Skip to content

Build remote exec env from exec-server policy#17216

Merged
jif-oai merged 11 commits into
mainfrom
codex/remote-exec-env-overlay
Apr 13, 2026
Merged

Build remote exec env from exec-server policy#17216
jif-oai merged 11 commits into
mainfrom
codex/remote-exec-env-overlay

Conversation

@jif-oai

@jif-oai jif-oai commented Apr 9, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • add an exec-server envPolicy field; when present, the server starts from its own process env and applies the shell environment policy there
  • keep env as the exact environment for local/embedded starts, but make it an overlay for remote unified-exec starts
  • move the shell-environment-policy builder into codex-config so Core and exec-server share the inherit/filter/set/include behavior
  • overlay only runtime/sandbox/network deltas from Core onto the exec-server-derived env

Why

Remote unified exec was materializing the shell env inside Core and forwarding the whole map to exec-server, so remote processes could inherit the orchestrator machine's HOME, PATH, etc. This keeps the base env on the executor while preserving Core-owned runtime additions like CODEX_THREAD_ID, unified-exec defaults, network proxy env, and sandbox marker env.

Validation

  • just fmt
  • git diff --check
  • cargo test -p codex-exec-server --lib
  • cargo test -p codex-core --lib unified_exec::process_manager::tests
  • cargo test -p codex-core --lib exec_env::tests
  • cargo test -p codex-core --lib exec_env_tests (compile-only; filter matched 0 tests)
  • cargo test -p codex-config --lib shell_environment (compile-only; filter matched 0 tests)
  • just bazel-lock-update

Known local validation issue

  • just bazel-lock-check is not runnable in this checkout: it invokes ./scripts/check-module-bazel-lock.sh, which is missing.

jif-oai and others added 4 commits April 9, 2026 12:29
@jif-oai @codex
Derive remote exec env on the exec-server
3040717 
Add an exec-server env policy contract and send only the env overlay needed for runtime/sandbox transforms when Core starts remote unified-exec processes. Keep local process startup on the existing exact-env path, and share the shell-environment-policy builder from codex-config so the executor can apply the same inherit/filter/set/include rules against its own process environment.

Co-authored-by: Codex <noreply@openai.com>
@jif-oai
fixes
170be59
@jif-oai @codex
Fix remote exec env CI failures
9747e85 
Co-authored-by: Codex <noreply@openai.com>
@jif-oai
Fix exec process tests for env policy
a545d42
@jif-oai jif-oai marked this pull request as ready for review April 9, 2026 12:19
pakrym-oai and others added 3 commits April 10, 2026 18:40
@pakrym-oai
Fix remote exec env overlay CI failures
05f23ae
@pakrym-oai
Revert "Fix remote exec env overlay CI failures"
71279f0 
This reverts commit 05f23ae.
@jif-oai @codex
Merge origin/main into codex/remote-exec-env-overlay
ca38d92 
Restore remote exec env CI fixes after the merge.

Co-authored-by: Codex <noreply@openai.com>
@jif-oai jif-oai merged commit bacb92b into main Apr 13, 2026
20 of 22 checks passed
@jif-oai jif-oai deleted the codex/remote-exec-env-overlay branch April 13, 2026 08:59
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 13, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@starr-openai starr-openai starr-openai approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jif-oai @starr-openai @pakrym-oai