instar 1.2.66 → 1.2.67
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/core/codexCapabilities.d.ts +31 -0
- package/dist/core/codexCapabilities.d.ts.map +1 -0
- package/dist/core/codexCapabilities.js +56 -0
- package/dist/core/codexCapabilities.js.map +1 -0
- package/dist/core/frameworkSessionLaunch.d.ts.map +1 -1
- package/dist/core/frameworkSessionLaunch.js +13 -0
- package/dist/core/frameworkSessionLaunch.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +2 -2
- package/upgrades/1.2.67.md +57 -0
- package/upgrades/side-effects/codex-hook-trust-bypass.md +37 -0
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* codexCapabilities — runtime feature detection for the Codex CLI.
|
|
3
|
+
*
|
|
4
|
+
* Codex's flag surface changes across versions, and instar agents run whatever
|
|
5
|
+
* codex the operator has installed (0.130 → 0.133+ all observed). Rather than
|
|
6
|
+
* track a version matrix, we probe the binary's `--help` once per binary path
|
|
7
|
+
* and cache the answer. Builders gate version-specific flags on these probes so
|
|
8
|
+
* an older codex never receives a flag it would reject (which would fail the
|
|
9
|
+
* whole launch).
|
|
10
|
+
*/
|
|
11
|
+
/**
|
|
12
|
+
* Whether `<binaryPath>` accepts `--dangerously-bypass-hook-trust`.
|
|
13
|
+
*
|
|
14
|
+
* The flag was added in codex 0.133 ("Run enabled hooks without requiring
|
|
15
|
+
* persisted hook trust for this invocation") and is ABSENT in 0.131/0.130.
|
|
16
|
+
* instar launches codex with this flag so its OWN safety hooks
|
|
17
|
+
* (installCodexHooks) run automatically with no interactive "trust these hooks?"
|
|
18
|
+
* prompt — which would otherwise freeze an unattended/autonomous session. It is
|
|
19
|
+
* safe-by-construction here: instar both writes the hooks and owns the launch
|
|
20
|
+
* command, so there is no untrusted third-party hook to guard against, and the
|
|
21
|
+
* agent cannot strip a flag from a launch it doesn't construct.
|
|
22
|
+
*
|
|
23
|
+
* Fails closed: any probe error (missing binary, timeout, non-zero exit) returns
|
|
24
|
+
* false, so an undetectable/older codex simply omits the flag. The hooks still
|
|
25
|
+
* block dangerous actions in that case — they just sit behind codex's interactive
|
|
26
|
+
* trust prompt rather than running unprompted.
|
|
27
|
+
*/
|
|
28
|
+
export declare function codexSupportsHookTrustBypass(binaryPath: string): boolean;
|
|
29
|
+
/** Test-only: clear the memoization cache so a probe re-runs. */
|
|
30
|
+
export declare function __resetCodexCapabilityCache(): void;
|
|
31
|
+
//# sourceMappingURL=codexCapabilities.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"codexCapabilities.d.ts","sourceRoot":"","sources":["../../src/core/codexCapabilities.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAOH;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,4BAA4B,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAiBxE;AAED,iEAAiE;AACjE,wBAAgB,2BAA2B,IAAI,IAAI,CAElD"}
|
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* codexCapabilities — runtime feature detection for the Codex CLI.
|
|
3
|
+
*
|
|
4
|
+
* Codex's flag surface changes across versions, and instar agents run whatever
|
|
5
|
+
* codex the operator has installed (0.130 → 0.133+ all observed). Rather than
|
|
6
|
+
* track a version matrix, we probe the binary's `--help` once per binary path
|
|
7
|
+
* and cache the answer. Builders gate version-specific flags on these probes so
|
|
8
|
+
* an older codex never receives a flag it would reject (which would fail the
|
|
9
|
+
* whole launch).
