feat: introduce Permissions (#11633)

## Why We currently carry multiple permission-related concepts directly on `Config` for shell/unified-exec behavior (`approval_policy`, `sandbox_policy`, `network`, `shell_environment_policy`, `windows_sandbox_mode`). Consolidating these into one in-memory struct makes permission handling easier to reason about and sets up the next step: supporting named permission profiles (`[permissions.PROFILE_NAME]`) without changing behavior now. This change is mostly mechanical: it updates existing callsites to go through `config.permissions`, but it does not yet refactor those callsites to take a single `Permissions` value in places where multiple permission fields are still threaded separately. This PR intentionally **does not** change the on-disk `config.toml` format yet and keeps compatibility with legacy config keys. ## What Changed - Introduced `Permissions` in `core/src/config/mod.rs`. - Added `Config::permissions` and moved effective runtime permission fields under it: - `approval_policy` - `sandbox_policy` - `network` - `shell_environment_policy` - `windows_sandbox_mode` - Updated config loading/building so these effective values are still derived from the same existing config inputs and constraints. - Updated Windows sandbox helpers/resolution to read/write via `permissions`. - Threaded the new field through all permission consumers across core runtime, app-server, CLI/exec, TUI, and sandbox summary code. - Updated affected tests to reference `config.permissions.*`. - Renamed the struct/field from `EffectivePermissions`/`effective_permissions` to `Permissions`/`permissions` and aligned variable naming accordingly. ## Verification - `just fix -p codex-core -p codex-tui -p codex-cli -p codex-app-server -p codex-exec -p codex-utils-sandbox-summary` - `cargo build -p codex-core -p codex-tui -p codex-cli -p codex-app-server -p codex-exec -p codex-utils-sandbox-summary`
2026-05-01 03:42:05 +03:00 · 2026-02-12 14:42:54 -08:00
parent d7cb70ed26
commit a4cc1a4a85
30 changed files with 280 additions and 193 deletions
--- a/codex-rs/core/tests/suite/approvals.rs
+++ b/codex-rs/core/tests/suite/approvals.rs
@@ -1467,8 +1467,8 @@ async fn run_scenario(scenario: &ScenarioSpec) -> Result<()> {
    let model = model_override.unwrap_or("gpt-5.1");

    let mut builder = test_codex().with_model(model).with_config(move |config| {
-        config.approval_policy = Constrained::allow_any(approval_policy);
-        config.sandbox_policy = Constrained::allow_any(sandbox_policy.clone());
+        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
+        config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy.clone());
        for feature in features {
            config.features.enable(feature);
        }
@@ -1585,8 +1585,8 @@ async fn approving_apply_patch_for_session_skips_future_prompts_for_same_file()
    let mut builder = test_codex()
        .with_model("gpt-5.1-codex")
        .with_config(move |config| {
-            config.approval_policy = Constrained::allow_any(approval_policy);
-            config.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
+            config.permissions.approval_policy = Constrained::allow_any(approval_policy);
+            config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
        });
    let test = builder.build(&server).await?;

@@ -1692,8 +1692,8 @@ async fn approving_execpolicy_amendment_persists_policy_and_skips_future_prompts
    let sandbox_policy = SandboxPolicy::new_read_only_policy();
    let sandbox_policy_for_config = sandbox_policy.clone();
    let mut builder = test_codex().with_config(move |config| {
-        config.approval_policy = Constrained::allow_any(approval_policy);
-        config.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
+        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
+        config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
    });
    let test = builder.build(&server).await?;
    let allow_prefix_path = test.cwd.path().join("allow-prefix.txt");
--- a/codex-rs/core/tests/suite/client.rs
+++ b/codex-rs/core/tests/suite/client.rs
@@ -973,8 +973,8 @@ async fn user_turn_collaboration_mode_overrides_model_and_effort() -> anyhow::Re
                text_elements: Vec::new(),
            }],
            cwd: config.cwd.clone(),
-            approval_policy: config.approval_policy.value(),
-            sandbox_policy: config.sandbox_policy.get().clone(),
+            approval_policy: config.permissions.approval_policy.value(),
+            sandbox_policy: config.permissions.sandbox_policy.get().clone(),
            model: session_configured.model.clone(),
            effort: Some(ReasoningEffort::Low),
            summary: config.model_reasoning_summary,
--- a/codex-rs/core/tests/suite/codex_delegate.rs
+++ b/codex-rs/core/tests/suite/codex_delegate.rs
@@ -63,8 +63,9 @@ async fn codex_delegate_forwards_exec_approval_and_proceeds_on_approval() {
    // Build a conversation configured to require approvals so the delegate
    // routes ExecApprovalRequest via the parent.
    let mut builder = test_codex().with_model("gpt-5.1").with_config(|config| {
-        config.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
-        config.sandbox_policy = Constrained::allow_any(SandboxPolicy::new_read_only_policy());
+        config.permissions.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
+        config.permissions.sandbox_policy =
+            Constrained::allow_any(SandboxPolicy::new_read_only_policy());
    });
    let test = builder.build(&server).await.expect("build test codex");

