core/protocol: add structured macOS additional permissions and merge them into sandbox execution (#13499)

## Summary
- Introduce strongly-typed macOS additional permissions across
protocol/core/app-server boundaries.
- Merge additional permissions into effective sandbox execution,
including macOS seatbelt profile extensions.
- Expand docs, schema/tool definitions, UI rendering, and tests for
`network`, `file_system`, and `macos` additional permissions.
Celia Chen
2026-03-05 16:21:45 -08:00
committed by GitHub
parent 4e77ea0ec7
commit aaefee04cd
24 changed files with 1013 additions and 379 deletions


@@ -4,12 +4,17 @@ Commands may require user approval before execution. Prefer requesting sandboxed
## Preferred request mode
When you need extra filesystem access for one command, use:
When you need extra sandboxed permissions for one command, use:
- `sandbox_permissions: "with_additional_permissions"`
- `additional_permissions` with one or both fields:
- `additional_permissions` with one or more of:
- `network.enabled`: set to `true` to enable network access
- `file_system.read`: list of paths that need read access
- `file_system.write`: list of paths that need write access
- `macos.preferences`: `readonly` or `readwrite`
- `macos.automations`: list of bundle IDs that need Apple Events access
- `macos.accessibility`: set to `true` to allow accessibility APIs
- `macos.calendar`: set to `true` to allow Calendar access
This keeps execution inside the current sandbox policy, while adding only the requested permissions for that command, unless an exec-policy allow rule applies and authorizes running the command outside the sandbox.
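Review bot: the new `macos.*` bullets name what each field unlocks but give no guidance on scope, whereas the `file_system` bullets are naturally per-path; suggest adding, after the `macos.calendar` line, a short note that these fields only take effect when the sandbox is the macOS seatbelt profile (per the summary, they are merged as seatbelt profile extensions), that `macos.preferences` should stay `readonly` unless a write is actually needed, and that `macos.automations` should list only the specific bundle IDs the command will send Apple Events to, so that the "adding only the requested permissions" sentence at the end holds for the macOS fields as well.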