|
|
10
|
+
*/
|
|
11
|
+
import { execFileSync } from 'node:child_process';
|
|
12
|
+
/** Memoized per binaryPath — `codex --help` is invoked at most once per path per process. */
|
|
13
|
+
const hookTrustBypassCache = new Map();
|
|
14
|
+
/**
|
|
15
|
+
* Whether `<binaryPath>` accepts `--dangerously-bypass-hook-trust`.
|
|
16
|
+
*
|
|
17
|
+
* The flag was added in codex 0.133 ("Run enabled hooks without requiring
|
|
18
|
+
* persisted hook trust for this invocation") and is ABSENT in 0.131/0.130.
|
|
19
|
+
* instar launches codex with this flag so its OWN safety hooks
|
|
20
|
+
* (installCodexHooks) run automatically with no interactive "trust these hooks?"
|
|
21
|
+
* prompt — which would otherwise freeze an unattended/autonomous session. It is
|
|
22
|
+
* safe-by-construction here: instar both writes the hooks and owns the launch
|
|
23
|
+
* command, so there is no untrusted third-party hook to guard against, and the
|
|
24
|
+
* agent cannot strip a flag from a launch it doesn't construct.
|
|
25
|
+
*
|
|
26
|
+
* Fails closed: any probe error (missing binary, timeout, non-zero exit) returns
|
|
27
|
+
* false, so an undetectable/older codex simply omits the flag. The hooks still
|
|
28
|
+
* block dangerous actions in that case — they just sit behind codex's interactive
|
|
29
|
+
* trust prompt rather than running unprompted.
|
|
30
|
+
*/
|
|
31
|
+
export function codexSupportsHookTrustBypass(binaryPath) {
|
|
32
|
+
if (!binaryPath)
|
|
33
|
+
return false;
|
|
34
|
+
const cached = hookTrustBypassCache.get(binaryPath);
|
|
35
|
+
if (cached !== undefined)
|
|
36
|
+
return cached;
|
|
37
|
+
let supported = false;
|
|
38
|
+
try {
|
|
39
|
+
const help = execFileSync(binaryPath, ['--help'], {
|
|
40
|
+
encoding: 'utf-8',
|
|
41
|
+
timeout: 5000,
|
|
42
|
+
stdio: ['ignore', 'pipe', 'ignore'],
|
|
43
|
+
});
|
|
44
|
+
supported = help.includes('--dangerously-bypass-hook-trust');
|
|
45
|
+
}
|
|
46
|
+
catch {
|
|
47
|
+
supported = false;
|
|
48
|
+
}
|
|
49
|
+
hookTrustBypassCache.set(binaryPath, supported);
|
|
50
|
+
return supported;
|
|
51
|
+
}
|
|
52
|
+
/** Test-only: clear the memoization cache so a probe re-runs. */
|
|
53
|
+
export function __resetCodexCapabilityCache() {
|
|
54
|
+
hookTrustBypassCache.clear();
|
|
55
|
+
}
|
|
56
|
+
//# sourceMappingURL=codexCapabilities.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"codexCapabilities.js","sourceRoot":"","sources":["../../src/core/codexCapabilities.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,6FAA6F;AAC7F,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAAmB,CAAC;AAExD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,4BAA4B,CAAC,UAAkB;IAC7D,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC9B,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACpD,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC;IACxC,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,YAAY,CAAC,UAAU,EAAE,CAAC,QAAQ,CAAC,EAAE;YAChD,QAAQ,EAAE,OAAO;YACjB,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC;QACH,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,iCAAiC,CAAC,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,SAAS,GAAG,KAAK,CAAC;IACpB,CAAC;IACD,oBAAoB,CAAC,GAAG,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IAChD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,2BAA2B;IACzC,oBAAoB,CAAC,KAAK,EAAE,CAAC;AAC/B,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"frameworkSessionLaunch.d.ts","sourceRoot":"","sources":["../../src/core/frameworkSessionLaunch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,kCAAkC,CAAC;
