tests: use permission profiles in request permission suite

tests: use permission profiles in unified exec suite
core: use permission profiles in small read-only contexts
2026-05-14 02:02:25 +03:00 · 2026-04-30 03:01:06 -07:00 · 2026-04-30 03:01:06 -07:00 · 2026-04-30 03:01:06 -07:00 · 2026-04-30 02:36:30 -07:00 · 2026-04-30 02:36:30 -07:00
8 changed files with 251 additions and 210 deletions
--- a/codex-rs/core/src/context_manager/history_tests.rs
+++ b/codex-rs/core/src/context_manager/history_tests.rs
@@ -13,13 +13,13 @@ use codex_protocol::models::ImageDetail;
 use codex_protocol::models::LocalShellAction;
 use codex_protocol::models::LocalShellExecAction;
 use codex_protocol::models::LocalShellStatus;
+use codex_protocol::models::PermissionProfile;
 use codex_protocol::models::ReasoningItemContent;
 use codex_protocol::models::ReasoningItemReasoningSummary;
 use codex_protocol::openai_models::InputModality;
 use codex_protocol::openai_models::default_input_modalities;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::InterAgentCommunication;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::TurnContextItem;
 use codex_utils_output_truncation::TruncationPolicy;
 use codex_utils_output_truncation::truncate_text;
@@ -119,15 +119,21 @@ fn developer_msg_with_fragments(texts: &[&str]) -> ResponseItem {
 }

 fn reference_context_item() -> TurnContextItem {
+    let cwd = PathBuf::from("/tmp/reference-cwd");
+    let permission_profile = PermissionProfile::read_only();
+    let sandbox_policy = permission_profile
+        .to_legacy_sandbox_policy(cwd.as_path())
+        .expect("read-only permission profile should have a legacy projection");
+
    TurnContextItem {
        turn_id: Some("reference-turn".to_string()),
        trace_id: None,
-        cwd: PathBuf::from("/tmp/reference-cwd"),
+        cwd,
        current_date: Some("2026-03-23".to_string()),
        timezone: Some("America/Los_Angeles".to_string()),
        approval_policy: AskForApproval::OnRequest,
-        sandbox_policy: SandboxPolicy::new_read_only_policy(),
-        permission_profile: None,
+        sandbox_policy,
+        permission_profile: Some(permission_profile),
        network: None,
        file_system_sandbox_policy: None,
        model: "gpt-test".to_string(),
--- a/codex-rs/core/src/guardian/review_session.rs
+++ b/codex-rs/core/src/guardian/review_session.rs
@@ -18,7 +18,6 @@ use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::InitialHistory;
 use codex_protocol::protocol::Op;
 use codex_protocol::protocol::RolloutItem;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::SubAgentSource;
 use codex_protocol::protocol::TokenUsage;
 use serde_json::Value;
@@ -703,6 +702,19 @@ async fn run_review_on_session(
        .await
        .unwrap_or_default();

+    let permission_profile = PermissionProfile::read_only();
+    let sandbox_policy =
+        match permission_profile.to_legacy_sandbox_policy(params.parent_turn.cwd.as_path()) {
+            Ok(sandbox_policy) => sandbox_policy,
+            Err(err) => {
+                return (
+                    GuardianReviewSessionOutcome::SessionFailed(err.into()),
+                    false,
+                    analytics_result,
+                );
+            }
+        };
+
    let submit_result = run_before_review_deadline(
        deadline,
        params.external_cancel.as_ref(),
@@ -712,8 +724,8 @@ async fn run_review_on_session(
            cwd: params.parent_turn.cwd.to_path_buf(),
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: SandboxPolicy::new_read_only_policy(),
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile: Some(permission_profile),
            model: params.model.clone(),
            effort: params.reasoning_effort,
            summary: Some(params.reasoning_summary),
@@ -896,15 +908,14 @@ pub(crate) fn build_guardian_review_session_config(
    );
    guardian_config.developer_instructions = None;
    guardian_config.permissions.approval_policy = Constrained::allow_only(AskForApproval::Never);
-    let sandbox_policy = SandboxPolicy::new_read_only_policy();
-    guardian_config.permissions.permission_profile = Constrained::allow_only(
-        PermissionProfile::from_legacy_sandbox_policy(&sandbox_policy),
-    );
+    let permission_profile = PermissionProfile::read_only();
+    guardian_config.permissions.permission_profile =
+        Constrained::allow_only(permission_profile.clone());
    guardian_config
        .permissions
-        .set_legacy_sandbox_policy(sandbox_policy, guardian_config.cwd.as_path())
+        .set_permission_profile(permission_profile)
        .map_err(|err| {
-            anyhow::anyhow!("guardian review session could not set sandbox policy: {err}")
+            anyhow::anyhow!("guardian review session could not set permission profile: {err}")
        })?;
    guardian_config.include_apps_instructions = false;
    guardian_config
--- a/codex-rs/core/src/realtime_context_tests.rs
+++ b/codex-rs/core/src/realtime_context_tests.rs
@@ -13,10 +13,10 @@ use chrono::Utc;
 use codex_git_utils::GitSha;
 use codex_protocol::ThreadId;
 use codex_protocol::models::ContentItem;
+use codex_protocol::models::PermissionProfile;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::GitInfo;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::SessionSource;
 use codex_thread_store::StoredThread;
 use core_test_support::PathBufExt;
@@ -28,6 +28,8 @@ use std::process::Command;
 use tempfile::TempDir;

