fix(workerpals): harden codex wrapper-shell recovery

Author: PiyushDatta

apps/workerpals/src/backends/openai_codex/openai_codex_executor.py

@@ -95,6 +95,7 @@
 _VALID_COLORS = {"always", "never", "auto"}
 _VALID_AUTH_MODES = {"auto", "api_key", "chatgpt"}
 _VALID_REASONING_EFFORTS = {"low", "medium", "high", "xhigh"}
+_MAX_WRAPPER_RECOVERY_ATTEMPTS = 2
 
 
 def _model_supports_xhigh_reasoning(model: str) -> bool:
@@ -296,6 +297,21 @@ def _command_router_recovery_guidance() -> str:
     )
 
 
+def _command_router_hard_recovery_guidance() -> str:
+    guidance = _load_markdown_h2_section(_COMMAND_ROUTER_POLICY_PATH, "Hard Recovery Guidance")
+    if guidance:
+        return guidance
+    return (
+        "Command-router escalation: the previous retry still attempted disallowed shell wrappers.\n"
+        "Do not invoke `bash`, `/bin/bash`, `sh`, `cmd`, `powershell`, `powershell.exe`, `pwsh`, "
+        "or `pwsh.exe` as the command itself on this attempt.\n"
+        "Your first command invocation on this retry must be one of the direct replacements listed "
+        "below, with no wrapper shell around it.\n"
+        "After you re-establish repo context, continue using ordinary shell commands directly "
+        "without wrapper shells."
+    )
+
+
 def _command_router_rejection_detail_intro() -> str:
     guidance = _load_markdown_h2_section(_COMMAND_ROUTER_POLICY_PATH, "Rejection Detail")
     if guidance:
@@ -1066,7 +1082,7 @@ def _unwrap_shell_wrapper_command(command: str) -> str:
     return ""
 
 
-def _build_wrapper_recovery_guidance(rejected_commands: List[str]) -> str:
+def _build_wrapper_direct_replacements(rejected_commands: List[str]) -> List[str]:
     direct_equivalents: List[str] = []
     seen: set[str] = set()
     for command in rejected_commands:
@@ -1076,7 +1092,16 @@ def _build_wrapper_recovery_guidance(rejected_commands: List[str]) -> str:
             continue
         seen.add(lowered)
         direct_equivalents.append(f"- `{command}` -> `{direct}`")
-    guidance_lines = [_command_router_recovery_guidance()]
+    return direct_equivalents
+
+
+def _build_wrapper_recovery_guidance(rejected_commands: List[str], *, hard: bool = False) -> str:
+    guidance_lines = [
+        _command_router_hard_recovery_guidance()
+        if hard
+        else _command_router_recovery_guidance()
+    ]
+    direct_equivalents = _build_wrapper_direct_replacements(rejected_commands)
     if direct_equivalents:
         guidance_lines.append("Use these direct replacements for the rejected commands:")
         guidance_lines.extend(direct_equivalents[:6])
@@ -1515,11 +1540,20 @@ def _drain_stderr() -> None:
         log_git_status(repo, log)
 
         if command_policy_rejection_loop:
-            if wrapper_recovery_attempt < 1:
-                recovery_guidance = _build_wrapper_recovery_guidance(rejected_shell_wrappers)
+            if wrapper_recovery_attempt < _MAX_WRAPPER_RECOVERY_ATTEMPTS:
+                hard_recovery = wrapper_recovery_attempt >= 1
+                recovery_guidance = _build_wrapper_recovery_guidance(
+                    rejected_shell_wrappers,
+                    hard=hard_recovery,
+                )
                 if recovery_guidance:
                     log.warning(
-                        "Codex hit a shell-wrapper rejection loop; retrying once with direct-command recovery guidance."
+                        "Codex hit a shell-wrapper rejection loop; retrying once with "
+                        + (
+                            "strict no-wrapper recovery guidance."
+                            if hard_recovery
+                            else "direct-command recovery guidance."
+                        )
                     )
                     retry_result = _run_codex_task(
                         repo,
@@ -1529,19 +1563,19 @@ def _drain_stderr() -> None:
                         baseline_changes=baseline_snapshot,
                     )
                     retry_result["usage"] = _merge_usage_records(usage, retry_result.get("usage"))
-                    if retry_result.get("ok"):
+                    if wrapper_recovery_attempt == 0 and retry_result.get("ok"):
                         recovered_stdout = str(retry_result.get("stdout") or "").strip()
                         retry_result["stdout"] = _truncate(
                             (
-                                "Recovered after the first Codex attempt hit command-router shell-wrapper rejections.\n\n"
+                                "Recovered after Codex attempts hit command-router shell-wrapper rejections.\n\n"
                                 f"{recovered_stdout}"
                             ).strip()
                         )
-                    else:
+                    elif wrapper_recovery_attempt == 0:
                         retry_stderr = str(retry_result.get("stderr") or "").strip()
                         retry_result["stderr"] = _truncate(
                             (
-                                "The first Codex attempt hit command-router shell-wrapper rejections and was retried once with direct-command recovery guidance.\n\n"
+                                "Earlier Codex attempts hit command-router shell-wrapper rejections and were retried with stricter recovery guidance.\n\n"
                                 f"{retry_stderr}"
                             ).strip()
                         )