|
|
1
|
+
{"version":3,"file":"frameworkSessionLaunch.d.ts","sourceRoot":"","sources":["../../src/core/frameworkSessionLaunch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,kCAAkC,CAAC;AAG9E;;;;;;GAMG;AACH,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,UAAU,GAAG,SAAS,CAAC;AAE/D;;;;;;;;;GASG;AACH,wBAAgB,wBAAwB,CACtC,SAAS,EAAE,qBAAqB,EAChC,WAAW,EAAE,MAAM,GAAG,SAAS,GAC9B,MAAM,GAAG,SAAS,CA6BpB;AAmBD,MAAM,WAAW,wBAAwB;IACvC,kEAAkE;IAClE,UAAU,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,WAAW,GAAG,iBAAiB,GAAG,oBAAoB,CAAC;IAC1E;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,QAAQ,GAAG,UAAU,CAAC;IAC3C;;;;;;OAMG;IACH,kBAAkB,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CAC1D;AAED,MAAM,WAAW,qBAAqB;IACpC,kFAAkF;IAClF,IAAI,EAAE,MAAM,EAAE,CAAC;IACf;;;;OAIG;IACH,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACtC;AA8GD;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CACpC,SAAS,EAAE,qBAAqB,EAChC,OAAO,EAAE,wBAAwB,GAChC,qBAAqB,CAMvB;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,KAAK,EAAE;IACjD,OAAO,CAAC,EAAE,qBAAqB,CAAC;IAChC,eAAe,CAAC,EAAE,qBAAqB,CAAC;IACxC,YAAY,CAAC,EAAE,qBAAqB,GAAG,IAAI,CAAC;CAC7C,GAAG,qBAAqB,CAExB;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,kEAAkE;IAClE,UAAU,EAAE,MAAM,CAAC;IACnB,mCAAmC;IACnC,MAAM,EAAE,MAAM,CAAC;IACf;;;;;;;OAOG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,WAAW,GAAG,iBAAiB,GAAG,oBAAoB,CAAC;IAC1E;;;;;;;;OAQG;IACH,kBAAkB,CAAC,EAAE,QAAQ,GAAG,UAAU,CAAC;IAC3C;;;;;OAKG;IACH,kBAAkB,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IACzD;;;;;;;OAOG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,MAAM,WAAW,kBAAkB;IACjC,kFAAkF;IAClF,IAAI,EAAE,MAAM,EAAE,CAAC;IACf;;;;OAIG;IACH,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACtC;AAyFD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,mBAAmB,CACjC,SAAS,EAAE,qBAAqB,EAChC,OAAO,EAAE,qBAAqB,GAC7B,kBAAkB,CAMpB"}
|
|
@@ -12,6 +12,7 @@
|
|
|
12
12
|
* `BUILDERS`. The exhaustiveness check in `buildInteractiveLaunch`
|
|
13
13
|
* forces a compile error if a case is missed.
|
|
14
14
|
*/
|
|
15
|
+
import { codexSupportsHookTrustBypass } from './codexCapabilities.js';
|
|
15
16
|
/**
|
|
16
17
|
* Map a generic tier or framework-specific name to the concrete model
|
|
17
18
|
* string that should be passed to the framework's CLI. Pass-through for
|
|
@@ -155,6 +156,13 @@ const codexCliBuilder = (options) => {
|
|
|
155
156
|
else {
|
|
156
157
|
argv.push('--dangerously-bypass-approvals-and-sandbox');
|
|
157
158
|
}
|
|
159
|
+
// Run instar's own safety hooks (installCodexHooks) without the interactive
|
|
160
|
+
// "trust these hooks?" prompt that would otherwise freeze an unattended
|
|
161
|
+
// session. Gated on a capability probe — codex <0.133 lacks the flag and would
|
|
162
|
+
// reject it. Safe-by-construction: instar writes the hooks and owns the launch.
