Add request permissions tool (#13092)

Adds a built-in `request_permissions` tool and wires it through the
Codex core, protocol, and app-server layers so a running turn can ask
the client for additional permissions instead of relying on a static
session policy.

The new flow emits a `RequestPermissions` event from core, tracks the
pending request by call ID, forwards it through app-server v2 as an
`item/permissions/requestApproval` request, and resumes the tool call
once the client returns an approved subset of the requested permission
profile.

codex-rs/core/src/codex_delegate.rs

@@ -13,6 +13,9 @@ use codex_protocol::protocol::RequestUserInputEvent;
 use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::SubAgentSource;
 use codex_protocol::protocol::Submission;
+use codex_protocol::request_permissions::RequestPermissionsArgs;
+use codex_protocol::request_permissions::RequestPermissionsEvent;
+use codex_protocol::request_permissions::RequestPermissionsResponse;
 use codex_protocol::request_user_input::RequestUserInputArgs;
 use codex_protocol::request_user_input::RequestUserInputResponse;
 use codex_protocol::user_input::UserInput;
@@ -251,6 +254,19 @@ async fn forward_events(
                         )
                         .await;
                     }
+                    Event {
+                        msg: EventMsg::RequestPermissions(event),
+                        ..
+                    } => {
+                        handle_request_permissions(
+                            &codex,
+                            &parent_session,
+                            &parent_ctx,
+                            event,
+                            &cancel_token,
+                        )
+                        .await;
+                    }
                     Event {
                         id,
                         msg: EventMsg::RequestUserInput(event),
@@ -425,6 +441,30 @@ async fn handle_request_user_input(
     let _ = codex.submit(Op::UserInputAnswer { id, response }).await;
 }
 
+async fn handle_request_permissions(
+    codex: &Codex,
+    parent_session: &Session,
+    parent_ctx: &TurnContext,
+    event: RequestPermissionsEvent,
+    cancel_token: &CancellationToken,
+) {
+    let call_id = event.call_id;
+    let args = RequestPermissionsArgs {
+        reason: event.reason,
+        permissions: event.permissions,
+    };
+    let response_fut = parent_session.request_permissions(parent_ctx, call_id.clone(), args);
+    let response =
+        await_request_permissions_with_cancel(response_fut, parent_session, &call_id, cancel_token)
+            .await;
+    let _ = codex
+        .submit(Op::RequestPermissionsResponse {
+            id: call_id,
+            response,
+        })
+        .await;
+}
+
 async fn await_user_input_with_cancel<F>(
     fut: F,
     parent_session: &Session,
@@ -451,6 +491,32 @@ where
     }
 }
 
+async fn await_request_permissions_with_cancel<F>(
+    fut: F,
+    parent_session: &Session,
+    call_id: &str,
+    cancel_token: &CancellationToken,
+) -> RequestPermissionsResponse
+where
+    F: core::future::Future<Output = Option<RequestPermissionsResponse>>,
+{
+    tokio::select! {
+        biased;
+        _ = cancel_token.cancelled() => {
+            let empty = RequestPermissionsResponse {
+                permissions: Default::default(),
+            };
+            parent_session
+                .notify_request_permissions_response(call_id, empty.clone())
+                .await;
+            empty
+        }
+        response = fut => response.unwrap_or_else(|| RequestPermissionsResponse {
+            permissions: Default::default(),
+        }),
+    }
+}
+
 /// Await an approval decision, aborting on cancellation.
 async fn await_approval_with_cancel<F>(
     fut: F,
@@ -479,11 +545,16 @@ where
 mod tests {
     use super::*;
     use async_channel::bounded;
+    use codex_protocol::models::NetworkPermissions;
+    use codex_protocol::models::PermissionProfile;
     use codex_protocol::models::ResponseItem;
     use codex_protocol::protocol::AgentStatus;
+    use codex_protocol::protocol::EventMsg;
     use codex_protocol::protocol::RawResponseItemEvent;
     use codex_protocol::protocol::TurnAbortReason;
     use codex_protocol::protocol::TurnAbortedEvent;
+    use codex_protocol::request_permissions::RequestPermissionsEvent;
+    use codex_protocol::request_permissions::RequestPermissionsResponse;
     use pretty_assertions::assert_eq;
     use tokio::sync::watch;
 
@@ -602,4 +673,90 @@ mod tests {
             .expect("forward_ops did not exit")
             .expect("forward_ops join error");
     }
+
+    #[tokio::test]
+    async fn handle_request_permissions_uses_tool_call_id_for_round_trip() {
+        let (parent_session, parent_ctx, rx_events) =
+            crate::codex::make_session_and_context_with_rx().await;
+        *parent_session.active_turn.lock().await = Some(crate::state::ActiveTurn::default());
+
+        let (tx_sub, rx_sub) = bounded(SUBMISSION_CHANNEL_CAPACITY);
+        let (_tx_events, rx_events_child) = bounded(SUBMISSION_CHANNEL_CAPACITY);
+        let (_agent_status_tx, agent_status) = watch::channel(AgentStatus::PendingInit);
+        let codex = Arc::new(Codex {
+            tx_sub,
+            rx_event: rx_events_child,
+            agent_status,
+            session: Arc::clone(&parent_session),
+        });
+
+        let call_id = "tool-call-1".to_string();
+        let expected_response = RequestPermissionsResponse {
+            permissions: PermissionProfile {
+                network: Some(NetworkPermissions {
+                    enabled: Some(true),
+                }),
+                ..PermissionProfile::default()
+            },
+        };
+        let cancel_token = CancellationToken::new();
+        let request_call_id = call_id.clone();
+
+        let handle = tokio::spawn({
+            let codex = Arc::clone(&codex);
+            let parent_session = Arc::clone(&parent_session);
+            let parent_ctx = Arc::clone(&parent_ctx);
+            let cancel_token = cancel_token.clone();
+            async move {
+                handle_request_permissions(
+                    codex.as_ref(),
+                    parent_session.as_ref(),
+                    parent_ctx.as_ref(),
+                    RequestPermissionsEvent {
+                        call_id: request_call_id,
+                        turn_id: "child-turn-1".to_string(),
+                        reason: Some("need access".to_string()),
+                        permissions: PermissionProfile {
+                            network: Some(NetworkPermissions {
+                                enabled: Some(true),
+                            }),
+                            ..PermissionProfile::default()
+                        },
+                    },
+                    &cancel_token,
+                )
+                .await;
+            }
+        });
+
+        let request_event = timeout(Duration::from_secs(1), rx_events.recv())
+            .await
+            .expect("request_permissions event timed out")
+            .expect("request_permissions event missing");
+        let EventMsg::RequestPermissions(request) = request_event.msg else {
+            panic!("expected RequestPermissions event");
+        };
+        assert_eq!(request.call_id, call_id.clone());
+
+        parent_session
+            .notify_request_permissions_response(&call_id, expected_response.clone())
+            .await;
+
+        timeout(Duration::from_secs(1), handle)
+            .await
+            .expect("handle_request_permissions hung")
+            .expect("handle_request_permissions join error");
+
+        let submission = timeout(Duration::from_secs(1), rx_sub.recv())
+            .await
+            .expect("request_permissions response timed out")
+            .expect("request_permissions response missing");
+        assert_eq!(
+            submission.op,
+            Op::RequestPermissionsResponse {
+                id: call_id,
+                response: expected_response,
+            }
+        );
+    }
 }