@@ -144,9 +145,10 @@ async fn codex_delegate_forwards_patch_approval_and_proceeds_on_decision() {
    mount_sse_sequence(&server, vec![sse1, sse2]).await;

    let mut builder = test_codex().with_model("gpt-5.1").with_config(|config| {
-        config.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
+        config.permissions.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
        // Use a restricted sandbox so patch approval is required
-        config.sandbox_policy = Constrained::allow_any(SandboxPolicy::new_read_only_policy());
+        config.permissions.sandbox_policy =
+            Constrained::allow_any(SandboxPolicy::new_read_only_policy());
        config.include_apply_patch_tool = true;
    });
    let test = builder.build(&server).await.expect("build test codex");
--- a/codex-rs/core/tests/suite/collaboration_instructions.rs
+++ b/codex-rs/core/tests/suite/collaboration_instructions.rs
@@ -165,8 +165,8 @@ async fn collaboration_instructions_added_on_user_turn() -> Result<()> {
                text_elements: Vec::new(),
            }],
            cwd: test.config.cwd.clone(),
-            approval_policy: test.config.approval_policy.value(),
-            sandbox_policy: test.config.sandbox_policy.get().clone(),
+            approval_policy: test.config.permissions.approval_policy.value(),
+            sandbox_policy: test.config.permissions.sandbox_policy.get().clone(),
            model: test.session_configured.model.clone(),
            effort: None,
            summary: test.config.model_reasoning_summary,
@@ -271,8 +271,8 @@ async fn user_turn_overrides_collaboration_instructions_after_override() -> Resu
                text_elements: Vec::new(),
            }],
            cwd: test.config.cwd.clone(),
-            approval_policy: test.config.approval_policy.value(),
-            sandbox_policy: test.config.sandbox_policy.get().clone(),
+            approval_policy: test.config.permissions.approval_policy.value(),
+            sandbox_policy: test.config.permissions.sandbox_policy.get().clone(),
            model: test.session_configured.model.clone(),
            effort: None,
            summary: test.config.model_reasoning_summary,
--- a/codex-rs/core/tests/suite/otel.rs
+++ b/codex-rs/core/tests/suite/otel.rs
@@ -964,8 +964,9 @@ async fn handle_container_exec_autoapprove_from_config_records_tool_decision() {

    let TestCodex { codex, .. } = test_codex()
        .with_config(|config| {
-            config.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
-            config.sandbox_policy = Constrained::allow_any(SandboxPolicy::DangerFullAccess);
+            config.permissions.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
+            config.permissions.sandbox_policy =
+                Constrained::allow_any(SandboxPolicy::DangerFullAccess);
        })
        .build(&server)
        .await
@@ -1015,7 +1016,8 @@ async fn handle_container_exec_user_approved_records_tool_decision() {

    let TestCodex { codex, .. } = test_codex()
        .with_config(|config| {
-            config.approval_policy = Constrained::allow_any(AskForApproval::UnlessTrusted);
+            config.permissions.approval_policy =
+                Constrained::allow_any(AskForApproval::UnlessTrusted);
        })
        .build(&server)
        .await
@@ -1080,7 +1082,8 @@ async fn handle_container_exec_user_approved_for_session_records_tool_decision()

    let TestCodex { codex, .. } = test_codex()
        .with_config(|config| {
-            config.approval_policy = Constrained::allow_any(AskForApproval::UnlessTrusted);
+            config.permissions.approval_policy =
+                Constrained::allow_any(AskForApproval::UnlessTrusted);
        })
        .build(&server)
        .await
@@ -1145,7 +1148,8 @@ async fn handle_sandbox_error_user_approves_retry_records_tool_decision() {

