[codex] Centralize process launch policy for workers #4088

Merged: Widthdom merged 1 commit into main from fix-issue4075, Jun 28, 2026

Conversation

@Widthdom

Owner

Summary

  • Centralizes isolated worker command/protocol argument construction in ProcessLaunchPolicy.
  • Keeps symbol and post-extraction hook worker launch argument ordering unchanged while sharing the protocol option constant.
  • Documents the production subprocess launch policy in both English and Japanese developer-guide sections.

Launch-Site Classification

  • Git: GitHelper uses trusted git resolution, no shell, git-specific environment allowlist, bounded capture, and timeout/cancellation.
  • Program dispatch / installer handoff: ProgramRunner uses trusted bash resolution, no shell, installer environment allowlist, timeout/cancellation, and bounded suppressed output capture.
  • Symbol worker: SymbolExtractionWorker uses isolated worker defaults and shared worker command/protocol arguments.
  • Hook callback worker: PostExtractionHookCallbackWorker uses isolated worker defaults, hook assembly/type arguments, and shared worker command/protocol arguments.
  • Isolated worker launcher: IsolatedWorkerProcessLauncher centralizes worker stdio/UTF-8/no-shell defaults and dotnet host preparation.
  • Subprocess environment policy: SubprocessEnvironmentPolicy owns git, installer, and isolated-worker environment allowlists.
  • Shared launch policy: ProcessLaunchPolicy owns no-shell start-info defaults and worker protocol argument construction.

Validation

  • dotnet test tests/CodeIndex.Tests/CodeIndex.Tests.csproj --filter "FullyQualifiedName~ProcessLaunchPolicyTests|FullyQualifiedName~SymbolExtractionWorker_StartInfo|FullyQualifiedName~PostExtractionHookCallbackWorker_StartInfo|FullyQualifiedName~IsolatedWorkers_StartInfo"
  • dotnet run --project tools/CodeIndex.Changelog -- check
  • dotnet build CodeIndex.sln -c Release -p:UseSharedCompilation=false
  • dotnet format CodeIndex.sln --verify-no-changes --no-restore
  • dotnet build
  • dotnet ./src/CodeIndex/bin/Debug/net8.0/cdidx.dll status --check --json
  • dotnet ./src/CodeIndex/bin/Debug/net8.0/cdidx.dll search --recipe risky-code/process-start-info --path src/ --exclude-tests --count-by file --limit 80

Documentation and Changelog

  • Updated DEVELOPER_GUIDE.md in English and Japanese.
  • Added changelog.d/unreleased/4075.security.md.

Review

  • Adversarial review: No blocking/actionable issues found.

Follow-up Candidates

  • None.

Fixes #4075

@Widthdom marked this pull request as ready for review June 28, 2026 03:00
@Widthdom merged commit 17a9757 into main Jun 28, 2026
10 checks passed
@Widthdom deleted the fix-issue4075 branch June 28, 2026 03:00
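
The no-shell, environment-allowlist, UTF-8 stdio, bounded-capture and timeout properties listed under Launch-Site Classification, sketched in C# as an added example; this is not the project's code. `LaunchSketch`, `Build`, `RunAsync`, the allowlist contents and the capture cap are hypothetical, and the sketch assumes .NET 6 or later.

```csharp
using System;
using System.Diagnostics;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical sketch; not the project's ProcessLaunchPolicy or launcher code.
static class LaunchSketch
{
    // Constructed allowlist and capture cap, for illustration only.
    static readonly string[] EnvAllowlist = { "PATH", "HOME", "LANG" };
    const int MaxCapturedChars = 64 * 1024;

    public static ProcessStartInfo Build(string trustedExePath, string workingDir, params string[] args)
    {
        var psi = new ProcessStartInfo(trustedExePath)
        {
            UseShellExecute = false,            // no shell: nothing re-parses the arguments
            RedirectStandardOutput = true,
            RedirectStandardError = true,
            StandardOutputEncoding = Encoding.UTF8,
            StandardErrorEncoding = Encoding.UTF8,
            WorkingDirectory = workingDir,
        };
        foreach (var arg in args) psi.ArgumentList.Add(arg);  // one argv entry each, no quoting
        psi.Environment.Clear();                // drop the inherited environment...
        foreach (var name in EnvAllowlist)      // ...and copy back only allowlisted names
        {
            var value = Environment.GetEnvironmentVariable(name);
            if (value is not null) psi.Environment[name] = value;
        }
        return psi;
    }

    public static async Task<(int ExitCode, string Output)> RunAsync(
        ProcessStartInfo psi, TimeSpan timeout, CancellationToken ct = default)
    {
        using var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
        cts.CancelAfter(timeout);
        using var proc = Process.Start(psi) ?? throw new InvalidOperationException("start failed");
        var output = new StringBuilder();
        proc.OutputDataReceived += (_, e) =>    // stop appending once the cap is reached
        { if (e.Data is not null && output.Length < MaxCapturedChars) output.AppendLine(e.Data); };
        proc.BeginOutputReadLine();
        proc.BeginErrorReadLine();              // drain stderr so the child cannot block on a full pipe
        try { await proc.WaitForExitAsync(cts.Token); }
        catch (OperationCanceledException) { proc.Kill(entireProcessTree: true); throw; }
        return (proc.ExitCode, output.ToString());
    }
}
```

Clearing the environment before applying the allowlist matters because `ProcessStartInfo.Environment` starts as a copy of the parent's variables; anything not removed is inherited by the child.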
Development

Successfully merging this pull request may close these issues.

Audit process launch sites for argument, environment, cwd, timeout, and shell policy