|
|
163
|
+
if (codexSupportsHookTrustBypass(options.binaryPath)) {
|
|
164
|
+
argv.push('--dangerously-bypass-hook-trust');
|
|
165
|
+
}
|
|
158
166
|
argv.push(...codexThreadlineMcpFlags(options.codexThreadlineMcp));
|
|
159
167
|
return {
|
|
160
168
|
argv,
|
|
@@ -255,6 +263,11 @@ const codexCliHeadlessBuilder = (options) => {
|
|
|
255
263
|
else {
|
|
256
264
|
argv.push('-s', 'workspace-write');
|
|
257
265
|
}
|
|
266
|
+
// Run instar's own safety hooks without a persisted-trust requirement (same
|
|
267
|
+
// rationale as the interactive builder; capability-gated for codex <0.133).
|
|
268
|
+
if (codexSupportsHookTrustBypass(options.binaryPath)) {
|
|
269
|
+
argv.push('--dangerously-bypass-hook-trust');
|
|
270
|
+
}
|
|
258
271
|
// -c overrides must precede the positional prompt in `codex exec`.
|
|
259
272
|
argv.push(...codexThreadlineMcpFlags(options.codexThreadlineMcp));
|
|
260
273
|
argv.push('-m', model, options.prompt);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"frameworkSessionLaunch.js","sourceRoot":"","sources":["../../src/core/frameworkSessionLaunch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;
|
|
1
|
+
{"version":3,"file":"frameworkSessionLaunch.js","sourceRoot":"","sources":["../../src/core/frameworkSessionLaunch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EAAE,4BAA4B,EAAE,MAAM,wBAAwB,CAAC;AAWtE;;;;;;;;;GASG;AACH,MAAM,UAAU,wBAAwB,CACtC,SAAgC,EAChC,WAA+B;IAE/B,IAAI,CAAC,WAAW;QAAE,OAAO,SAAS,CAAC;IACnC,MAAM,GAAG,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IAEtC,IAAI,SAAS,KAAK,aAAa,EAAE,CAAC;QAChC,iEAAiE;QACjE,kEAAkE;QAClE,8DAA8D;QAC9D,IAAI,GAAG,KAAK,MAAM;YAAE,OAAO,OAAO,CAAC;QACnC,IAAI,GAAG,KAAK,UAAU;YAAE,OAAO,QAAQ,CAAC;QACxC,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,MAAM,CAAC;QACrC,OAAO,WAAW,CAAC;IACrB,CAAC;IACD,IAAI,SAAS,KAAK,WAAW,EAAE,CAAC;QAC9B,iEAAiE;QACjE,+DAA+D;QAC/D,4DAA4D;QAC5D,0DAA0D;QAC1D,6DAA6D;QAC7D,2BAA2B;QAC3B,yEAAyE;QACzE,0EAA0E;QAC1E,mEAAmE;QACnE,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,OAAO;YAAE,OAAO,SAAS,CAAC,CAAQ,wBAAwB;QACxF,IAAI,GAAG,KAAK,UAAU,IAAI,GAAG,KAAK,QAAQ;YAAE,OAAO,cAAc,CAAC,CAAC,8BAA8B;QACjG,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,MAAM;YAAE,OAAO,SAAS,CAAC,CAAM,6BAA6B;QAC7F,OAAO,WAAW,CAAC;IACrB,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,uBAAuB,CAAC,GAAyC;IACxE,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,OAAO;QACL,IAAI,EAAE,kCAAkC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE;QACrE,IAAI,EAAE,+BAA+B,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;QAC/D,IAAI,EAAE,+BAA+B,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE;KAC/D,CAAC;AACJ,CAAC;AAsDD,MAAM,iBAAiB,GAAY,CAAC,OAAO,EAAE,EAAE;IAC7C,MAAM,IAAI,GAAa,CAAC,OAAO,CAAC,UAAU,EAAE,gCAAgC,CAAC,CAAC;IAC9E,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACjD,CAAC;IACD,OAAO;QACL,IAAI;QACJ,YAAY,EAAE;YACZ,qEAAqE;YACrE,UAAU,EAAE,EAAE;SACf;KACF,