core: use permission profiles in small read-only contexts

exec tests: launch sandbox cases from permission profiles
tests: use permission profiles in suite turn submits
2026-05-06 22:31:09 +03:00 · 2026-04-30 03:01:06 -07:00 · 2026-04-30 02:36:30 -07:00 · 2026-04-30 02:36:30 -07:00 · 2026-04-30 02:36:30 -07:00 · 2026-04-30 02:36:30 -07:00
13 changed files with 123 additions and 109 deletions
--- a/codex-rs/analytics/src/analytics_client_tests.rs
+++ b/codex-rs/analytics/src/analytics_client_tests.rs
@@ -98,7 +98,6 @@ use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::HookEventName;
 use codex_protocol::protocol::HookRunStatus;
 use codex_protocol::protocol::HookSource;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::SubAgentSource;
 use codex_protocol::protocol::TokenUsage;
@@ -313,9 +312,7 @@ fn sample_turn_resolved_config(turn_id: &str) -> TurnResolvedConfigFact {
        session_source: SessionSource::Exec,
        model: "gpt-5".to_string(),
        model_provider: "openai".to_string(),
-        permission_profile: CorePermissionProfile::from_legacy_sandbox_policy(
-            &SandboxPolicy::new_read_only_policy(),
-        ),
+        permission_profile: CorePermissionProfile::read_only(),
        permission_profile_cwd: PathBuf::from("/tmp"),
        reasoning_effort: None,
        reasoning_summary: None,
--- a/codex-rs/analytics/src/reducer.rs
+++ b/codex-rs/analytics/src/reducer.rs
@@ -979,7 +979,7 @@ fn sandbox_policy_mode(permission_profile: &PermissionProfile, cwd: &Path) -> &'
                if permission_profile.network_sandbox_policy().is_enabled() {
                    "full_access"
                } else {
-                    "external_sandbox"
+                    "custom_permissions"
                }
            } else if file_system_policy
                .get_writable_roots_with_cwd(cwd)
@@ -1089,7 +1089,7 @@ mod tests {
    use codex_protocol::permissions::NetworkSandboxPolicy;

    #[test]
-    fn managed_full_disk_with_restricted_network_reports_external_sandbox() {
+    fn managed_full_disk_with_restricted_network_reports_custom_permissions() {
        let permission_profile = PermissionProfile::from_runtime_permissions_with_enforcement(
            SandboxEnforcement::Managed,
            &FileSystemSandboxPolicy::unrestricted(),
@@ -1098,7 +1098,7 @@ mod tests {

        assert_eq!(
            sandbox_policy_mode(&permission_profile, Path::new("/")),
-            "external_sandbox"
+            "custom_permissions"
        );
    }
 }
--- a/codex-rs/core/src/agent/role_tests.rs
+++ b/codex-rs/core/src/agent/role_tests.rs
@@ -512,7 +512,8 @@ model_reasoning_effort = "high"
 #[tokio::test]
 #[cfg(not(windows))]
 async fn apply_role_does_not_materialize_default_sandbox_workspace_write_fields() {
-    use codex_protocol::protocol::SandboxPolicy;
+    use codex_protocol::permissions::NetworkSandboxPolicy;
+
    let (home, mut config) = test_config_with_cli_overrides(vec![
        (
            "sandbox_mode".to_string(),
@@ -574,12 +575,13 @@ writable_roots = ["./sandbox-root"]
        false
    );

-    match &config.legacy_sandbox_policy() {
-        SandboxPolicy::WorkspaceWrite { network_access, .. } => {
-            assert_eq!(*network_access, true);
-        }
-        other => panic!("expected workspace-write sandbox policy, got {other:?}"),
-    }
+    assert_eq!(
+        config
+            .permissions
+            .permission_profile()
+            .network_sandbox_policy(),
+        NetworkSandboxPolicy::Enabled,
+    );
 }