 fn stored_thread(cwd: &str, title: &str, first_user_message: &str) -> StoredThread {
+    let permission_profile = PermissionProfile::read_only();
+
    StoredThread {
        thread_id: ThreadId::new(),
        rollout_path: Some(PathBuf::from("/tmp/rollout.jsonl")),
@@ -58,7 +60,9 @@ fn stored_thread(cwd: &str, title: &str, first_user_message: &str) -> StoredThre
            repository_url: None,
        }),
        approval_mode: AskForApproval::Never,
-        sandbox_policy: SandboxPolicy::new_read_only_policy(),
+        sandbox_policy: permission_profile
+            .to_legacy_sandbox_policy(std::path::Path::new(cwd))
+            .expect("read-only permission profile should have a legacy projection"),
        token_usage: None,
        first_user_message: Some(first_user_message.to_string()),
        history: None,
--- a/codex-rs/core/tests/suite/apply_patch_cli.rs
+++ b/codex-rs/core/tests/suite/apply_patch_cli.rs
@@ -18,7 +18,6 @@ use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::Op;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::user_input::UserInput;
 #[cfg(target_os = "linux")]
 use codex_sandboxing::landlock::CODEX_LINUX_SANDBOX_ARG0;
@@ -36,6 +35,7 @@ use core_test_support::skip_if_remote;
 use core_test_support::test_codex::TestCodexBuilder;
 use core_test_support::test_codex::TestCodexHarness;
 use core_test_support::test_codex::test_codex;
+use core_test_support::test_codex::turn_permission_fields;
 use core_test_support::wait_for_event;
 use core_test_support::wait_for_event_with_timeout;
 use serde_json::json;
@@ -64,6 +64,8 @@ async fn apply_patch_harness_with(
 async fn submit_without_wait(harness: &TestCodexHarness, prompt: &str) -> Result<()> {
    let test = harness.test();
    let session_model = test.session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(PermissionProfile::Disabled, harness.cwd());
    test.codex
        .submit(Op::UserTurn {
            environments: None,
@@ -75,8 +77,8 @@ async fn submit_without_wait(harness: &TestCodexHarness, prompt: &str) -> Result
            cwd: harness.cwd().to_path_buf(),
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: SandboxPolicy::DangerFullAccess,
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
--- a/codex-rs/core/tests/suite/hooks.rs
+++ b/codex-rs/core/tests/suite/hooks.rs
@@ -1943,9 +1943,9 @@ print(json.dumps({{
        fs::remove_file(&marker).context("remove leftover plugin pre tool use marker")?;
    }

-    test.submit_turn_with_policy(
+    test.submit_turn_with_permission_profile(
        "run the shell command blocked by a plugin hook",
-        codex_protocol::protocol::SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