    let TestCodex { codex, .. } = test_codex()
        .with_config(|config| {
-            config.approval_policy = Constrained::allow_any(AskForApproval::UnlessTrusted);
+            config.permissions.approval_policy =
+                Constrained::allow_any(AskForApproval::UnlessTrusted);
        })
        .build(&server)
        .await
@@ -1210,7 +1214,8 @@ async fn handle_container_exec_user_denies_records_tool_decision() {
    .await;
    let TestCodex { codex, .. } = test_codex()
        .with_config(|config| {
-            config.approval_policy = Constrained::allow_any(AskForApproval::UnlessTrusted);
+            config.permissions.approval_policy =
+                Constrained::allow_any(AskForApproval::UnlessTrusted);
        })
        .build(&server)
        .await
@@ -1275,7 +1280,8 @@ async fn handle_sandbox_error_user_approves_for_session_records_tool_decision()

    let TestCodex { codex, .. } = test_codex()
        .with_config(|config| {
-            config.approval_policy = Constrained::allow_any(AskForApproval::UnlessTrusted);
+            config.permissions.approval_policy =
+                Constrained::allow_any(AskForApproval::UnlessTrusted);
        })
        .build(&server)
        .await
@@ -1341,7 +1347,8 @@ async fn handle_sandbox_error_user_denies_records_tool_decision() {

    let TestCodex { codex, .. } = test_codex()
        .with_config(|config| {
-            config.approval_policy = Constrained::allow_any(AskForApproval::UnlessTrusted);
+            config.permissions.approval_policy =
+                Constrained::allow_any(AskForApproval::UnlessTrusted);
        })
        .build(&server)
        .await
--- a/codex-rs/core/tests/suite/override_updates.rs
+++ b/codex-rs/core/tests/suite/override_updates.rs
@@ -108,7 +108,7 @@ async fn override_turn_context_without_user_turn_does_not_record_permissions_upd

    let server = start_mock_server().await;
    let mut builder = test_codex().with_config(|config| {
-        config.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
+        config.permissions.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
    });
    let test = builder.build(&server).await?;

--- a/codex-rs/core/tests/suite/permissions_messages.rs
+++ b/codex-rs/core/tests/suite/permissions_messages.rs
@@ -55,7 +55,7 @@ async fn permissions_message_sent_once_on_start() -> Result<()> {
    .await;

    let mut builder = test_codex().with_config(move |config| {
-        config.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
+        config.permissions.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
    });
    let test = builder.build(&server).await?;

@@ -96,7 +96,7 @@ async fn permissions_message_added_on_override_change() -> Result<()> {
    .await;

    let mut builder = test_codex().with_config(move |config| {
-        config.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
+        config.permissions.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
    });
    let test = builder.build(&server).await?;

@@ -168,7 +168,7 @@ async fn permissions_message_not_added_when_no_change() -> Result<()> {
    .await;

    let mut builder = test_codex().with_config(move |config| {
-        config.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
+        config.permissions.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
    });
    let test = builder.build(&server).await?;

@@ -230,7 +230,7 @@ async fn resume_replays_permissions_messages() -> Result<()> {
    .await;

    let mut builder = test_codex().with_config(|config| {
-        config.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
+        config.permissions.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
    });
    let initial = builder.build(&server).await?;
    let rollout_path = initial
@@ -329,7 +329,7 @@ async fn resume_and_fork_append_permissions_messages() -> Result<()> {
    .await;

    let mut builder = test_codex().with_config(|config| {
-        config.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
+        config.permissions.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
    });
    let initial = builder.build(&server).await?;
    let rollout_path = initial
@@ -384,7 +384,7 @@ async fn resume_and_fork_append_permissions_messages() -> Result<()> {
    assert_eq!(permissions_base.len(), 2);

    builder = builder.with_config(|config| {
-        config.approval_policy = Constrained::allow_any(AskForApproval::UnlessTrusted);
+        config.permissions.approval_policy = Constrained::allow_any(AskForApproval::UnlessTrusted);
    });
    let resumed = builder.resume(&server, home, rollout_path.clone()).await?;
    resumed
@@ -410,7 +410,7 @@ async fn resume_and_fork_append_permissions_messages() -> Result<()> {
    assert!(!permissions_base.contains(permissions_resume.last().expect("new permissions")));

    let mut fork_config = initial.config.clone();
-    fork_config.approval_policy = Constrained::allow_any(AskForApproval::UnlessTrusted);
+    fork_config.permissions.approval_policy = Constrained::allow_any(AskForApproval::UnlessTrusted);
    let forked = initial
        .thread_manager
        .fork_thread(usize::MAX, fork_config, rollout_path, false)
@@ -465,8 +465,8 @@ async fn permissions_message_includes_writable_roots() -> Result<()> {
    let sandbox_policy_for_config = sandbox_policy.clone();

    let mut builder = test_codex().with_config(move |config| {
-        config.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
-        config.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
+        config.permissions.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
+        config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
    });
    let test = builder.build(&server).await?;