 #[tokio::test]
--- a/codex-rs/core/src/context_manager/history_tests.rs
+++ b/codex-rs/core/src/context_manager/history_tests.rs
@@ -13,13 +13,13 @@ use codex_protocol::models::ImageDetail;
 use codex_protocol::models::LocalShellAction;
 use codex_protocol::models::LocalShellExecAction;
 use codex_protocol::models::LocalShellStatus;
+use codex_protocol::models::PermissionProfile;
 use codex_protocol::models::ReasoningItemContent;
 use codex_protocol::models::ReasoningItemReasoningSummary;
 use codex_protocol::openai_models::InputModality;
 use codex_protocol::openai_models::default_input_modalities;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::InterAgentCommunication;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::TurnContextItem;
 use codex_utils_output_truncation::TruncationPolicy;
 use codex_utils_output_truncation::truncate_text;
@@ -119,15 +119,21 @@ fn developer_msg_with_fragments(texts: &[&str]) -> ResponseItem {
 }

 fn reference_context_item() -> TurnContextItem {
+    let cwd = PathBuf::from("/tmp/reference-cwd");
+    let permission_profile = PermissionProfile::read_only();
+    let sandbox_policy = permission_profile
+        .to_legacy_sandbox_policy(cwd.as_path())
+        .expect("read-only permission profile should have a legacy projection");
+
    TurnContextItem {
        turn_id: Some("reference-turn".to_string()),
        trace_id: None,
-        cwd: PathBuf::from("/tmp/reference-cwd"),
+        cwd,
        current_date: Some("2026-03-23".to_string()),
        timezone: Some("America/Los_Angeles".to_string()),
        approval_policy: AskForApproval::OnRequest,
-        sandbox_policy: SandboxPolicy::new_read_only_policy(),
-        permission_profile: None,
+        sandbox_policy,
+        permission_profile: Some(permission_profile),
        network: None,
        file_system_sandbox_policy: None,
        model: "gpt-test".to_string(),
--- a/codex-rs/core/src/guardian/review_session.rs
+++ b/codex-rs/core/src/guardian/review_session.rs
@@ -18,7 +18,6 @@ use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::InitialHistory;
 use codex_protocol::protocol::Op;
 use codex_protocol::protocol::RolloutItem;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::SubAgentSource;
 use codex_protocol::protocol::TokenUsage;
 use serde_json::Value;
@@ -703,6 +702,19 @@ async fn run_review_on_session(
        .await
        .unwrap_or_default();

+    let permission_profile = PermissionProfile::read_only();
+    let sandbox_policy =
+        match permission_profile.to_legacy_sandbox_policy(params.parent_turn.cwd.as_path()) {
+            Ok(sandbox_policy) => sandbox_policy,
+            Err(err) => {
+                return (
+                    GuardianReviewSessionOutcome::SessionFailed(err.into()),
+                    false,
+                    analytics_result,
+                );
+            }
+        };
+
    let submit_result = run_before_review_deadline(
        deadline,
        params.external_cancel.as_ref(),
@@ -712,8 +724,8 @@ async fn run_review_on_session(
            cwd: params.parent_turn.cwd.to_path_buf(),
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: SandboxPolicy::new_read_only_policy(),
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile: Some(permission_profile),
            model: params.model.clone(),
            effort: params.reasoning_effort,
            summary: Some(params.reasoning_summary),
@@ -896,15 +908,14 @@ pub(crate) fn build_guardian_review_session_config(
    );
    guardian_config.developer_instructions = None;
    guardian_config.permissions.approval_policy = Constrained::allow_only(AskForApproval::Never);
-    let sandbox_policy = SandboxPolicy::new_read_only_policy();
-    guardian_config.permissions.permission_profile = Constrained::allow_only(
-        PermissionProfile::from_legacy_sandbox_policy(&sandbox_policy),
-    );
+    let permission_profile = PermissionProfile::read_only();
+    guardian_config.permissions.permission_profile =
+        Constrained::allow_only(permission_profile.clone());
    guardian_config
        .permissions
-        .set_legacy_sandbox_policy(sandbox_policy, guardian_config.cwd.as_path())
+        .set_permission_profile(permission_profile)
        .map_err(|err| {
-            anyhow::anyhow!("guardian review session could not set sandbox policy: {err}")
+            anyhow::anyhow!("guardian review session could not set permission profile: {err}")
        })?;
    guardian_config.include_apps_instructions = false;
    guardian_config
--- a/codex-rs/core/src/guardian/tests.rs
+++ b/codex-rs/core/src/guardian/tests.rs
@@ -38,7 +38,6 @@ use codex_protocol::protocol::GuardianRiskLevel;
 use codex_protocol::protocol::GuardianUserAuthorization;
 use codex_protocol::protocol::ReviewDecision;
 use codex_protocol::protocol::RolloutItem;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::TurnCompleteEvent;
 use core_test_support::PathBufExt;
 use core_test_support::TempDirExt;
@@ -2168,9 +2167,7 @@ async fn guardian_review_session_config_preserves_parent_network_proxy() {
    );
    assert_eq!(
        guardian_config.permissions.permission_profile,
-        Constrained::allow_only(PermissionProfile::from_legacy_sandbox_policy(
-            &SandboxPolicy::new_read_only_policy(),
-        ))
+        Constrained::allow_only(PermissionProfile::read_only())
    );
 }