--- a/codex-rs/core/tests/suite/request_permissions.rs
+++ b/codex-rs/core/tests/suite/request_permissions.rs
@@ -7,13 +7,14 @@ use codex_features::Feature;
 use codex_protocol::config_types::ApprovalsReviewer;
 use codex_protocol::models::AdditionalPermissionProfile as PermissionProfile;
 use codex_protocol::models::FileSystemPermissions;
+use codex_protocol::models::PermissionProfile as RuntimePermissionProfile;
+use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::ExecApprovalRequestEvent;
 use codex_protocol::protocol::GranularApprovalConfig;
 use codex_protocol::protocol::Op;
 use codex_protocol::protocol::ReviewDecision;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::request_permissions::PermissionGrantScope;
 use codex_protocol::request_permissions::RequestPermissionProfile;
 use codex_protocol::request_permissions::RequestPermissionsResponse;
@@ -31,6 +32,7 @@ use core_test_support::skip_if_no_network;
 use core_test_support::skip_if_sandbox;
 use core_test_support::test_codex::TestCodex;
 use core_test_support::test_codex::test_codex;
+use core_test_support::test_codex::turn_permission_fields;
 use core_test_support::wait_for_event;
 use pretty_assertions::assert_eq;
 use regex_lite::Regex;
@@ -182,9 +184,11 @@ async fn submit_turn(
    test: &TestCodex,
    prompt: &str,
    approval_policy: AskForApproval,
-    sandbox_policy: SandboxPolicy,
+    permission_profile: RuntimePermissionProfile,
 ) -> Result<()> {
    let session_model = test.session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(permission_profile, test.cwd.path());
    test.codex
        .submit(Op::UserTurn {
            environments: None,
@@ -197,7 +201,7 @@ async fn submit_turn(
            approval_policy,
            approvals_reviewer: Some(ApprovalsReviewer::User),
            sandbox_policy,
-            permission_profile: None,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -283,13 +287,13 @@ async fn expect_request_permissions_event(
    }
 }

-fn workspace_write_excluding_tmp() -> SandboxPolicy {
-    SandboxPolicy::WorkspaceWrite {
-        writable_roots: vec![],
-        network_access: false,
-        exclude_tmpdir_env_var: true,
-        exclude_slash_tmp: true,
-    }
+fn workspace_write_excluding_tmp() -> RuntimePermissionProfile {
+    RuntimePermissionProfile::workspace_write_with(
+        &[],
+        NetworkSandboxPolicy::Restricted,
+        /*exclude_tmpdir_env_var*/ true,
+        /*exclude_slash_tmp*/ true,
+    )
 }

 fn requested_directory_write_permissions(path: &Path) -> RequestPermissionProfile {
@@ -319,14 +323,15 @@ async fn with_additional_permissions_requires_approval_under_on_request() -> Res

    let server = start_mock_server().await;
    let approval_policy = AskForApproval::OnRequest;
-    let sandbox_policy = SandboxPolicy::new_read_only_policy();
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = RuntimePermissionProfile::read_only();
+    let permission_profile_for_config = permission_profile.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy_for_config)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile_for_config)
+            .expect("set permission profile");
        config
            .features
            .enable(Feature::ExecPermissionApprovals)
@@ -372,7 +377,7 @@ async fn with_additional_permissions_requires_approval_under_on_request() -> Res
    )
    .await;

-    submit_turn(&test, call_id, approval_policy, sandbox_policy.clone()).await?;
+    submit_turn(&test, call_id, approval_policy, permission_profile.clone()).await?;
    let approval = expect_exec_approval(&test, command).await;
    assert_eq!(
        approval.additional_permissions,
@@ -416,14 +421,15 @@ async fn request_permissions_tool_is_auto_denied_when_granular_request_permissio
        request_permissions: false,
        mcp_elicitations: true,
    });
-    let sandbox_policy = SandboxPolicy::new_read_only_policy();
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = RuntimePermissionProfile::read_only();
+    let permission_profile_for_config = permission_profile.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy_for_config)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile_for_config)
+            .expect("set permission profile");
        config
            .features
            .enable(Feature::RequestPermissionsTool)
@@ -463,7 +469,7 @@ async fn request_permissions_tool_is_auto_denied_when_granular_request_permissio
        &test,
        "request permissions under granular.request_permissions = false",
        approval_policy,
-        sandbox_policy,
+        permission_profile,
    )
    .await?;

@@ -501,14 +507,15 @@ async fn relative_additional_permissions_resolve_against_tool_workdir() -> Resul

    let server = start_mock_server().await;
    let approval_policy = AskForApproval::OnRequest;
-    let sandbox_policy = SandboxPolicy::new_read_only_policy();
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = RuntimePermissionProfile::read_only();
+    let permission_profile_for_config = permission_profile.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy_for_config)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile_for_config)
+            .expect("set permission profile");
        config
            .features
            .enable(Feature::ExecPermissionApprovals)
@@ -564,7 +571,7 @@ async fn relative_additional_permissions_resolve_against_tool_workdir() -> Resul
    )
    .await;