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,eAAe,GAAY,CAAC,OAAO,EAAE,EAAE;IAC3C,oEAAoE;IACpE,mEAAmE;IACnE,8DAA8D;IAC9D,kEAAkE;IAClE,kEAAkE;IAClE,2DAA2D;IAC3D,+DAA+D;IAC/D,iEAAiE;IACjE,gEAAgE;IAChE,gEAAgE;IAChE,kEAAkE;IAClE,kEAAkE;IAClE,qCAAqC;IACrC,qEAAqE;IACrE,iEAAiE;IACjE,2DAA2D;IAC3D,qEAAqE;IACrE,kEAAkE;IAClE,uDAAuD;IACvD,oEAAoE;IACpE,kEAAkE;IAClE,oEAAoE;IACpE,oBAAoB;IACpB,mEAAmE;IACnE,mEAAmE;IACnE,qEAAqE;IACrE,gEAAgE;IAChE,kEAAkE;IAClE,4DAA4D;IAC5D,gEAAgE;IAChE,oCAAoC;IACpC,MAAM,OAAO,GAAG,OAAO,CAAC,kBAAkB,KAAK,SAAS,CAAC;IACzD,MAAM,aAAa,GAAG,OAAO;QAC3B,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,IAAI,iBAAiB,CAAC;QAC7C,CAAC,CAAC,CAAC,wBAAwB,CAAC,WAAW,EAAE,OAAO,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,CAAC;IAE/E,wEAAwE;IACxE,wEAAwE;IACxE,wEAAwE;IACxE,oEAAoE;IACpE,iEAAiE;IACjE,2DAA2D;IAC3D,EAAE;IACF,mEAAmE;IACnE,sEAAsE;IACtE,yEAAyE;IACzE,sEAAsE;IACtE,qEAAqE;IACrE,uEAAuE;IACvE,mDAAmD;IACnD,MAAM,YAAY,GAAa,OAAO,CAAC,eAAe;QACpD,CAAC,CAAC,CAAC,QAAQ,EAAE,OAAO,CAAC,eAAe,CAAC;QACrC,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,IAAI,GAAa;QACrB,OAAO,CAAC,UAAU;QAClB,GAAG,YAAY;QACf,SAAS,EAAE,aAAa;KACzB,CAAC;IACF,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,CAAC,kBAAmB,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC,gBAAgB,EAAE,oBAAoB,EAAE,OAAO,CAAC,CAAC;IAClF,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;IAC1D,CAAC;IACD,4EAA4E;IAC5E,wEAAwE;IACxE,+EAA+E;IAC/E,gFAAgF;IAChF,IAAI,4BAA4B,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QACrD,IAAI,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;IAC/C,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAClE,OAAO;QACL,IAAI;QACJ,YAAY,EAAE;YACZ,uDAAuD;YACvD,+DAA+D;YAC/D,2DAA2D;YAC3D,UAAU,EAAE,EAAE;SACf;KACF,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,QAAQ,GAA2C;IACvD,aAAa,EAAE,iBAAiB;IAChC,WAAW,EAAE,eAAe;CAC7B,CAAC;AAEF;;;;;;;;GAQG;AACH,MAAM,UAAU,sBAAsB,CACpC,SAAgC,EAChC,OAAiC;IAEjC,MAAM,OAAO,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC;IACpC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,2DAA2D,SAAS,GAAG,CAAC,CAAC;IAC3F,CAAC;IACD,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,KAI3C;IACC,OAAO,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,eAAe,IAAI,KAAK,CAAC,YAAY,IAAI,aAAa,CAAC;AACvF,CAAC;AAsED,MAAM,yBAAyB,GAAoB,CAAC,OAAO,EAAE,EAAE;IAC7D,MAAM,IAAI,GAAa,CAAC,OAAO,CAAC,UAAU,EAAE,gCAAgC,CAAC,CAAC;IAC9E,MAAM,QAAQ,GAAG,wBAAwB,CAAC,aAAa,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACxE,IAAI,QAAQ,EAAE,CAAC;QACb,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACjC,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAChC,OAAO;QACL,IAAI;QACJ,YAAY,EAAE;YACZ,4DAA4D;YAC5D,UAAU,EAAE,EAAE;SACf;KACF,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,uBAAuB,GAAoB,CAAC,OAAO,EAAE,EAAE;IAC3D,2DAA2D;IAC3D,qFAAqF;IACrF,oEAAoE;IACpE,oEAAoE;IACpE,sCAAsC;IACtC,kEAAkE;IAClE,gEAAgE;IAChE,6DAA6D;IAC7D,sEAAsE;IACtE,wCAAwC;IACxC,MAAM,OAAO,GAAG