@@ -2232,9 +2229,7 @@ async fn guardian_review_session_config_uses_live_network_proxy_state() {
            NetworkProxySpec::from_config_and_constraints(
                live_network,
                /*requirements*/ None,
-                &PermissionProfile::from_legacy_sandbox_policy(
-                    &SandboxPolicy::new_read_only_policy(),
-                ),
+                &PermissionProfile::read_only(),
            )
            .expect("live network proxy spec")
        )
--- a/codex-rs/core/src/realtime_context_tests.rs
+++ b/codex-rs/core/src/realtime_context_tests.rs
@@ -13,10 +13,10 @@ use chrono::Utc;
 use codex_git_utils::GitSha;
 use codex_protocol::ThreadId;
 use codex_protocol::models::ContentItem;
+use codex_protocol::models::PermissionProfile;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::GitInfo;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::SessionSource;
 use codex_thread_store::StoredThread;
 use core_test_support::PathBufExt;
@@ -28,6 +28,8 @@ use std::process::Command;
 use tempfile::TempDir;

 fn stored_thread(cwd: &str, title: &str, first_user_message: &str) -> StoredThread {
+    let permission_profile = PermissionProfile::read_only();
+
    StoredThread {
        thread_id: ThreadId::new(),
        rollout_path: Some(PathBuf::from("/tmp/rollout.jsonl")),
@@ -58,7 +60,9 @@ fn stored_thread(cwd: &str, title: &str, first_user_message: &str) -> StoredThre
            repository_url: None,
        }),
        approval_mode: AskForApproval::Never,
-        sandbox_policy: SandboxPolicy::new_read_only_policy(),
+        sandbox_policy: permission_profile
+            .to_legacy_sandbox_policy(std::path::Path::new(cwd))
+            .expect("read-only permission profile should have a legacy projection"),
        token_usage: None,
        first_user_message: Some(first_user_message.to_string()),
        history: None,
--- a/codex-rs/core/src/unified_exec/process_manager_tests.rs
+++ b/codex-rs/core/src/unified_exec/process_manager_tests.rs
@@ -71,16 +71,9 @@ fn exec_server_params_use_env_policy_overlay_contract() {
        .expect("current dir")
        .try_into()
        .expect("absolute path");
-    let sandbox_policy = codex_protocol::protocol::SandboxPolicy::DangerFullAccess;
-    let file_system_sandbox_policy =
-        codex_protocol::permissions::FileSystemSandboxPolicy::from(&sandbox_policy);
+    let permission_profile = codex_protocol::models::PermissionProfile::Disabled;
+    let file_system_sandbox_policy = permission_profile.file_system_sandbox_policy();
    let network_sandbox_policy = codex_protocol::permissions::NetworkSandboxPolicy::Restricted;
-    let permission_profile =
-        codex_protocol::models::PermissionProfile::from_runtime_permissions_with_enforcement(
-            codex_protocol::models::SandboxEnforcement::from_legacy_sandbox_policy(&sandbox_policy),
-            &file_system_sandbox_policy,
-            network_sandbox_policy,
-        );
    let request = ExecRequest {
        command: vec!["bash".to_string(), "-lc".to_string(), "true".to_string()],
        cwd: cwd.clone(),
--- a/codex-rs/core/tests/suite/apply_patch_cli.rs
+++ b/codex-rs/core/tests/suite/apply_patch_cli.rs
@@ -18,7 +18,6 @@ use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::Op;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::user_input::UserInput;
 #[cfg(target_os = "linux")]
 use codex_sandboxing::landlock::CODEX_LINUX_SANDBOX_ARG0;
@@ -36,6 +35,7 @@ use core_test_support::skip_if_remote;
 use core_test_support::test_codex::TestCodexBuilder;
 use core_test_support::test_codex::TestCodexHarness;
 use core_test_support::test_codex::test_codex;
+use core_test_support::test_codex::turn_permission_fields;
 use core_test_support::wait_for_event;
 use core_test_support::wait_for_event_with_timeout;
 use serde_json::json;
@@ -64,6 +64,8 @@ async fn apply_patch_harness_with(
 async fn submit_without_wait(harness: &TestCodexHarness, prompt: &str) -> Result<()> {
    let test = harness.test();
    let session_model = test.session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(PermissionProfile::Disabled, harness.cwd());
    test.codex
        .submit(Op::UserTurn {
            environments: None,
@@ -75,8 +77,8 @@ async fn submit_without_wait(harness: &TestCodexHarness, prompt: &str) -> Result
            cwd: harness.cwd().to_path_buf(),
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: SandboxPolicy::DangerFullAccess,
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
--- a/codex-rs/core/tests/suite/hooks.rs
+++ b/codex-rs/core/tests/suite/hooks.rs
@@ -1943,9 +1943,9 @@ print(json.dumps({{
        fs::remove_file(&marker).context("remove leftover plugin pre tool use marker")?;
    }