-    submit_turn(&test, call_id, approval_policy, sandbox_policy.clone()).await?;
+    submit_turn(&test, call_id, approval_policy, permission_profile.clone()).await?;

    let approval = expect_exec_approval(&test, command).await;
    assert_eq!(
@@ -604,14 +611,15 @@ async fn read_only_with_additional_permissions_does_not_widen_to_unrequested_cwd

    let server = start_mock_server().await;
    let approval_policy = AskForApproval::OnRequest;
-    let sandbox_policy = SandboxPolicy::new_read_only_policy();
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = RuntimePermissionProfile::read_only();
+    let permission_profile_for_config = permission_profile.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy_for_config)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile_for_config)
+            .expect("set permission profile");
        config
            .features
            .enable(Feature::ExecPermissionApprovals)
@@ -660,7 +668,7 @@ async fn read_only_with_additional_permissions_does_not_widen_to_unrequested_cwd
    )
    .await;

-    submit_turn(&test, call_id, approval_policy, sandbox_policy.clone()).await?;
+    submit_turn(&test, call_id, approval_policy, permission_profile.clone()).await?;

    let approval = expect_exec_approval(&test, &command).await;
    assert_eq!(
@@ -706,14 +714,15 @@ async fn read_only_with_additional_permissions_does_not_widen_to_unrequested_tmp

    let server = start_mock_server().await;
    let approval_policy = AskForApproval::OnRequest;
-    let sandbox_policy = SandboxPolicy::new_read_only_policy();
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = RuntimePermissionProfile::read_only();
+    let permission_profile_for_config = permission_profile.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy_for_config)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile_for_config)
+            .expect("set permission profile");
        config
            .features
            .enable(Feature::ExecPermissionApprovals)
@@ -763,7 +772,7 @@ async fn read_only_with_additional_permissions_does_not_widen_to_unrequested_tmp
    )
    .await;

-    submit_turn(&test, call_id, approval_policy, sandbox_policy.clone()).await?;
+    submit_turn(&test, call_id, approval_policy, permission_profile.clone()).await?;

    let approval = expect_exec_approval(&test, &command).await;
    assert_eq!(
@@ -807,14 +816,15 @@ async fn workspace_write_with_additional_permissions_can_write_outside_cwd() ->

    let server = start_mock_server().await;
    let approval_policy = AskForApproval::OnRequest;
-    let sandbox_policy = workspace_write_excluding_tmp();
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = workspace_write_excluding_tmp();
+    let permission_profile_for_config = permission_profile.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy_for_config)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile_for_config)
+            .expect("set permission profile");
        config
            .features
            .enable(Feature::ExecPermissionApprovals)
@@ -873,7 +883,7 @@ async fn workspace_write_with_additional_permissions_can_write_outside_cwd() ->
    )
    .await;

-    submit_turn(&test, call_id, approval_policy, sandbox_policy.clone()).await?;
+    submit_turn(&test, call_id, approval_policy, permission_profile.clone()).await?;

    let approval = expect_exec_approval(&test, &command).await;
    assert_eq!(
@@ -913,14 +923,15 @@ async fn with_additional_permissions_denied_approval_blocks_execution() -> Resul
    skip_if_no_network!(Ok(()));
    let server = start_mock_server().await;
    let approval_policy = AskForApproval::OnRequest;
-    let sandbox_policy = workspace_write_excluding_tmp();
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = workspace_write_excluding_tmp();
+    let permission_profile_for_config = permission_profile.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy_for_config)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile_for_config)
+            .expect("set permission profile");
        config
            .features
            .enable(Feature::ExecPermissionApprovals)
@@ -977,7 +988,7 @@ async fn with_additional_permissions_denied_approval_blocks_execution() -> Resul
    )
    .await;

