protocol: canonicalize file system permissions (#18274)

## Why `PermissionProfile` needs stable, canonical file-system semantics before it can become the primary runtime permissions abstraction. Without a canonical form, callers have to keep re-deriving legacy sandbox maps and profile comparisons remain lossy or order-dependent. ## What changed This adds canonicalization helpers for `FileSystemPermissions` and `PermissionProfile`, expands special paths into explicit sandbox entries, and updates permission request/conversion paths to consume those canonical entries. It also tightens the legacy bridge so root-wide write profiles with narrower carveouts are not silently projected as full-disk legacy access. ## Verification - `cargo test -p codex-protocol root_write_with_read_only_child_is_not_full_disk_write -- --nocapture` - `cargo test -p codex-sandboxing permission -- --nocapture` - `cargo test -p codex-tui permissions -- --nocapture`
2026-05-05 13:51:29 +03:00 · 2026-04-20 09:57:03 -07:00
parent ac7c9a685f
commit dcec516313
41 changed files with 2076 additions and 385 deletions
--- a/codex-rs/exec-server/src/fs_sandbox.rs
+++ b/codex-rs/exec-server/src/fs_sandbox.rs
@@ -139,10 +139,10 @@ impl FileSystemSandboxRunner {
            .flatten()
            .map(|helper_read_root| PermissionProfile {
                network: None,
-                file_system: Some(FileSystemPermissions {
-                    read: Some(vec![helper_read_root]),
-                    write: None,
-                }),
+                file_system: Some(FileSystemPermissions::from_read_write_roots(
+                    Some(vec![helper_read_root]),
+                    /*write*/ None,
+                )),
            });

        merge_permission_profiles(inherited_permissions.as_ref(), helper_permissions.as_ref())
@@ -504,30 +504,23 @@ mod tests {
                    network: Some(NetworkPermissions {
                        enabled: Some(true),
                    }),
-                    file_system: Some(FileSystemPermissions {
-                        read: Some(vec![]),
-                        write: Some(vec![writable.clone()]),
-                    }),
+                    file_system: Some(FileSystemPermissions::from_read_write_roots(
+                        Some(vec![]),
+                        Some(vec![writable.clone()]),
+                    )),
                }),
                /*include_helper_read_root*/ true,
            )
            .expect("helper permissions");
+        let (read, write) = permissions
+            .file_system
+            .as_ref()
+            .and_then(FileSystemPermissions::legacy_read_write_roots)
+            .expect("helper permissions should stay lossless as legacy read/write roots");

        assert_eq!(permissions.network, None);
-        assert_eq!(
-            permissions
-                .file_system
-                .as_ref()
-                .and_then(|fs| fs.write.clone()),
-            Some(vec![writable])
-        );
-        assert_eq!(
-            permissions
-                .file_system
-                .as_ref()
-                .and_then(|fs| fs.read.clone()),
-            Some(vec![readable])
-        );
+        assert_eq!(write, Some(vec![writable]));
+        assert_eq!(read, Some(vec![readable]));
    }

    #[test]
@@ -646,10 +639,10 @@ mod tests {
        assert_eq!(permissions.network, None);
        assert_eq!(
            permissions.file_system,
-            Some(FileSystemPermissions {
-                read: Some(vec![readable]),
-                write: None,
-            })
+            Some(FileSystemPermissions::from_read_write_roots(
+                Some(vec![readable]),
+                /*write*/ None,
+            ))
        );
    }