-    test.submit_turn_with_policy(
+    test.submit_turn_with_permission_profile(
        "run the shell command blocked by a plugin hook",
-        codex_protocol::protocol::SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

--- a/codex-rs/exec-server/src/server/file_system_handler.rs
+++ b/codex-rs/exec-server/src/server/file_system_handler.rs
@@ -173,8 +173,8 @@ fn map_fs_error(err: io::Error) -> JSONRPCErrorError {

 #[cfg(test)]
 mod tests {
-    use codex_protocol::protocol::NetworkAccess;
-    use codex_protocol::protocol::SandboxPolicy;
+    use codex_protocol::models::PermissionProfile;
+    use codex_protocol::permissions::NetworkSandboxPolicy;
    use codex_utils_absolute_path::AbsolutePathBuf;
    use pretty_assertions::assert_eq;

@@ -195,12 +195,12 @@ mod tests {
        let sandbox_cwd =
            AbsolutePathBuf::from_absolute_path(temp_dir.path()).expect("absolute tempdir");

-        for (file_name, sandbox_policy) in [
-            ("danger.txt", SandboxPolicy::DangerFullAccess),
+        for (file_name, permission_profile) in [
+            ("danger.txt", PermissionProfile::Disabled),
            (
                "external.txt",
-                SandboxPolicy::ExternalSandbox {
-                    network_access: NetworkAccess::Restricted,
+                PermissionProfile::External {
+                    network: NetworkSandboxPolicy::Restricted,
                },
            ),
        ] {
@@ -212,8 +212,8 @@ mod tests {
                .write_file(FsWriteFileParams {
                    path: path.clone(),
                    data_base64: STANDARD.encode("ok"),
-                    sandbox: Some(FileSystemSandboxContext::from_legacy_sandbox_policy(
-                        sandbox_policy.clone(),
+                    sandbox: Some(FileSystemSandboxContext::from_permission_profile_with_cwd(
+                        permission_profile.clone(),
                        sandbox_cwd.clone(),
                    )),
                })
@@ -223,8 +223,8 @@ mod tests {
            let response = handler
                .read_file(FsReadFileParams {
                    path,
-                    sandbox: Some(FileSystemSandboxContext::from_legacy_sandbox_policy(
-                        sandbox_policy,
+                    sandbox: Some(FileSystemSandboxContext::from_permission_profile_with_cwd(
+                        permission_profile,
                        sandbox_cwd.clone(),
                    )),
                })
--- a/codex-rs/exec/tests/suite/sandbox.rs
+++ b/codex-rs/exec/tests/suite/sandbox.rs
@@ -1,6 +1,7 @@
 #![cfg(unix)]
 use codex_core::spawn::StdioPolicy;
-use codex_protocol::protocol::SandboxPolicy;
+use codex_protocol::models::PermissionProfile;
+use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use codex_utils_absolute_path::test_support::PathBufExt;
 use std::collections::HashMap;
@@ -14,7 +15,7 @@ use tokio::process::Child;
 async fn spawn_command_under_sandbox(
    command: Vec<String>,
    command_cwd: AbsolutePathBuf,
-    sandbox_policy: &SandboxPolicy,
+    permission_profile: &PermissionProfile,
    sandbox_cwd: &AbsolutePathBuf,
    stdio_policy: StdioPolicy,
    env: HashMap<String, String>,
@@ -24,7 +25,6 @@ async fn spawn_command_under_sandbox(
    use codex_core::exec::build_exec_request;
    use codex_core::sandboxing::SandboxPermissions;
    use codex_protocol::config_types::WindowsSandboxLevel;
-    use codex_protocol::models::PermissionProfile;
    use std::process::Stdio;