-    submit_turn(&test, call_id, approval_policy, sandbox_policy.clone()).await?;
+    submit_turn(&test, call_id, approval_policy, permission_profile.clone()).await?;

    let approval = expect_exec_approval(&test, &command).await;
    assert_eq!(
@@ -1020,14 +1031,15 @@ async fn request_permissions_grants_apply_to_later_exec_command_calls() -> Resul

    let server = start_mock_server().await;
    let approval_policy = AskForApproval::OnRequest;
-    let sandbox_policy = workspace_write_excluding_tmp();
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = workspace_write_excluding_tmp();
+    let permission_profile_for_config = permission_profile.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy_for_config)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile_for_config)
+            .expect("set permission profile");
        config
            .features
            .enable(Feature::ExecPermissionApprovals)
@@ -1091,7 +1103,7 @@ async fn request_permissions_grants_apply_to_later_exec_command_calls() -> Resul
        &test,
        "write outside the workspace",
        approval_policy,
-        sandbox_policy,
+        permission_profile,
    )
    .await?;

@@ -1146,14 +1158,15 @@ async fn request_permissions_preapprove_explicit_exec_permissions_outside_on_req

    let server = start_mock_server().await;
    let approval_policy = AskForApproval::OnRequest;
-    let sandbox_policy = workspace_write_excluding_tmp();
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = workspace_write_excluding_tmp();
+    let permission_profile_for_config = permission_profile.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy_for_config)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile_for_config)
+            .expect("set permission profile");
        config
            .features
            .enable(Feature::ExecPermissionApprovals)
@@ -1208,7 +1221,7 @@ async fn request_permissions_preapprove_explicit_exec_permissions_outside_on_req
        &test,
        "write outside the workspace",
        approval_policy,
-        sandbox_policy,
+        permission_profile,
    )
    .await?;

@@ -1266,14 +1279,15 @@ async fn request_permissions_grants_apply_to_later_shell_command_calls() -> Resu

    let server = start_mock_server().await;
    let approval_policy = AskForApproval::OnRequest;
-    let sandbox_policy = workspace_write_excluding_tmp();
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = workspace_write_excluding_tmp();
+    let permission_profile_for_config = permission_profile.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy_for_config)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile_for_config)
+            .expect("set permission profile");
        config
            .features
            .enable(Feature::ExecPermissionApprovals)
@@ -1324,7 +1338,7 @@ async fn request_permissions_grants_apply_to_later_shell_command_calls() -> Resu
        &test,
        "write outside the workspace",
        approval_policy,
-        sandbox_policy,
+        permission_profile,
    )
    .await?;

@@ -1380,14 +1394,15 @@ async fn request_permissions_grants_apply_to_later_shell_command_calls_without_i

    let server = start_mock_server().await;
    let approval_policy = AskForApproval::OnRequest;
-    let sandbox_policy = workspace_write_excluding_tmp();
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = workspace_write_excluding_tmp();
+    let permission_profile_for_config = permission_profile.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy_for_config)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile_for_config)
+            .expect("set permission profile");
        config
            .features
            .enable(Feature::RequestPermissionsTool)
@@ -1436,7 +1451,7 @@ async fn request_permissions_grants_apply_to_later_shell_command_calls_without_i
        &test,
        "write outside the workspace without inline permission feature",
        approval_policy,
-        sandbox_policy,
+        permission_profile,
    )
    .await?;

@@ -1494,14 +1509,15 @@ async fn partial_request_permissions_grants_do_not_preapprove_new_permissions()

    let server = start_mock_server().await;
    let approval_policy = AskForApproval::OnRequest;
-    let sandbox_policy = workspace_write_excluding_tmp();
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = workspace_write_excluding_tmp();
+    let permission_profile_for_config = permission_profile.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy_for_config)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile_for_config)
+            .expect("set permission profile");
        config
            .features
            .enable(Feature::ExecPermissionApprovals)
@@ -1588,7 +1604,7 @@ async fn partial_request_permissions_grants_do_not_preapprove_new_permissions()
        &test,
        "write outside the workspace",
        approval_policy,
-        sandbox_policy,
+        permission_profile,
    )
    .await?;

@@ -1660,14 +1676,15 @@ async fn request_permissions_grants_do_not_carry_across_turns() -> Result<()> {

    let server = start_mock_server().await;
    let approval_policy = AskForApproval::OnRequest;
-    let sandbox_policy = workspace_write_excluding_tmp();
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = workspace_write_excluding_tmp();
+    let permission_profile_for_config = permission_profile.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy_for_config)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile_for_config)
+            .expect("set permission profile");
        config
            .features
            .enable(Feature::ExecPermissionApprovals)
@@ -1709,7 +1726,7 @@ async fn request_permissions_grants_do_not_carry_across_turns() -> Result<()> {
        &test,
        "request permissions for later use",
        approval_policy,
-        sandbox_policy.clone(),
+        permission_profile.clone(),
    )
    .await?;