,OAAO,CAAC,kBAAkB,KAAK,SAAS,CAAC;IACzD,MAAM,KAAK,GAAG,OAAO;QACnB,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,IAAI,iBAAiB,CAAC;QACtC,CAAC,CAAC,CAAC,wBAAwB,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,CAAC;IACxE,MAAM,IAAI,GAAa;QACrB,OAAO,CAAC,UAAU;QAClB,MAAM;QACN,QAAQ;QACR,uBAAuB;KACxB,CAAC;IACF,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,CAAC,kBAAmB,CAAC,CAAC;IACtE,CAAC;IACD,8BAA8B;IAC9B,wEAAwE;IACxE,iFAAiF;IACjF,yDAAyD;IACzD,EAAE;IACF,yEAAyE;IACzE,4EAA4E;IAC5E,6EAA6E;IAC7E,8EAA8E;IAC9E,6EAA6E;IAC7E,4EAA4E;IAC5E,yEAAyE;IACzE,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,gBAAgB,EAAE,oBAAoB,EAAE,OAAO,CAAC,CAAC;IAC3E,CAAC;SAAM,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;IAC1D,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IACrC,CAAC;IACD,4EAA4E;IAC5E,4EAA4E;IAC5E,IAAI,4BAA4B,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QACrD,IAAI,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;IAC/C,CAAC;IACD,mEAAmE;IACnE,IAAI,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAClE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IACvC,OAAO;QACL,IAAI;QACJ,YAAY,EAAE;YACZ,kEAAkE;YAClE,iEAAiE;YACjE,kEAAkE;YAClE,gEAAgE;YAChE,6CAA6C;YAC7C,UAAU,EAAE,EAAE;SACf;KACF,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,iBAAiB,GAAmD;IACxE,aAAa,EAAE,yBAAyB;IACxC,WAAW,EAAE,uBAAuB;CACrC,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,mBAAmB,CACjC,SAAgC,EAChC,OAA8B;IAE9B,MAAM,OAAO,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,wDAAwD,SAAS,GAAG,CAAC,CAAC;IACxF,CAAC;IACD,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC;AAC1B,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"$schema": "./builtin-manifest.schema.json",
|
|
3
3
|
"schemaVersion": 1,
|
|
4
|
-
"generatedAt": "2026-05-
|
|
5
|
-
"instarVersion": "1.2.
|
|
4
|
+
"generatedAt": "2026-05-25T02:30:22.480Z",
|
|
5
|
+
"instarVersion": "1.2.67",
|
|
6
6
|
"entryCount": 191,
|
|
7
7
|
"entries": {
|
|
8
8
|
"hook:session-start": {
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
# Upgrade Guide — Codex safety hooks run unprompted in autonomous sessions
|
|
2
|
+
|
|
3
|
+
<!-- bump: patch -->
|
|
4
|
+
<!-- patch = bug fixes, refactors, test additions, doc updates -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
**Codex (codex-cli) agents now run instar's safety hooks without the interactive
|
|
9
|
+
"trust these hooks?" prompt that would otherwise freeze an unattended session.**
|
|
10
|
+
|
|
11
|
+
Codex requires a one-time review/trust of any command hook before it runs. In an
|
|
12
|
+
interactive session that prompt blocks until answered — and it even offers a
|
|
13
|
+
"continue without trusting (hooks won't run)" option, so an agent could decline its
|
|
14
|
+
own guards. instar now launches codex with `--dangerously-bypass-hook-trust` (added
|
|
15
|
+
in codex 0.133), which runs the already-vetted instar hooks with no prompt.