apps/workerpals/src/backends/openai_codex/test_openai_codex_runtime_config.py

@@ -1,8 +1,11 @@
 import os
 import re
+import json
+import subprocess
 import sys
 import unittest
 import tempfile
+from unittest import mock
 from pathlib import Path
 
 _HERE = Path(__file__).resolve().parent
@@ -22,6 +25,7 @@
     OpenAICodexRuntimeConfig,
     _augment_supplemental_guidance,
     _build_wrapper_recovery_guidance,
+    _run_codex_task,
     _resolve_reasoning_effort,
     _build_instruction,
     _collect_disallowed_shell_wrapper_rejections,
@@ -280,6 +284,103 @@ def test_wrapper_recovery_guidance_allows_arbitrary_shell_commands_without_wrapp
         self.assertIn("not limited to a fixed allowlist", lowered)
         self.assertIn("`/bin/bash -lc 'git status --porcelain'` -> `git status --porcelain`", guidance)
 
+    def test_wrapper_hard_recovery_guidance_requires_direct_replacements_first(self) -> None:
+        guidance = _build_wrapper_recovery_guidance(
+            ["/bin/bash -lc 'git status --porcelain'", "/bin/bash -lc pwd"],
+            hard=True,
+        )
+        lowered = guidance.lower()
+        self.assertIn("previous retry still attempted disallowed shell wrappers", lowered)
+        self.assertIn("do not invoke `bash`", lowered)
+        self.assertIn("first command invocation on this retry must be one of the direct replacements", lowered)
+        self.assertIn("`/bin/bash -lc 'git status --porcelain'` -> `git status --porcelain`", guidance)
+
+    def test_run_codex_task_escalates_wrapper_recovery_and_recovers(self) -> None:
+        with tempfile.TemporaryDirectory(prefix="pushpals-codex-wrapper-recovery-") as temp_dir:
+            repo = Path(temp_dir) / "repo"
+            repo.mkdir(parents=True, exist_ok=True)
+            (repo / "README.md").write_text("# wrapper recovery test\n", encoding="utf-8")
+            subprocess.run(["git", "init"], cwd=repo, check=True, capture_output=True, text=True)
+            subprocess.run(
+                ["git", "config", "user.name", "PushPals Test"],
+                cwd=repo,
+                check=True,
+                capture_output=True,
+                text=True,
+            )
+            subprocess.run(
+                ["git", "config", "user.email", "pushpals-tests@example.com"],
+                cwd=repo,
+                check=True,
+                capture_output=True,
+                text=True,
+            )
+            subprocess.run(["git", "add", "README.md"], cwd=repo, check=True, capture_output=True, text=True)
+            subprocess.run(
+                ["git", "commit", "-m", "chore: seed wrapper recovery repo"],
+                cwd=repo,
+                check=True,
+                capture_output=True,
+                text=True,
+            )
+
+            stub_path = Path(temp_dir) / "fake_codex_wrapper_recovery.py"
+            stub_path.write_text(
+                "\n".join(
+                    [
+                        "from pathlib import Path",
+                        "import sys",
+                        "import time",
+                        "",
+                        "argv = sys.argv[1:]",
+                        "last_message_path = None",
+                        "for index, arg in enumerate(argv):",
+                        "    if arg == '--output-last-message' and index + 1 < len(argv):",
+                        "        last_message_path = argv[index + 1]",
+                        "        break",
+                        "",
+                        "prompt = sys.stdin.read()",
+                        "hard_marker = 'Your first command invocation on this retry must be one of the direct replacements listed below'",
+                        "if hard_marker in prompt:",
+                        "    if last_message_path:",
+                        "        Path(last_message_path).write_text(",
+                        "            'Recovered by switching to direct commands after strict wrapper recovery.',",
+                        "            encoding='utf-8',",
+                        "        )",
+                        "    print('item.completed | Used direct commands after strict recovery guidance.', flush=True)",
+                        "    sys.exit(0)",
+                        "",
+                        "for line in (",
+                        "    'error=exec_command failed for `/bin/bash -lc pwd`: CreateProcess { message: \"Rejected\" }',",
+                        "    'error=exec_command failed for `/bin/bash -lc \\'git branch --show-current\\'`: CreateProcess { message: \"Rejected\" }',",
+                        "    'error=exec_command failed for `/bin/bash -lc ls`: CreateProcess { message: \"Rejected\" }',",
+                        "    'error=exec_command failed for `/bin/bash -lc \\'git status --porcelain\\'`: CreateProcess { message: \"Rejected\" }',",
+                        "):",
+                        "    print(line, file=sys.stderr, flush=True)",
+                        "time.sleep(10)",
+                    ]
+                ),
+                encoding="utf-8",
+            )
+
+            env_overrides = {
+                "PUSHPALS_OPENAI_CODEX_BIN_JSON": json.dumps([sys.executable, str(stub_path)]),
+                "PUSHPALS_OPENAI_CODEX_AUTH_MODE": "api_key",
+                "OPENAI_API_KEY": "pushpals-wrapper-recovery-test-key",
+                "WORKERPALS_OPENAI_CODEX_TIMEOUT_S": "10",
+                "WORKERPALS_OPENAI_CODEX_PROGRESS_LOG_INTERVAL_S": "1",
+            }
+            with mock.patch.dict(os.environ, env_overrides, clear=False):
+                result = _run_codex_task(
+                    str(repo),
+                    "Inspect the repo and report the current branch.",
+                    [],
+                )
+
+        self.assertTrue(result.get("ok"), result)
+        self.assertIn("Recovered after Codex attempts hit command-router shell-wrapper rejections.", str(result.get("stdout") or ""))
+        self.assertIn("strict wrapper recovery", str(result.get("stdout") or "").lower())
+
     def test_usage_falls_back_to_estimate_when_trace_has_no_usage(self) -> None:
         usage = _usage_from_trace_or_estimate({}, "abc" * 30, "done", model="gpt-5.4")
         self.assertTrue(usage["estimated"])