    let codex_linux_sandbox_exe = None;
@@ -42,7 +42,7 @@ async fn spawn_command_under_sandbox(
            justification: None,
            arg0: None,
        },
-        &PermissionProfile::from_legacy_sandbox_policy(sandbox_policy),
+        permission_profile,
        sandbox_cwd,
        &codex_linux_sandbox_exe,
        /*use_legacy_landlock*/ false,
@@ -83,22 +83,20 @@ async fn spawn_command_under_sandbox(
 async fn spawn_command_under_sandbox(
    command: Vec<String>,
    command_cwd: AbsolutePathBuf,
-    sandbox_policy: &SandboxPolicy,
+    permission_profile: &PermissionProfile,
    sandbox_cwd: &AbsolutePathBuf,
    stdio_policy: StdioPolicy,
    env: HashMap<String, String>,
 ) -> std::io::Result<Child> {
    use codex_core::spawn_command_under_linux_sandbox;
-    use codex_protocol::models::PermissionProfile;

    let codex_linux_sandbox_exe = core_test_support::find_codex_linux_sandbox_exe()
        .map_err(|err| io::Error::new(io::ErrorKind::NotFound, err))?;
-    let permission_profile = PermissionProfile::from_legacy_sandbox_policy(sandbox_policy);
    spawn_command_under_linux_sandbox(
        codex_linux_sandbox_exe,
        command,
        command_cwd,
-        &permission_profile,
+        permission_profile,
        sandbox_cwd,
        /*use_legacy_landlock*/ false,
        stdio_policy,
@@ -118,9 +116,16 @@ async fn spawn_command_under_sandbox(
 async fn linux_sandbox_test_env() -> Option<HashMap<String, String>> {
    let command_cwd = AbsolutePathBuf::current_dir().ok()?;
    let sandbox_cwd = command_cwd.clone();
-    let policy = SandboxPolicy::new_read_only_policy();
+    let permission_profile = PermissionProfile::read_only();

-    if can_apply_linux_sandbox_policy(&policy, &command_cwd, &sandbox_cwd, HashMap::new()).await {
+    if can_apply_linux_sandbox_policy(
+        &permission_profile,
+        &command_cwd,
+        &sandbox_cwd,
+        HashMap::new(),
+    )
+    .await
+    {
        return Some(HashMap::new());
    }

@@ -135,7 +140,7 @@ async fn linux_sandbox_test_env() -> Option<HashMap<String, String>> {
 /// This is used as a capability probe so sandbox behavior tests only run when
 /// Landlock enforcement is actually active.
 async fn can_apply_linux_sandbox_policy(
-    policy: &SandboxPolicy,
+    permission_profile: &PermissionProfile,
    command_cwd: &AbsolutePathBuf,
    sandbox_cwd: &AbsolutePathBuf,
    env: HashMap<String, String>,
@@ -143,7 +148,7 @@ async fn can_apply_linux_sandbox_policy(
    let spawn_result = spawn_command_under_sandbox(
        vec!["/usr/bin/true".to_string()],
        command_cwd.clone(),
-        policy,
+        permission_profile,
        sandbox_cwd,
        StdioPolicy::RedirectForShellTool,
        env,
@@ -180,12 +185,12 @@ async fn python_multiprocessing_lock_works_under_sandbox() {
    #[cfg(target_os = "linux")]
    let writable_roots: Vec<AbsolutePathBuf> = vec!["/dev/shm".try_into().unwrap()];