|
|
16
|
+
|
|
17
|
+
This is safe-by-construction: instar both writes the hooks (`installCodexHooks`) and
|
|
18
|
+
owns the launch command, so there's no untrusted third-party hook to guard against,
|
|
19
|
+
and the agent can't strip a flag from a launch it doesn't construct. It's a per-agent
|
|
20
|
+
launch setting — it touches nothing system-wide and does not affect the operator's own
|
|
21
|
+
personal codex sessions (those still prompt normally).
|
|
22
|
+
|
|
23
|
+
The flag is **capability-gated**: instar probes `codex --help` once per binary and only
|
|
24
|
+
adds the flag when present. On codex <0.133 (which lacks the flag and would reject it),
|
|
25
|
+
it's omitted and behaviour degrades to the safe-by-blocking trust-prompt path.
|
|
26
|
+
|
|
27
|
+
## What to Tell Your User
|
|
28
|
+
|
|
29
|
+
If I'm running on Codex without you watching, my safety guard now kicks in on its own
|
|
30
|
+
instead of stopping to ask you "do you trust this guard?" first — a question that would
|
|
31
|
+
have frozen me mid-task, and that technically let me wave my own guard off. Now the
|
|
32
|
+
guard just runs. This only applies to how I launch Codex; when you use Codex yourself it
|
|
33
|
+
behaves exactly as before.
|
|
34
|
+
|
|
35
|
+
## Summary of New Capabilities
|
|
36
|
+
|
|
37
|
+
No new user-facing capabilities — this completes the Codex enforcement-hook layer so its
|
|
38
|
+
guards work in unattended/autonomous sessions, not just interactive ones where a human can
|
|
39
|
+
answer the trust prompt. Internal: `codexCapabilities.codexSupportsHookTrustBypass()`
|
|
40
|
+
(memoized feature probe) + both codex launch builders append the flag when supported.
|
|
41
|
+
|
|
42
|
+
## Evidence
|
|
43
|
+
|
|
44
|
+
**Live reproduction (real codex 0.133, no trust ever granted).** Launched interactive
|
|
45
|
+
codex with `--dangerously-bypass-hook-trust` and a hook whose trust hash had been
|
|
46
|
+
invalidated:
|
|
47
|
+
|
|
48
|
+
- Codex launched **straight to the prompt — no "trust these hooks?" review** (banner:
|
|
49
|
+
`⚠ Enabled hooks may run without review for this invocation`).
|
|
50
|
+
- Told it to run `echo 'rm -rf /'` — the guard fired and blocked it; codex itself reported
|
|
51
|
+
it was blocked for the catastrophic `rm -rf /` pattern, and the guard's debug trace
|
|
52
|
+
logged the fire. Before this, the same setup either blocked on the trust prompt or ran
|
|
53
|
+
unguarded.
|
|
54
|
+
|
|
55
|
+
Also verified instar's builder emits the flag for the real codex binary, and the
|
|
56
|
+
capability probe correctly omits it for a binary whose `--help` lacks it. Unit coverage:
|
|
57
|
+
`codexCapabilities` (5) + `frameworkSessionLaunch` (+4). `tsc` clean.
