telemetry: tag sandboxes from permission profiles

context: remove legacy permissions instructions helper
2026-05-15 19:21:32 +03:00 · 2026-05-15 08:59:38 -07:00 · 2026-05-15 08:59:38 -07:00
5 changed files with 16 additions and 73 deletions
--- a/codex-rs/core/src/context/permissions_instructions.rs
+++ b/codex-rs/core/src/context/permissions_instructions.rs
@@ -8,7 +8,6 @@ use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::GranularApprovalConfig;
 use codex_protocol::protocol::NetworkAccess;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::WritableRoot;
 use codex_utils_template::Template;
 use std::path::Path;
@@ -85,27 +84,6 @@ impl PermissionsInstructions {
        )
    }

-    /// Builds permissions instructions from a legacy sandbox policy.
-    pub fn from_policy(
-        sandbox_policy: &SandboxPolicy,
-        approval_policy: AskForApproval,
-        approvals_reviewer: ApprovalsReviewer,
-        exec_policy: &Policy,
-        cwd: &Path,
-        exec_permission_approvals_enabled: bool,
-        request_permissions_tool_enabled: bool,
-    ) -> Self {
-        Self::from_permission_profile(
-            &PermissionProfile::from_legacy_sandbox_policy(sandbox_policy),
-            approval_policy,
-            approvals_reviewer,
-            exec_policy,
-            cwd,
-            exec_permission_approvals_enabled,
-            request_permissions_tool_enabled,
-        )
-    }
-
    fn from_permissions_with_network(
        sandbox_mode: SandboxMode,
        network_access: NetworkAccess,
--- a/codex-rs/core/src/context/permissions_instructions_tests.rs
+++ b/codex-rs/core/src/context/permissions_instructions_tests.rs
@@ -53,29 +53,6 @@ fn builds_permissions_with_network_access_override() {
    );
 }

-#[test]
-fn builds_permissions_from_policy() {
-    let policy = SandboxPolicy::WorkspaceWrite {
-        writable_roots: vec![],
-        network_access: true,
-        exclude_tmpdir_env_var: false,
-        exclude_slash_tmp: false,
-    };
-
-    let instructions = PermissionsInstructions::from_policy(
-        &policy,
-        AskForApproval::UnlessTrusted,
-        ApprovalsReviewer::User,
-        &Policy::empty(),
-        &PathBuf::from("/tmp"),
-        /*exec_permission_approvals_enabled*/ false,
-        /*request_permissions_tool_enabled*/ false,
-    );
-    let text = instructions.body();
-    assert!(text.contains("Network access is enabled."));
-    assert!(text.contains("`approval_policy` is `unless-trusted`"));
-}
-
 #[test]
 fn builds_permissions_from_profile() {
    let cwd = PathBuf::from("/tmp");
--- a/codex-rs/core/src/sandbox_tags.rs
+++ b/codex-rs/core/src/sandbox_tags.rs
@@ -1,24 +1,10 @@
 use codex_protocol::config_types::WindowsSandboxLevel;
 use codex_protocol::models::PermissionProfile;
-#[cfg(test)]
-use codex_protocol::protocol::SandboxPolicy;
 use codex_sandboxing::SandboxType;
 use codex_sandboxing::get_platform_sandbox;
 use codex_sandboxing::policy_transforms::should_require_platform_sandbox;
 use std::path::Path;

-#[cfg(test)]
-pub(crate) fn sandbox_tag(
-    policy: &SandboxPolicy,
-    windows_sandbox_level: WindowsSandboxLevel,
-) -> &'static str {
-    permission_profile_sandbox_tag(
-        &PermissionProfile::from_legacy_sandbox_policy(policy),
-        windows_sandbox_level,
-        /*enforce_managed_network*/ false,
-    )
-}
-
 pub(crate) fn permission_profile_sandbox_tag(
    profile: &PermissionProfile,
    windows_sandbox_level: WindowsSandboxLevel,
--- a/codex-rs/core/src/sandbox_tags_tests.rs
+++ b/codex-rs/core/src/sandbox_tags_tests.rs
@@ -1,6 +1,5 @@
 use super::permission_profile_policy_tag;
 use super::permission_profile_sandbox_tag;
-use super::sandbox_tag;
 use codex_protocol::config_types::WindowsSandboxLevel;
 use codex_protocol::models::ManagedFileSystemPermissions;
 use codex_protocol::models::PermissionProfile;
@@ -10,8 +9,6 @@ use codex_protocol::permissions::FileSystemSandboxEntry;
 use codex_protocol::permissions::FileSystemSandboxKind;
 use codex_protocol::permissions::FileSystemSandboxPolicy;
 use codex_protocol::permissions::NetworkSandboxPolicy;
-use codex_protocol::protocol::NetworkAccess;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_sandboxing::SandboxType;
 use codex_sandboxing::get_platform_sandbox;
 use codex_utils_absolute_path::AbsolutePathBuf;
@@ -20,29 +17,32 @@ use std::path::Path;

