Add request permissions tool (#13092)

Adds a built-in `request_permissions` tool and wires it through the Codex core, protocol, and app-server layers so a running turn can ask the client for additional permissions instead of relying on a static session policy. The new flow emits a `RequestPermissions` event from core, tracks the pending request by call ID, forwards it through app-server v2 as an `item/permissions/requestApproval` request, and resumes the tool call once the client returns an approved subset of the requested permission profile.
2026-05-02 04:11:39 +03:00 · 2026-03-08 20:23:06 -07:00
parent 4ad3b59de3
commit e6b93841c5
48 changed files with 3332 additions and 130 deletions
--- a/codex-rs/protocol/src/models.rs
+++ b/codex-rs/protocol/src/models.rs
@@ -170,9 +170,13 @@ impl TryFrom<MacOsAutomationPermissionDe> for MacOsAutomationPermission {
 #[derive(Debug, Clone, PartialEq, Eq, Default, Hash, Serialize, Deserialize, JsonSchema, TS)]
 #[serde(default)]
 pub struct MacOsSeatbeltProfileExtensions {
+    #[serde(alias = "preferences")]
    pub macos_preferences: MacOsPreferencesPermission,
+    #[serde(alias = "automations")]
    pub macos_automation: MacOsAutomationPermission,
+    #[serde(alias = "accessibility")]
    pub macos_accessibility: bool,
+    #[serde(alias = "calendar")]
    pub macos_calendar: bool,
 }

@@ -1504,6 +1508,30 @@ mod tests {
        );
    }

+    #[test]
+    fn macos_seatbelt_profile_extensions_deserializes_tool_schema_aliases() {
+        let permissions =
+            serde_json::from_value::<MacOsSeatbeltProfileExtensions>(serde_json::json!({
+                "preferences": "read_write",
+                "automations": ["com.apple.Notes"],
+                "accessibility": true,
+                "calendar": true
+            }))
+            .expect("deserialize macos permissions");
+
+        assert_eq!(
+            permissions,
+            MacOsSeatbeltProfileExtensions {
+                macos_preferences: MacOsPreferencesPermission::ReadWrite,
+                macos_automation: MacOsAutomationPermission::BundleIds(vec![
+                    "com.apple.Notes".to_string(),
+                ]),
+                macos_accessibility: true,
+                macos_calendar: true,
+            }
+        );
+    }
+
    #[test]
    fn macos_automation_permission_deserializes_all_and_none() {
        let all = serde_json::from_str::<MacOsAutomationPermission>("\"all\"")