runok exec
runok exec evaluates a command against your runok rules and, if allowed, executes it — optionally within a sandbox. If the command is denied (or requires confirmation), it is not executed and exit code 3 is returned.
runok exec [options] -- <command> [arguments...]The -- separator distinguishes runok flags from the command’s own flags. Any unrecognized flag before -- is rejected with an error to prevent typos from being silently absorbed into the command arguments.
A single argument after -- is interpreted as a shell command (passed to the shell). Multiple arguments are interpreted as an argv array (executed directly).
--sandbox <preset>
Section titled “--sandbox <preset>”Apply a named sandbox preset from your runok configuration. Overrides any sandbox defined in the matching rule.
--dry-run
Section titled “--dry-run”Show what would happen without executing the command. Prints diagnostic information to stderr and always exits with code 0.
--verbose
Section titled “--verbose”Output detailed rule matching information to stderr.
Examples
Section titled “Examples”Execute a command with permission checks:
runok exec -- npm testExecute with a sandbox preset:
runok exec --sandbox strict -- npm installPreview what would happen without executing:
runok exec --dry-run -- git push --forceRun a shell expression (single argument, passed to shell):
runok exec -- 'echo hello && echo world'Exit codes
Section titled “Exit codes”| Code | Meaning |
|---|---|
| N | Command’s own exit code (on successful execution). |
1 | An error occurred (config error, sandbox setup failure, etc.). |
3 | Command was denied or requires confirmation (ask). |
Related
Section titled “Related”runok check— Evaluate commands without executing them.- Sandbox — Configure sandbox presets.
- Denial Feedback — Configure feedback for denied commands.