@@ -1754,7 +1771,7 @@ async fn request_permissions_grants_do_not_carry_across_turns() -> Result<()> {
        &test,
        "try to reuse permissions in a later turn",
        approval_policy,
-        sandbox_policy,
+        permission_profile,
    )
    .await?;
    wait_for_completion(&test).await;
@@ -1775,14 +1792,15 @@ async fn request_permissions_session_grants_carry_across_turns() -> Result<()> {

    let server = start_mock_server().await;
    let approval_policy = AskForApproval::OnRequest;
-    let sandbox_policy = workspace_write_excluding_tmp();
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = workspace_write_excluding_tmp();
+    let permission_profile_for_config = permission_profile.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy_for_config)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile_for_config)
+            .expect("set permission profile");
        config
            .features
            .enable(Feature::ExecPermissionApprovals)
@@ -1829,7 +1847,7 @@ async fn request_permissions_session_grants_carry_across_turns() -> Result<()> {
        &test,
        "request session permissions for later use",
        approval_policy,
-        sandbox_policy.clone(),
+        permission_profile.clone(),
    )
    .await?;

@@ -1871,7 +1889,7 @@ async fn request_permissions_session_grants_carry_across_turns() -> Result<()> {
        &test,
        "reuse session permissions in a later turn",
        approval_policy,
-        sandbox_policy,
+        permission_profile,
    )
    .await?;

--- a/codex-rs/core/tests/suite/unified_exec.rs
+++ b/codex-rs/core/tests/suite/unified_exec.rs
@@ -14,7 +14,6 @@ use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::ExecCommandSource;
 use codex_protocol::protocol::ExecCommandStatus;
 use codex_protocol::protocol::Op;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::user_input::UserInput;
 use core_test_support::assert_regex_match;
 use core_test_support::process::process_is_alive;
@@ -33,6 +32,7 @@ use core_test_support::skip_if_windows;
 use core_test_support::test_codex::TestCodex;
 use core_test_support::test_codex::TestCodexHarness;
 use core_test_support::test_codex::test_codex;
+use core_test_support::test_codex::turn_permission_fields;
 use core_test_support::wait_for_event;
 use core_test_support::wait_for_event_match;
 use core_test_support::wait_for_event_with_timeout;
@@ -183,9 +183,11 @@ async fn wait_for_raw_unified_exec_output(
 async fn submit_unified_exec_turn(
    test: &TestCodex,
    prompt: &str,
-    sandbox_policy: SandboxPolicy,
+    permission_profile: PermissionProfile,
 ) -> Result<()> {
    let session_model = test.session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(permission_profile, test.config.cwd.as_path());

    test.codex
        .submit(Op::UserTurn {
@@ -199,7 +201,7 @@ async fn submit_unified_exec_turn(
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
            sandbox_policy,
-            permission_profile: None,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -271,6 +273,8 @@ async fn unified_exec_intercepts_apply_patch_exec_command() -> Result<()> {
    let codex = test.codex.clone();
    let cwd = test.cwd_path().to_path_buf();
    let session_model = test.session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(PermissionProfile::Disabled, cwd.as_path());

    codex
        .submit(Op::UserTurn {
@@ -283,8 +287,8 @@ async fn unified_exec_intercepts_apply_patch_exec_command() -> Result<()> {
            cwd,
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: SandboxPolicy::DangerFullAccess,
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -402,7 +406,7 @@ async fn unified_exec_emits_exec_command_begin_event() -> Result<()> {
    ];
    mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "emit begin event", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "emit begin event", PermissionProfile::Disabled).await?;

    let begin_event = wait_for_event_match(&test.codex, |msg| match msg {
        EventMsg::ExecCommandBegin(event) if event.call_id == call_id => Some(event.clone()),
@@ -466,7 +470,7 @@ async fn unified_exec_resolves_relative_workdir() -> Result<()> {
    submit_unified_exec_turn(
        &test,
        "run relative workdir test",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -531,7 +535,7 @@ async fn unified_exec_respects_workdir_override() -> Result<()> {
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "run workdir test", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "run workdir test", PermissionProfile::Disabled).await?;