--- a/codex-rs/core/tests/suite/personality.rs
+++ b/codex-rs/core/tests/suite/personality.rs
@@ -94,7 +94,7 @@ async fn user_turn_personality_none_does_not_add_update_message() -> anyhow::Res
            }],
            final_output_json_schema: None,
            cwd: test.cwd_path().to_path_buf(),
-            approval_policy: test.config.approval_policy.value(),
+            approval_policy: test.config.permissions.approval_policy.value(),
            sandbox_policy: SandboxPolicy::new_read_only_policy(),
            model: test.session_configured.model.clone(),
            effort: test.config.model_reasoning_effort,
@@ -141,7 +141,7 @@ async fn config_personality_some_sets_instructions_template() -> anyhow::Result<
            }],
            final_output_json_schema: None,
            cwd: test.cwd_path().to_path_buf(),
-            approval_policy: test.config.approval_policy.value(),
+            approval_policy: test.config.permissions.approval_policy.value(),
            sandbox_policy: SandboxPolicy::new_read_only_policy(),
            model: test.session_configured.model.clone(),
            effort: test.config.model_reasoning_effort,
@@ -195,7 +195,7 @@ async fn config_personality_none_sends_no_personality() -> anyhow::Result<()> {
            }],
            final_output_json_schema: None,
            cwd: test.cwd_path().to_path_buf(),
-            approval_policy: test.config.approval_policy.value(),
+            approval_policy: test.config.permissions.approval_policy.value(),
            sandbox_policy: SandboxPolicy::new_read_only_policy(),
            model: test.session_configured.model.clone(),
            effort: test.config.model_reasoning_effort,
@@ -255,7 +255,7 @@ async fn default_personality_is_pragmatic_without_config_toml() -> anyhow::Resul
            }],
            final_output_json_schema: None,
            cwd: test.cwd_path().to_path_buf(),
-            approval_policy: test.config.approval_policy.value(),
+            approval_policy: test.config.permissions.approval_policy.value(),
            sandbox_policy: SandboxPolicy::new_read_only_policy(),
            model: test.session_configured.model.clone(),
            effort: test.config.model_reasoning_effort,
@@ -303,7 +303,7 @@ async fn user_turn_personality_some_adds_update_message() -> anyhow::Result<()>
            }],
            final_output_json_schema: None,
            cwd: test.cwd_path().to_path_buf(),
-            approval_policy: test.config.approval_policy.value(),
+            approval_policy: test.config.permissions.approval_policy.value(),
            sandbox_policy: SandboxPolicy::new_read_only_policy(),
            model: test.session_configured.model.clone(),
            effort: test.config.model_reasoning_effort,
@@ -337,7 +337,7 @@ async fn user_turn_personality_some_adds_update_message() -> anyhow::Result<()>
            }],
            final_output_json_schema: None,
            cwd: test.cwd_path().to_path_buf(),
-            approval_policy: test.config.approval_policy.value(),
+            approval_policy: test.config.permissions.approval_policy.value(),
            sandbox_policy: SandboxPolicy::new_read_only_policy(),
            model: test.session_configured.model.clone(),
            effort: test.config.model_reasoning_effort,
@@ -400,7 +400,7 @@ async fn user_turn_personality_same_value_does_not_add_update_message() -> anyho
            }],
            final_output_json_schema: None,
            cwd: test.cwd_path().to_path_buf(),
-            approval_policy: test.config.approval_policy.value(),
+            approval_policy: test.config.permissions.approval_policy.value(),
            sandbox_policy: SandboxPolicy::new_read_only_policy(),
            model: test.session_configured.model.clone(),
            effort: test.config.model_reasoning_effort,
@@ -434,7 +434,7 @@ async fn user_turn_personality_same_value_does_not_add_update_message() -> anyho
            }],
            final_output_json_schema: None,
            cwd: test.cwd_path().to_path_buf(),
-            approval_policy: test.config.approval_policy.value(),
+            approval_policy: test.config.permissions.approval_policy.value(),
            sandbox_policy: SandboxPolicy::new_read_only_policy(),
            model: test.session_configured.model.clone(),
            effort: test.config.model_reasoning_effort,
@@ -507,7 +507,7 @@ async fn user_turn_personality_skips_if_feature_disabled() -> anyhow::Result<()>
            }],
            final_output_json_schema: None,
            cwd: test.cwd_path().to_path_buf(),
-            approval_policy: test.config.approval_policy.value(),
+            approval_policy: test.config.permissions.approval_policy.value(),
            sandbox_policy: SandboxPolicy::new_read_only_policy(),
            model: test.session_configured.model.clone(),
            effort: test.config.model_reasoning_effort,
@@ -541,7 +541,7 @@ async fn user_turn_personality_skips_if_feature_disabled() -> anyhow::Result<()>
            }],
            final_output_json_schema: None,
            cwd: test.cwd_path().to_path_buf(),
-            approval_policy: test.config.approval_policy.value(),
+            approval_policy: test.config.permissions.approval_policy.value(),
            sandbox_policy: SandboxPolicy::new_read_only_policy(),
            model: test.session_configured.model.clone(),
            effort: test.config.model_reasoning_effort,
--- a/codex-rs/core/tests/suite/prompt_caching.rs
+++ b/codex-rs/core/tests/suite/prompt_caching.rs
@@ -733,8 +733,8 @@ async fn send_user_turn_with_no_changes_does_not_send_environment_context() -> a
        .await?;