packages/cli/runtime/prompts/workerpals/openai_codex_command_router_policy.md

@@ -6,5 +6,11 @@ Command-router recovery: the previous attempt retried disallowed shell wrappers.
 Retry once using shell commands normally, but invoke the inner command directly instead of wrapping it in `/bin/bash -lc`, `bash -c`, `sh -lc`, `cmd /c`, `powershell -Command`, or `pwsh -Command`.
 You are not limited to a fixed allowlist of commands. The constraint is only that command execution must target the actual program/argv directly rather than a wrapper shell.
 
+## Hard Recovery Guidance
+Command-router escalation: the previous retry still attempted disallowed shell wrappers.
+Do not invoke `bash`, `/bin/bash`, `sh`, `cmd`, `powershell`, `powershell.exe`, `pwsh`, or `pwsh.exe` as the command itself on this attempt.
+Your first command invocation on this retry must be one of the direct replacements listed below, with no wrapper shell around it.
+After you re-establish repo context, continue using ordinary shell commands directly without wrapper shells.
+
 ## Rejection Detail
 Codex repeatedly attempted disallowed shell-wrapper commands that the command router rejected. Shell commands are allowed, but wrapper shells are not; invoke the inner command directly and avoid wrapper retries.

packages/cli/runtime/sandbox/apps/workerpals/src/backends/openai_codex/openai_codex_executor.py

@@ -95,6 +95,7 @@
 _VALID_COLORS = {"always", "never", "auto"}
 _VALID_AUTH_MODES = {"auto", "api_key", "chatgpt"}
 _VALID_REASONING_EFFORTS = {"low", "medium", "high", "xhigh"}
+_MAX_WRAPPER_RECOVERY_ATTEMPTS = 2
 
 
 def _model_supports_xhigh_reasoning(model: str) -> bool:
@@ -296,6 +297,21 @@ def _command_router_recovery_guidance() -> str:
     )
 