-    let policy = SandboxPolicy::WorkspaceWrite {
-        writable_roots,
-        network_access: false,
-        exclude_tmpdir_env_var: false,
-        exclude_slash_tmp: false,
-    };
+    let permission_profile = PermissionProfile::workspace_write_with(
+        &writable_roots,
+        NetworkSandboxPolicy::Restricted,
+        /*exclude_tmpdir_env_var*/ false,
+        /*exclude_slash_tmp*/ false,
+    );

    let python_code = r#"import multiprocessing
 from multiprocessing import Lock, Process
@@ -210,7 +215,7 @@ if __name__ == '__main__':
            python_code.to_string(),
        ],
        command_cwd,
-        &policy,
+        &permission_profile,
        &sandbox_cwd,
        StdioPolicy::Inherit,
        sandbox_env,
@@ -242,7 +247,7 @@ async fn python_getpwuid_works_under_sandbox() {
        return;
    }

-    let policy = SandboxPolicy::new_read_only_policy();
+    let permission_profile = PermissionProfile::read_only();
    let command_cwd = AbsolutePathBuf::current_dir().expect("should be able to get current dir");
    let sandbox_cwd = command_cwd.clone();

@@ -253,7 +258,7 @@ async fn python_getpwuid_works_under_sandbox() {
            "import pwd, os; print(pwd.getpwuid(os.getuid()))".to_string(),
        ],
        command_cwd,
-        &policy,
+        &permission_profile,
        &sandbox_cwd,
        StdioPolicy::RedirectForShellTool,
        sandbox_env,
@@ -294,12 +299,12 @@ async fn sandbox_distinguishes_command_and_policy_cwds() {
    // Note writable_roots is empty: verify that `canonical_allowed_path` is
    // writable only because it is under the sandbox policy cwd, not because it
    // is under a writable root.
-    let policy = SandboxPolicy::WorkspaceWrite {
-        writable_roots: vec![],
-        network_access: false,
-        exclude_tmpdir_env_var: true,
-        exclude_slash_tmp: true,
-    };
+    let permission_profile = PermissionProfile::workspace_write_with(
+        &[],
+        NetworkSandboxPolicy::Restricted,
+        /*exclude_tmpdir_env_var*/ true,
+        /*exclude_slash_tmp*/ true,
+    );

    // Attempt to write inside the command cwd, which is outside of the sandbox policy cwd.
    let mut child = spawn_command_under_sandbox(
@@ -309,7 +314,7 @@ async fn sandbox_distinguishes_command_and_policy_cwds() {
            "echo forbidden > forbidden.txt".to_string(),
        ],
        command_root.clone(),
-        &policy,
+        &permission_profile,
        &canonical_sandbox_root,
        StdioPolicy::Inherit,
        sandbox_env.clone(),
@@ -340,7 +345,7 @@ async fn sandbox_distinguishes_command_and_policy_cwds() {
            canonical_allowed_path.to_string_lossy().into_owned(),
        ],
        command_root,
-        &policy,
+        &permission_profile,
        &canonical_sandbox_root,
        StdioPolicy::Inherit,
        sandbox_env,
@@ -375,12 +380,12 @@ async fn sandbox_blocks_first_time_dot_codex_creation() {
    create_dir_all(&repo_root).await.expect("mkdir repo");
    let dot_codex = repo_root.join(".codex");
    let config_toml = dot_codex.join("config.toml");
-    let policy = SandboxPolicy::WorkspaceWrite {
-        writable_roots: vec![],
-        network_access: false,
-        exclude_tmpdir_env_var: true,
-        exclude_slash_tmp: true,
-    };
+    let permission_profile = PermissionProfile::workspace_write_with(
+        &[],
+        NetworkSandboxPolicy::Restricted,
+        /*exclude_tmpdir_env_var*/ true,
+        /*exclude_slash_tmp*/ true,
+    );