    let default_cwd = config.cwd.clone();
-    let default_approval_policy = config.approval_policy.value();
-    let default_sandbox_policy = config.sandbox_policy.get();
+    let default_approval_policy = config.permissions.approval_policy.value();
+    let default_sandbox_policy = config.permissions.sandbox_policy.get();
    let default_model = session_configured.model;
    let default_effort = config.model_reasoning_effort;
    let default_summary = config.model_reasoning_summary;
@@ -841,8 +841,8 @@ async fn send_user_turn_with_changes_sends_environment_context() -> anyhow::Resu
        .await?;

    let default_cwd = config.cwd.clone();
-    let default_approval_policy = config.approval_policy.value();
-    let default_sandbox_policy = config.sandbox_policy.get();
+    let default_approval_policy = config.permissions.approval_policy.value();
+    let default_sandbox_policy = config.permissions.sandbox_policy.get();
    let default_model = session_configured.model;
    let default_effort = config.model_reasoning_effort;
    let default_summary = config.model_reasoning_summary;
--- a/codex-rs/core/tests/suite/remote_models.rs
+++ b/codex-rs/core/tests/suite/remote_models.rs
@@ -177,8 +177,8 @@ async fn remote_models_long_model_slug_is_sent_with_high_reasoning() -> Result<(
            }],
            final_output_json_schema: None,
            cwd: cwd.path().to_path_buf(),
-            approval_policy: config.approval_policy.value(),
-            sandbox_policy: config.sandbox_policy.get().clone(),
+            approval_policy: config.permissions.approval_policy.value(),
+            sandbox_policy: config.permissions.sandbox_policy.get().clone(),
            model: requested_model.to_string(),
            effort: None,
            summary: config.model_reasoning_summary,
--- a/codex-rs/core/tests/suite/resume_warning.rs
+++ b/codex-rs/core/tests/suite/resume_warning.rs
@@ -22,8 +22,8 @@ fn resume_history(
    let turn_ctx = TurnContextItem {
        turn_id: None,
        cwd: config.cwd.clone(),
-        approval_policy: config.approval_policy.value(),
-        sandbox_policy: config.sandbox_policy.get().clone(),
+        approval_policy: config.permissions.approval_policy.value(),
+        sandbox_policy: config.permissions.sandbox_policy.get().clone(),
        model: previous_model.to_string(),
        personality: None,
        collaboration_mode: None,
--- a/codex-rs/core/tests/suite/tools.rs
+++ b/codex-rs/core/tests/suite/tools.rs
@@ -416,6 +416,7 @@ async fn shell_timeout_handles_background_grandchild_stdout() -> Result<()> {
    let server = start_mock_server().await;
    let mut builder = test_codex().with_model("gpt-5.1").with_config(|config| {
        config
+            .permissions
            .sandbox_policy
            .set(SandboxPolicy::DangerFullAccess)
            .expect("set sandbox policy");
@@ -511,7 +512,8 @@ async fn shell_spawn_failure_truncates_exec_error() -> Result<()> {

    let server = start_mock_server().await;
    let mut builder = test_codex().with_config(|cfg| {
-        cfg.sandbox_policy
+        cfg.permissions
+            .sandbox_policy
            .set(SandboxPolicy::DangerFullAccess)
            .expect("set sandbox policy");
    });