolve_reasoning_effort(runtime_config, model)
     communicate_timeout_s = _resolve_communicate_timeout_seconds(runtime_config)
-    prompt = _build_instruction(instruction, supplemental_guidance)
-    baseline_changes = summarize_git_changes(repo)
+    effective_supplemental_guidance = _augment_supplemental_guidance(supplemental_guidance)
+    prompt = _build_instruction(instruction, effective_supplemental_guidance)
+    baseline_snapshot = list(baseline_changes) if baseline_changes is not None else summarize_git_changes(repo)
 
     with tempfile.TemporaryDirectory(prefix="pushpals-codex-") as tmp_dir:
         last_message_path = Path(tmp_dir) / "codex-last-message.txt"
@@ -1376,6 +1466,37 @@ def _run_codex_task(
         log_git_status(repo, log)
 
         if command_policy_rejection_loop:
+            if wrapper_recovery_attempt < 1:
+                recovery_guidance = _build_wrapper_recovery_guidance(rejected_shell_wrappers)
+                if recovery_guidance:
+                    log.warning(
+                        "Codex hit a shell-wrapper rejection loop; retrying once with direct-command recovery guidance."
+                    )
+                    retry_result = _run_codex_task(
+                        repo,
+                        instruction,
+                        [*effective_supplemental_guidance, recovery_guidance],
+                        wrapper_recovery_attempt=wrapper_recovery_attempt + 1,
+                        baseline_changes=baseline_snapshot,
+                    )
+                    retry_result["usage"] = _merge_usage_records(usage, retry_result.get("usage"))
+                    if retry_result.get("ok"):
+                        recovered_stdout = str(retry_result.get("stdout") or "").strip()
+                        retry_result["stdout"] = _truncate(
+                            (
+                                "Recovered after the first Codex attempt hit command-router shell-wrapper rejections.\n\n"
+                                f"{recovered_stdout}"
+                            ).strip()
+                        )
+                    else:
+                        retry_stderr = str(retry_result.get("stderr") or "").strip()
+                        retry_result["stderr"] = _truncate(
+                            (
+                                "The first Codex attempt hit command-router shell-wrapper rejections and was retried once with direct-command recovery guidance.\n\n"
+                                f"{retry_stderr}"
+                            ).strip()
+                        )
+                    return retry_result
             command_lines = (
                 "\n".join(f"- {command}" for command in rejected_shell_wrappers[:6])
                 if rejected_shell_wrappers
@@ -1460,7 +1581,7 @@ def _run_codex_task(
             }
 
         changed_paths = summarize_git_changes(repo)
-        delta = [p for p in changed_paths if p not in baseline_changes]
+        delta = [p for p in changed_paths if p not in baseline_snapshot]
         effective = delta if delta else changed_paths
         stdout_parts: List[str] = []
         if last_message:

package/runtime/sandbox/apps/workerpals/src/backends/openai_codex/test_openai_codex_runtime_config.py

@@ -13,6 +13,7 @@ for path in (_HERE, _SHARED):
 from executor_base import SettingsResolver, config_dir_for_runtime_config, runtime_config
 from openai_codex_executor import (
     OpenAICodexRuntimeConfig,
+    _augment_supplemental_guidance,
     _resolve_reasoning_effort,
     _build_instruction,
     _collect_disallowed_shell_wrapper_rejections,
@@ -20,6 +21,7 @@ from openai_codex_executor import (
     _extract_usage_counts,
     _load_prompt_template,
     _repo_root_for_prompt_loading,
+    _unwrap_shell_wrapper_command,
     _usage_from_trace_or_estimate,
 )
 
@@ -200,10 +202,35 @@ class OpenAICodexRuntimeConfigTests(unittest.TestCase):
     def test_collects_disallowed_shell_wrapper_rejections(self) -> None:
         commands = _collect_disallowed_shell_wrapper_rejections(
             "error=exec_command failed for `/bin/bash -lc pwd`: CreateProcess { message: \"Rejected\" }",
+            "error=exec_command failed for `/bin/bash -c \"git status --porcelain\"`: Rejected",
             "error=exec_command failed for `sh -lc \"git diff\"`: Rejected",
             "error=exec_command failed for `pwd`: Rejected",
         )
-        self.assertEqual(commands, ["/bin/bash -lc pwd", 'sh -lc "git diff"'])
+        self.assertEqual(
+            commands,
+            ["/bin/bash -lc pwd", '/bin/bash -c "git status --porcelain"', 'sh -lc "git diff"'],
+        )
+
+    def test_unwraps_disallowed_shell_wrapper_commands_to_direct_commands(self) -> None:
+        self.assertEqual(
+            _unwrap_shell_wrapper_command("/bin/bash -lc 'git diff --name-only'"),
+            "git diff --name-only",
+        )
+        self.assertEqual(
+            _unwrap_shell_wrapper_command('cmd /c dir /b'),
+            "dir /b",
+        )
+        self.assertEqual(
+            _unwrap_shell_wrapper_command('pwsh -Command "Get-ChildItem src"'),
+            "Get-ChildItem src",
+        )
+
+    def test_augments_guidance_with_direct_command_policy_once(self) -> None:
+        guidance = _augment_supplemental_guidance(["Run bun test tests/example.test.ts"])
+        self.assertGreaterEqual(len(guidance), 2)
+        self.assertIn("direct commands only", guidance[0].lower())
+        guidance_again = _augment_supplemental_guidance(guidance)
+        self.assertEqual(guidance_again, guidance)
 
     def test_usage_falls_back_to_estimate_when_trace_has_no_usage(self) -> None:
         usage = _usage_from_trace_or_estimate({}, "abc" * 30, "done", model="gpt-5.4")

package/runtime/sandbox/package.json

@@ -45,6 +45,7 @@
     "test:prompt-policy": "bun test tests/prompt-policy.enforcement.test.ts",
     "test:cli:integration": "bun test tests/cli.invocation-logging.test.ts tests/cli.runtime-bootstrap.test.ts tests/client.runtime-bootstrap.test.ts tests/shared.client-preflight.test.ts",
     "test:cli:e2e": "bun test ./tests/integration/cli.e2e.ts",
+    "test:workerpals:e2e": "bun test ./tests/integration/workerpals.control-plane.e2e.ts",
     "test:start:e2e": "bun test ./tests/integration/start.e2e.ts",
     "test:root": "bun test tests",
     "test:protocol": "bun run tests/protocol.integration.ts",