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
# Side-Effects Review: Codex hook-trust bypass (P6a — autonomy)
|
|
2
|
+
|
|
3
|
+
## Change
|
|
4
|
+
- **New** `src/core/codexCapabilities.ts`: memoized `codexSupportsHookTrustBypass(binaryPath)` — probes `codex --help` once per binary path, returns whether `--dangerously-bypass-hook-trust` is supported. Fails closed on any error.
|
|
5
|
+
- **`src/core/frameworkSessionLaunch.ts`**: both the interactive (`codexCliBuilder`) and headless (`codexCliHeadlessBuilder`) codex builders append `--dangerously-bypass-hook-trust` when the probe passes.
|
|
6
|
+
|
|
7
|
+
## Why
|
|
8
|
+
Codex requires interactive trust of command hooks before they run; that prompt freezes an unattended/autonomous session and offers a "continue without trusting" escape that lets an agent decline its own guards. The flag (codex 0.133) runs instar's already-vetted hooks with no prompt. Per Justin's delegation ("choose what's best for Instar", 2026-05-24), chosen as a **per-agent launch flag** over system-managed hooks — see spec §10 P6a for the full rationale.
|
|
9
|
+
|
|
10
|
+
## Scope / blast radius
|
|
11
|
+
- **Codex launches only.** Claude launches are untouched (separate builder). The flag is appended only to codex argv, and only when the probed binary supports it.
|
|
12
|
+
- **Safe-by-construction:** instar writes the hooks (`installCodexHooks`) AND owns the launch command — there is no untrusted third-party hook this prompt would have protected against. The "danger" of the flag (running arbitrary untrusted hooks) does not apply.
|
|
13
|
+
- **No system-wide effect:** unlike managed hooks, this changes nothing outside instar's own spawned codex processes. The operator's personal `codex` launches do not get the flag and still prompt normally.
|
|
14
|
+
- **Older codex (<0.133):** the probe returns false → flag omitted → the launch still succeeds (an unknown flag would otherwise fail the whole launch) and degrades to the safe-by-blocking interactive trust-prompt path.
|
|
15
|
+
|
|
16
|
+
## Signal vs Authority / over-block
|
|
17
|
+
- No change to what the hooks block. This only affects whether they run unprompted. No new authority, no new patterns.
|
|
18
|
+
|
|
19
|
+
## Performance
|
|
20
|
+
- The probe runs `codex --help` at most once per binary path per process (memoized), at session-spawn time (infrequent), 5s timeout. Negligible.
|
|
21
|
+
|
|
22
|
+
## Migration parity
|
|
23
|
+
- **None required.** This is instar's own dist code (the launch builders), not an agent-installed file (`.claude/settings.json` / `.codex/hooks.json` / hook scripts / config defaults). Existing agents receive it on the normal npm update + server restart. (The P5c hooks.json/guard changes that this depends on already shipped in v1.2.66 with their own migration.)
|
|
24
|
+
|
|
25
|
+
## Unbypassability (honest bound)
|
|
26
|
+
- The agent cannot remove the flag from a launch instar constructs → it cannot turn off the trust-bypass. It could still attempt to edit `.codex/hooks.json` / the guard script to neuter the hook itself; that residual vector is covered by always-overwrite-on-update of instar-owned hooks + the file-edit gates, not by this change. Absolute unbypassability would require system-managed hooks, deliberately not chosen (see spec §10 P6a).
|
|
27
|
+
|
|
28
|
+
## Tests
|
|
29
|
+
- `tests/unit/codexCapabilities.test.ts` (5): supported/unsupported `--help`, fail-closed on missing + empty path, memoization (cached true survives binary deletion).
|
|
30
|
+
- `tests/unit/frameworkSessionLaunch.test.ts` (+4): interactive & headless builders append the flag when the fake binary advertises it, omit it when it doesn't; prompt stays the final positional arg in headless.
|
|
31
|
+
- Live-proven end-to-end on real codex 0.133 (no trust granted → no prompt → guard still blocked `rm -rf /`). `tsc` clean; 53 launch/capability tests green.
|
|
32
|
+
|
|
33
|
+
## Rollback
|
|
34
|
+
- Remove the two `if (codexSupportsHookTrustBypass(...)) argv.push(...)` blocks and delete `codexCapabilities.ts`. No data migration. (Rollback re-introduces the autonomous-hang on the trust prompt.)
|
|
35
|
+
|
|
36
|
+
## Publish
|
|
37
|
+
- Branch `echo/codex-hook-trust-bypass`. Patch → next release.
|