    let begin_event = wait_for_event_match(&test.codex, |msg| match msg {
        EventMsg::ExecCommandBegin(event) if event.call_id == call_id => Some(event.clone()),
@@ -608,7 +612,7 @@ async fn unified_exec_emits_exec_command_end_event() -> Result<()> {
    ];
    mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "emit end event", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "emit end event", PermissionProfile::Disabled).await?;

    let end_event = wait_for_event_match(&test.codex, |msg| match msg {
        EventMsg::ExecCommandEnd(ev) if ev.call_id == call_id => Some(ev.clone()),
@@ -666,7 +670,7 @@ async fn unified_exec_emits_output_delta_for_exec_command() -> Result<()> {
    ];
    mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "emit delta", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "emit delta", PermissionProfile::Disabled).await?;

    let event = wait_for_event_match(&test.codex, |msg| match msg {
        EventMsg::ExecCommandEnd(ev) if ev.call_id == call_id => Some(ev.clone()),
@@ -728,7 +732,7 @@ async fn unified_exec_full_lifecycle_with_background_end_event() -> Result<()> {
    submit_unified_exec_turn(
        &test,
        "exercise full unified exec lifecycle",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -871,7 +875,7 @@ async fn unified_exec_short_lived_network_denial_emits_failed_end_event() -> Res
 #[allow(clippy::expect_used)]
 async fn unified_exec_network_denial_test(
    server: &wiremock::MockServer,
-) -> Result<(TestCodex, SandboxPolicy)> {
+) -> Result<(TestCodex, PermissionProfile)> {
    use codex_config::ConfigLayerStack;
    use codex_config::ConfigLayerStackOrdering;
    use codex_config::Constrained;
@@ -879,6 +883,7 @@ async fn unified_exec_network_denial_test(
    use codex_config::NetworkRequirementsToml;
    use codex_config::RequirementSource;
    use codex_config::Sourced;
+    use codex_protocol::permissions::NetworkSandboxPolicy;
    use std::sync::Arc;
    use tempfile::TempDir;

@@ -896,11 +901,13 @@ mode = "limited"
 allow_local_binding = true
 "#,
    )?;
-    let mut sandbox_policy = SandboxPolicy::new_workspace_write_policy();
-    if let SandboxPolicy::WorkspaceWrite { network_access, .. } = &mut sandbox_policy {
-        *network_access = true;
-    }
-    let sandbox_policy_for_config = sandbox_policy.clone();
+    let permission_profile = PermissionProfile::workspace_write_with(
+        &[],
+        NetworkSandboxPolicy::Enabled,
+        /*exclude_tmpdir_env_var*/ false,
+        /*exclude_slash_tmp*/ false,
+    );
+    let permission_profile_for_config = permission_profile.clone();
    let mut builder = test_codex().with_home(home).with_config(move |config| {
        config.use_experimental_unified_exec_tool = true;
        config
@@ -908,9 +915,8 @@ allow_local_binding = true
            .enable(Feature::UnifiedExec)
            .expect("test config should allow feature update");
        config.permissions.approval_policy = Constrained::allow_any(AskForApproval::Never);
-        config.permissions.permission_profile = Constrained::allow_any(
-            PermissionProfile::from_legacy_sandbox_policy(&sandbox_policy_for_config),
-        );
+        config.permissions.permission_profile =
+            Constrained::allow_any(permission_profile_for_config);
        let layers = config
            .config_layer_stack
            .get_layers(
@@ -947,7 +953,7 @@ allow_local_binding = true
        "expected managed network proxy config to be present"
    );

-    Ok((test, sandbox_policy))
+    Ok((test, permission_profile))
 }

 async fn mount_unified_exec_network_denial_responses(
@@ -1065,7 +1071,7 @@ async fn unified_exec_emits_terminal_interaction_for_write_stdin() -> Result<()>
    ];
    mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "stdin delta", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "stdin delta", PermissionProfile::Disabled).await?;

    let mut terminal_interaction = None;

