
Centralize repository authority for Git helper launches #30896

Open

bookholt-oai wants to merge 10 commits into codex/psec-4394-git-03-path-containment from codex/psec-4394-repository-authority

Conversation

bookholt-oai (Contributor) commented Jul 2, 2026

Why

Choosing a trusted Git executable is not enough if the repository or its Git metadata can change after the check. Rebuilding that trust separately for every child also made multi-step operations slow enough to time out on Windows.

Approach

Create one operation-scoped authority that records the worktree, Git metadata, linked-worktree registration, filesystem identity, and pinned native Git executable.

Build every Git child through that authority. Bind it to a canonical working directory, sanitize executable lookup, revalidate the active Git metadata immediately before launch, and reapply the local-only transport policy.

Reuse the same runner across multi-step operations such as merge-base resolution, while still rechecking metadata before every child. Never cache the runner across separate operations.

This PR is stacked on #30844. #30848 builds on it.

Testing

  • 103 codex-git-utils tests passed.
  • Focused tests cover single-runner reuse, unborn repositories, non-repositories, and metadata retargeting between child commands.
  • Clippy, formatting, and diff checks passed.
  • Native Windows junction, reparse-path, linked-worktree, and base-branch variants run in CI.
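The following is an added Rust sketch of the authority pattern the description above outlines; it is not the PR's code, and the type names (RepoAuthority, GitEntry, AuthorityError), the gitfile handling, and the reading of "local-only transport policy" as `protocol.allow=never` plus `protocol.file.allow=always` are all assumptions made for the example. It records the canonical worktree and the shape of its `.git` entry once, pins an absolute Git executable, and re-reads the metadata immediately before every child command is built, so a `.git` directory swapped for a gitfile between two commands of one operation is refused.

```rust
use std::fs;
use std::path::{Path, PathBuf};
use std::process::Command;

/// Shape of the worktree's `.git` entry when the authority was built.
#[derive(Debug, Clone, PartialEq, Eq)]
enum GitEntry {
    /// `.git` is a directory: this is a primary worktree.
    Directory,
    /// `.git` is a gitfile (`gitdir: <path>`): a linked worktree; the
    /// canonical target of that pointer is recorded.
    GitFile(PathBuf),
}

#[derive(Debug, PartialEq, Eq)]
enum AuthorityError {
    NotARepository,
    MetadataChanged,
    UnpinnedExecutable,
    Io(String),
}

/// Operation-scoped record of what was trusted: canonical worktree path,
/// the `.git` entry as seen at build time, and a pinned absolute Git binary.
/// (Hypothetical type; the PR's own types are not shown on the page.)
#[derive(Debug)]
struct RepoAuthority {
    worktree: PathBuf,
    git_entry: GitEntry,
    git_exe: PathBuf,
}

/// Read the `.git` entry without following symlinks; anything other than a
/// plain directory or a well-formed gitfile is refused rather than guessed at.
fn read_git_entry(worktree: &Path) -> Result<GitEntry, AuthorityError> {
    let dot_git = worktree.join(".git");
    let meta = fs::symlink_metadata(&dot_git).map_err(|_| AuthorityError::NotARepository)?;
    if meta.is_dir() {
        return Ok(GitEntry::Directory);
    }
    if meta.is_file() {
        let text = fs::read_to_string(&dot_git).map_err(|e| AuthorityError::Io(e.to_string()))?;
        let target = text
            .strip_prefix("gitdir:")
            .ok_or(AuthorityError::NotARepository)?
            .trim();
        let target = if Path::new(target).is_absolute() {
            PathBuf::from(target)
        } else {
            worktree.join(target)
        };
        let canonical = fs::canonicalize(&target).map_err(|_| AuthorityError::NotARepository)?;
        return Ok(GitEntry::GitFile(canonical));
    }
    Err(AuthorityError::NotARepository)
}

impl RepoAuthority {
    /// Build once per operation. `git_exe` must already be an absolute path:
    /// the authority never resolves the executable through PATH at spawn time.
    fn for_cwd(cwd: &Path, git_exe: &Path) -> Result<Self, AuthorityError> {
        if !git_exe.is_absolute() {
            return Err(AuthorityError::UnpinnedExecutable);
        }
        let worktree = fs::canonicalize(cwd).map_err(|_| AuthorityError::NotARepository)?;
        let git_entry = read_git_entry(&worktree)?;
        Ok(Self { worktree, git_entry, git_exe: git_exe.to_path_buf() })
    }

    /// Re-read the metadata and compare it with what was recorded.
    fn revalidate(&self) -> Result<(), AuthorityError> {
        if read_git_entry(&self.worktree)? != self.git_entry {
            return Err(AuthorityError::MetadataChanged);
        }
        Ok(())
    }

    /// Build a child command; revalidation happens immediately before the
    /// command is handed back, so every child (not only the first) is checked.
    fn command(&self, args: &[&str]) -> Result<Command, AuthorityError> {
        self.revalidate()?;
        let mut cmd = Command::new(&self.git_exe);
        cmd.current_dir(&self.worktree)
            // Do not let inherited environment redirect Git elsewhere.
            .env_remove("GIT_DIR")
            .env_remove("GIT_WORK_TREE")
            // Assumed reading of "local-only transport policy": forbid every
            // remote helper except local file transport, reapplied per child.
            .arg("-c").arg("protocol.allow=never")
            .arg("-c").arg("protocol.file.allow=always")
            .args(args);
        Ok(cmd)
    }
}

fn main() {
    // Placeholder executable path; pin whatever your lookup step chose.
    let auth = RepoAuthority::for_cwd(Path::new("."), Path::new("/usr/bin/git"));
    match auth.and_then(|a| a.command(&["rev-parse", "--show-toplevel"])) {
        Ok(mut cmd) => match cmd.output() {
            Ok(out) => println!("{}", String::from_utf8_lossy(&out.stdout)),
            Err(e) => eprintln!("spawn failed: {e}"),
        },
        Err(e) => eprintln!("refused: {e:?}"),
    }
}
```

The authority is built per operation and dropped afterwards; a second operation calls `for_cwd` again and sees whatever the `.git` entry is by then, which is the "never cache the runner across separate operations" rule from the description.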

@bookholt-oai bookholt-oai marked this pull request as ready for review July 2, 2026 19:34

chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e8e8178e3a


Comment on lines +129 to +135
fn explicit_boolean(value: &[u8]) -> Option<bool> {
    if value.eq_ignore_ascii_case(b"true") {
        Some(true)
    } else if value.eq_ignore_ascii_case(b"false") {
        Some(false)
    } else {
        None
    }
}


P2: Parse all Git boolean spellings

When a common config uses Git's valid boolean spellings such as core.bare = yes or extensions.worktreeConfig = 0, this helper returns None because it only recognizes true/false ([Git config's bool type also accepts yes/on/numbers and no/off/0](https://git-scm.com/docs/git-config#Documentation/git-config.txt---typelttypegt)). In a linked worktree backed by a bare repository with core.bare = yes, inspect_plain_common_config_authority() returns Unproven, so GitRunner::for_cwd rejects otherwise valid operations with UnprovenPrimaryAuthority; please parse the full Git boolean grammar.

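As an added example of the parser the comment above asks for (not code from the PR or the codex project), here is a Git boolean reader in Rust. It implements the grammar as Git documents it: true/yes/on and non-zero numbers are true, false/no/off, 0 and the empty value are false, all case-insensitively, and a key present with no `=` is true. The `BareStatus` enum and `core_bare_status` helper are assumptions that model how a caller would map an unparseable value to an unproven authority rather than to a guess.

```rust
/// Outcome of reading a Git boolean config value. `None` is the conservative
/// answer for spellings Git itself would reject, so a caller can treat the
/// repository's authority as unproven instead of guessing.
///
/// `value == None` models a key present with no `=` at all (`[core]\n\tbare`),
/// which Git reads as true; `Some(b"")` (`bare =`) is false.
fn git_boolean(value: Option<&[u8]>) -> Option<bool> {
    let value = match value {
        None => return Some(true),
        Some(v) => v,
    };
    if value.is_empty() {
        return Some(false);
    }
    let truthy: [&[u8]; 3] = [b"true", b"yes", b"on"];
    let falsy: [&[u8]; 3] = [b"false", b"no", b"off"];
    if truthy.iter().any(|t| value.eq_ignore_ascii_case(*t)) {
        return Some(true);
    }
    if falsy.iter().any(|f| value.eq_ignore_ascii_case(*f)) {
        return Some(false);
    }
    // Numbers: zero is false, anything else true. Git parses these with
    // strtoimax (so it also takes hex, octal and k/m/g suffixes); this example
    // accepts plain decimal only and refuses the rest rather than mis-classify.
    // Surrounding whitespace is assumed to have been stripped by the config
    // line parser, as Git's own parser does.
    let text = std::str::from_utf8(value).ok()?;
    text.parse::<i64>().ok().map(|n| n != 0)
}

/// How a caller should treat `core.bare` read from a common config file.
#[derive(Debug, PartialEq, Eq)]
enum BareStatus {
    Bare,
    NotBare,
    Unproven,
}

fn core_bare_status(raw: Option<&[u8]>) -> BareStatus {
    match git_boolean(raw) {
        Some(true) => BareStatus::Bare,
        Some(false) => BareStatus::NotBare,
        None => BareStatus::Unproven,
    }
}

fn main() {
    // Constructed sample values covering each branch of the grammar.
    let samples: [Option<&[u8]>; 7] = [
        Some(b"yes"), Some(b"ON"), Some(b"0"), Some(b""), None, Some(b"maybe"), Some(b"-1"),
    ];
    for raw in samples {
        let shown = raw.map(|v| String::from_utf8_lossy(v).into_owned());
        println!("{:?} -> {:?} / {:?}", shown, git_boolean(raw), core_bare_status(raw));
    }
}
```

The point of returning `Option<bool>` rather than defaulting is that a value the parser cannot classify surfaces as `Unproven`, the same state the comment describes, while every spelling Git accepts now reaches a definite answer.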