 
+def _command_router_hard_recovery_guidance() -> str:
+    guidance = _load_markdown_h2_section(_COMMAND_ROUTER_POLICY_PATH, "Hard Recovery Guidance")
+    if guidance:
+        return guidance
+    return (
+        "Command-router escalation: the previous retry still attempted disallowed shell wrappers.\n"
+        "Do not invoke `bash`, `/bin/bash`, `sh`, `cmd`, `powershell`, `powershell.exe`, `pwsh`, "
+        "or `pwsh.exe` as the command itself on this attempt.\n"
+        "Your first command invocation on this retry must be one of the direct replacements listed "
+        "below, with no wrapper shell around it.\n"
+        "After you re-establish repo context, continue using ordinary shell commands directly "
+        "without wrapper shells."
+    )
+
+
 def _command_router_rejection_detail_intro() -> str:
     guidance = _load_markdown_h2_section(_COMMAND_ROUTER_POLICY_PATH, "Rejection Detail")
     if guidance:
@@ -1066,7 +1082,7 @@ def _unwrap_shell_wrapper_command(command: str) -> str:
     return ""
 
 
-def _build_wrapper_recovery_guidance(rejected_commands: List[str]) -> str:
+def _build_wrapper_direct_replacements(rejected_commands: List[str]) -> List[str]:
     direct_equivalents: List[str] = []
     seen: set[str] = set()
     for command in rejected_commands:
@@ -1076,7 +1092,16 @@ def _build_wrapper_recovery_guidance(rejected_commands: List[str]) -> str:
             continue
         seen.add(lowered)
         direct_equivalents.append(f"- `{command}` -> `{direct}`")
-    guidance_lines = [_command_router_recovery_guidance()]
+    return direct_equivalents
+
+
+def _build_wrapper_recovery_guidance(rejected_commands: List[str], *, hard: bool = False) -> str:
+    guidance_lines = [
+        _command_router_hard_recovery_guidance()
+        if hard
+        else _command_router_recovery_guidance()
+    ]
+    direct_equivalents = _build_wrapper_direct_replacements(rejected_commands)
     if direct_equivalents:
         guidance_lines.append("Use these direct replacements for the rejected commands:")
         guidance_lines.extend(direct_equivalents[:6])
@@ -1515,11 +1540,20 @@ def _drain_stderr() -> None:
         log_git_status(repo, log)
 
         if command_policy_rejection_loop:
-            if wrapper_recovery_attempt < 1:
-                recovery_guidance = _build_wrapper_recovery_guidance(rejected_shell_wrappers)
+            if wrapper_recovery_attempt < _MAX_WRAPPER_RECOVERY_ATTEMPTS:
+                hard_recovery = wrapper_recovery_attempt >= 1
+                recovery_guidance = _build_wrapper_recovery_guidance(
+                    rejected_shell_wrappers,
+                    hard=hard_recovery,
+                )
                 if recovery_guidance:
                     log.warning(
-                        "Codex hit a shell-wrapper rejection loop; retrying once with direct-command recovery guidance."
+                        "Codex hit a shell-wrapper rejection loop; retrying once with "
+                        + (
+                            "strict no-wrapper recovery guidance."
+                            if hard_recovery
+                            else "direct-command recovery guidance."
+                        )
                     )
                     retry_result = _run_codex_task(
                         repo,
@@ -1529,19 +1563,19 @@ def _drain_stderr() -> None:
                         baseline_changes=baseline_snapshot,
                     )
                     retry_result["usage"] = _merge_usage_records(usage, retry_result.get("usage"))
-                    if retry_result.get("ok"):
+                    if wrapper_recovery_attempt == 0 and retry_result.get("ok"):
                         recovered_stdout = str(retry_result.get("stdout") or "").strip()
                         retry_result["stdout"] = _truncate(
                             (
-                                "Recovered after the first Codex attempt hit command-router shell-wrapper rejections.\n\n"
+                                "Recovered after Codex attempts hit command-router shell-wrapper rejections.\n\n"
                                 f"{recovered_stdout}"
                             ).strip()
                         )
-                    else:
+                    elif wrapper_recovery_attempt == 0:
                         retry_stderr = str(retry_result.get("stderr") or "").strip()
                         retry_result["stderr"] = _truncate(
                             (
-                                "The first Codex attempt hit command-router shell-wrapper rejections and was retried once with direct-command recovery guidance.\n\n"
+                                "Earlier Codex attempts hit command-router shell-wrapper rejections and were retried with stricter recovery guidance.\n\n"
                                 f"{retry_stderr}"
                             ).strip()
                         )