 #[test]
 fn danger_full_access_is_untagged_even_when_linux_sandbox_defaults_apply() {
-    let actual = sandbox_tag(
-        &SandboxPolicy::DangerFullAccess,
+    let actual = permission_profile_sandbox_tag(
+        &PermissionProfile::Disabled,
        WindowsSandboxLevel::Disabled,
+        /*enforce_managed_network*/ false,
    );
    assert_eq!(actual, "none");
 }

 #[test]
 fn external_sandbox_keeps_external_tag_when_linux_sandbox_defaults_apply() {
-    let actual = sandbox_tag(
-        &SandboxPolicy::ExternalSandbox {
-            network_access: NetworkAccess::Enabled,
+    let actual = permission_profile_sandbox_tag(
+        &PermissionProfile::External {
+            network: NetworkSandboxPolicy::Enabled,
        },
        WindowsSandboxLevel::Disabled,
+        /*enforce_managed_network*/ false,
    );
    assert_eq!(actual, "external");
 }

 #[test]
 fn default_linux_sandbox_uses_platform_sandbox_tag() {
-    let actual = sandbox_tag(
-        &SandboxPolicy::new_read_only_policy(),
+    let actual = permission_profile_sandbox_tag(
+        &PermissionProfile::read_only(),
        WindowsSandboxLevel::Disabled,
+        /*enforce_managed_network*/ false,
    );
    let expected = get_platform_sandbox(/*windows_sandbox_enabled*/ false)
        .map(SandboxType::as_metric_tag)
--- a/codex-rs/core/src/turn_metadata_tests.rs
+++ b/codex-rs/core/src/turn_metadata_tests.rs
@@ -1,9 +1,8 @@
 use super::*;

-use crate::sandbox_tags::sandbox_tag;
+use crate::sandbox_tags::permission_profile_sandbox_tag;
 use codex_protocol::models::PermissionProfile;
 use codex_protocol::openai_models::ReasoningEffort as ReasoningEffortConfig;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::ThreadSource;
 use core_test_support::PathBufExt;
 use core_test_support::PathExt;
@@ -89,7 +88,6 @@ async fn build_turn_metadata_header_includes_has_changes_for_clean_repo() {
 fn turn_metadata_state_uses_platform_sandbox_tag() {
    let temp_dir = TempDir::new().expect("temp dir");
    let cwd = temp_dir.path().abs();
-    let sandbox_policy = SandboxPolicy::new_read_only_policy();
    let permission_profile = PermissionProfile::read_only();

    let state = TurnMetadataState::new(
@@ -110,7 +108,11 @@ fn turn_metadata_state_uses_platform_sandbox_tag() {
    let thread_id = json.get("thread_id").and_then(Value::as_str);
    let thread_source = json.get("thread_source").and_then(Value::as_str);

-    let expected_sandbox = sandbox_tag(&sandbox_policy, WindowsSandboxLevel::Disabled);
+    let expected_sandbox = permission_profile_sandbox_tag(
+        &permission_profile,
+        WindowsSandboxLevel::Disabled,
+        /*enforce_managed_network*/ false,
+    );
    assert_eq!(sandbox_name, Some(expected_sandbox));
    assert_eq!(session_id, Some("session-a"));
    assert_eq!(thread_id, Some("thread-a"));
Author	SHA1	Message	Date
Michael Bolin	73e71bc175	telemetry: tag sandboxes from permission profiles	2026-05-15 08:59:38 -07:00
Michael Bolin	a6c29b87b2	context: remove legacy permissions instructions helper	2026-05-15 08:59:38 -07:00