    let mut child = spawn_command_under_sandbox(
        vec![
@@ -390,7 +395,7 @@ async fn sandbox_blocks_first_time_dot_codex_creation() {
                .to_string(),
        ],
        repo_root.clone(),
-        &policy,
+        &permission_profile,
        &repo_root,
        StdioPolicy::RedirectForShellTool,
        sandbox_env,
@@ -507,7 +512,7 @@ fn unix_sock_body() {
 async fn allow_unix_socketpair_recvfrom() {
    run_code_under_sandbox(
        "allow_unix_socketpair_recvfrom",
-        &SandboxPolicy::new_read_only_policy(),
+        &PermissionProfile::read_only(),
        || async { unix_sock_body() },
    )
    .await
@@ -519,7 +524,7 @@ const IN_SANDBOX_ENV_VAR: &str = "IN_SANDBOX";
 #[expect(clippy::expect_used)]
 pub async fn run_code_under_sandbox<F, Fut>(
    test_selector: &str,
-    policy: &SandboxPolicy,
+    permission_profile: &PermissionProfile,
    child_body: F,
 ) -> io::Result<Option<ExitStatus>>
 where
@@ -544,7 +549,7 @@ where
        let mut child = spawn_command_under_sandbox(
            cmds,
            command_cwd,
-            policy,
+            permission_profile,
            &sandbox_cwd,
            stdio_policy,
            HashMap::from([("IN_SANDBOX".into(), "1".into())]),
--- a/codex-rs/memories/write/src/phase2.rs
+++ b/codex-rs/memories/write/src/phase2.rs
@@ -17,9 +17,10 @@ use codex_config::Constrained;
 use codex_core::config::Config;
 use codex_features::Feature;
 use codex_protocol::ThreadId;
+use codex_protocol::models::PermissionProfile;
+use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_protocol::protocol::AgentStatus;
 use codex_protocol::protocol::AskForApproval;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::TokenUsage;
 use codex_protocol::user_input::UserInput;
 use codex_state::Stage1Output;
@@ -315,18 +316,16 @@ mod agent {
            .features
            .disable(Feature::SkillMcpDependencyInstall);

-        // Sandbox policy
-        let writable_roots = vec![root];
        // The consolidation agent only needs local memory-root write access and no network.
-        let consolidation_sandbox_policy = SandboxPolicy::WorkspaceWrite {
-            writable_roots,
-            network_access: false,
-            exclude_tmpdir_env_var: true,
-            exclude_slash_tmp: true,
-        };
+        let permission_profile = PermissionProfile::workspace_write_with(
+            std::slice::from_ref(&root),
+            NetworkSandboxPolicy::Restricted,
+            /*exclude_tmpdir_env_var*/ true,
+            /*exclude_slash_tmp*/ true,
+        );
        agent_config
            .permissions
-            .set_legacy_sandbox_policy(consolidation_sandbox_policy, agent_config.cwd.as_path())
+            .set_permission_profile(permission_profile)
            .ok()?;

        agent_config.model = Some(
Author	SHA1	Message	Date
Michael Bolin	57094ee86d	core: use permission profiles in small read-only contexts	2026-04-30 03:01:06 -07:00
Michael Bolin	550adee585	exec tests: launch sandbox cases from permission profiles	2026-04-30 02:36:30 -07:00
Michael Bolin	200c83f7d7	tests: use permission profiles in suite turn submits	2026-04-30 02:36:30 -07:00
Michael Bolin	cfeaa5aab1	guardian: configure review session permissions directly	2026-04-30 02:36:30 -07:00
Michael Bolin	75c9c98aed	tests: use permission profiles in small core fixtures	2026-04-30 02:36:30 -07:00
Michael Bolin	d2e3e3613b	exec-server: use permission profiles in file system handler tests	2026-04-30 02:36:30 -07:00
Michael Bolin	57f895a7c0	memories: configure consolidation permissions directly	2026-04-30 02:36:30 -07:00
Michael Bolin	0cc3264ed4	analytics: distinguish custom managed permission profiles	2026-04-30 02:36:30 -07:00
Michael Bolin	05d341f0d4	tests: use permission profiles in guardian config checks	2026-04-30 02:36:30 -07:00