export function execWithSeatbelt()

in codex-cli/src/utils/agent/sandbox/macos-seatbelt.ts [23:76]


/**
 * Run `cmd` under macOS Seatbelt (`sandbox-exec`) with a read-only base
 * policy plus `file-write*` permission for a set of directory trees.
 *
 * @param cmd           Command and arguments to execute; passed through
 *                      verbatim after a literal `--`, so an argument that
 *                      begins with `-` cannot be taken as a sandbox-exec flag.
 * @param opts          Spawn options forwarded unchanged to `exec`.
 * @param writableRoots Directories (and everything beneath them) the command
 *                      may write to, in addition to `getCommonRoots()`.
 * @param abortSignal   Optional signal forwarded to `exec` for cancellation.
 * @returns The promise produced by `exec` for the sandboxed command.
 */
export function execWithSeatbelt(
  cmd: Array<string>,
  opts: SpawnOptions,
  writableRoots: ReadonlyArray<string>,
  abortSignal?: AbortSignal,
): Promise<ExecResult> {
  // Caller-supplied roots first, then the roots every run is granted.
  const allRoots = [...writableRoots, ...getCommonRoots()];

  // One `(subpath (param "WRITABLE_ROOT_i"))` clause per root. The path
  // itself is never spliced into the SBPL text: it travels as its own
  // `-DWRITABLE_ROOT_i=<path>` argv element and is resolved by sandbox-exec
  // via `(param ...)`, so a path containing `"` or `)` cannot rewrite the
  // policy.
  //
  // NOTE(review): `subpath` is matched by the kernel against the path it
  // sees for the accessed file; if a root is given through a symlink
  // (e.g. `/tmp` vs `/private/tmp`) the grant may not apply — confirm the
  // caller canonicalizes roots if that matters here.
  const writeClauses: Array<string> = [];
  const templateParams: Array<string> = [];
  allRoots.forEach((root, i) => {
    writeClauses.push(`(subpath (param "WRITABLE_ROOT_${i}"))`);
    templateParams.push(`-DWRITABLE_ROOT_${i}=${root}`);
  });

  // allRoots is expected to be non-empty in practice; guard anyway so an
  // empty list produces no `(allow file-write* ...)` block at all rather
  // than a malformed one.
  const writePolicy =
    writeClauses.length > 0
      ? `\n(allow file-write*\n${writeClauses.join(" ")}\n)`
      : "";

  const fullPolicy = READ_ONLY_SEATBELT_POLICY + writePolicy;

  // Debug trace of the exact policy and every writable root path handed to
  // sandbox-exec; useful when a write is unexpectedly denied.
  log(
    `Running seatbelt with policy: ${fullPolicy} and ${
      templateParams.length
    } template params: ${templateParams.join(", ")}`,
  );

  // `-p` takes the inline policy, `-D` binds each template param, and `--`
  // terminates option parsing before the user command.
  const fullCommand = [
    PATH_TO_SEATBELT_EXECUTABLE,
    "-p",
    fullPolicy,
    ...templateParams,
    "--",
    ...cmd,
  ];
  return exec(fullCommand, opts, abortSignal);
}