@@ -1185,7 +1191,7 @@ async fn unified_exec_terminal_interaction_captures_delayed_output() -> Result<(
    submit_unified_exec_turn(
        &test,
        "delayed terminal interaction output",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -1330,7 +1336,7 @@ async fn unified_exec_emits_one_begin_and_one_end_event() -> Result<()> {
    submit_unified_exec_turn(
        &test,
        "check poll event behavior",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -1420,7 +1426,7 @@ async fn exec_command_reports_chunk_and_exit_metadata() -> Result<()> {
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "run metadata test", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "run metadata test", PermissionProfile::Disabled).await?;

    wait_for_event(&test.codex, |event| {
        matches!(event, EventMsg::TurnComplete(_))
@@ -1519,7 +1525,7 @@ async fn exec_command_clamps_model_requested_max_output_tokens_to_policy() -> Re
    submit_unified_exec_turn(
        &test,
        "run clamped max output test",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -1602,7 +1608,7 @@ async fn write_stdin_clamps_model_requested_max_output_tokens_to_policy() -> Res
    submit_unified_exec_turn(
        &test,
        "run clamped write_stdin output test",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -1667,7 +1673,7 @@ async fn unified_exec_defaults_to_pipe() -> Result<()> {
    submit_unified_exec_turn(
        &test,
        "check default pipe mode",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -1734,7 +1740,7 @@ async fn unified_exec_can_enable_tty() -> Result<()> {
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "check tty enabled", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "check tty enabled", PermissionProfile::Disabled).await?;

    wait_for_event(&test.codex, |event| {
        matches!(event, EventMsg::TurnComplete(_))
@@ -1801,7 +1807,7 @@ async fn unified_exec_respects_early_exit_notifications() -> Result<()> {
    submit_unified_exec_turn(
        &test,
        "watch early exit timing",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -1920,7 +1926,7 @@ async fn write_stdin_returns_exit_metadata_and_clears_session() -> Result<()> {
    submit_unified_exec_turn(
        &test,
        "test write_stdin exit behavior",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await?;

@@ -2073,7 +2079,7 @@ async fn unified_exec_emits_end_event_when_session_dies_via_stdin() -> Result<()
    ];
    mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "end on exit", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "end on exit", PermissionProfile::Disabled).await?;

    // We expect the ExecCommandEnd event to match the initial exec_command call_id.
    let end_event = wait_for_event_match(&test.codex, |msg| match msg {
@@ -2139,6 +2145,8 @@ async fn unified_exec_keeps_long_running_session_after_turn_end() -> Result<()>
    mount_sse_sequence(&server, responses).await;

    let session_model = session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(PermissionProfile::Disabled, cwd.path());

    codex
        .submit(Op::UserTurn {
@@ -2151,8 +2159,8 @@ async fn unified_exec_keeps_long_running_session_after_turn_end() -> Result<()>
            cwd: cwd.path().to_path_buf(),
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: SandboxPolicy::DangerFullAccess,
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -2234,6 +2242,8 @@ async fn unified_exec_interrupt_preserves_long_running_session() -> Result<()> {
    mount_sse_sequence(&server, responses).await;

    let session_model = session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(PermissionProfile::Disabled, cwd.path());

    codex
        .submit(Op::UserTurn {
@@ -2246,8 +2256,8 @@ async fn unified_exec_interrupt_preserves_long_running_session() -> Result<()> {
            cwd: cwd.path().to_path_buf(),
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: SandboxPolicy::DangerFullAccess,
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -2339,7 +2349,7 @@ async fn unified_exec_reuses_session_via_stdin() -> Result<()> {
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "run unified exec", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "run unified exec", PermissionProfile::Disabled).await?;

    wait_for_event(&test.codex, |event| {
        matches!(event, EventMsg::TurnComplete(_))
@@ -2457,12 +2467,7 @@ PY
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(
-        &test,
-        "exercise lag handling",
-        SandboxPolicy::DangerFullAccess,
-    )
-    .await?;
+    submit_unified_exec_turn(&test, "exercise lag handling", PermissionProfile::Disabled).await?;
    // This is a worst case scenario for the truncate logic, and CI can spend a
    // while draining the lagged tail before the follow-up tool call completes.
    wait_for_event_with_timeout(
@@ -2557,7 +2562,7 @@ async fn unified_exec_timeout_and_followup_poll() -> Result<()> {
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(&test, "check timeout", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "check timeout", PermissionProfile::Disabled).await?;

    loop {
        let event = test.codex.next_event().await.expect("event");
@@ -2633,12 +2638,7 @@ PY
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(
-        &test,
-        "summarize large output",
-        SandboxPolicy::DangerFullAccess,
-    )
-    .await?;
+    submit_unified_exec_turn(&test, "summarize large output", PermissionProfile::Disabled).await?;

    wait_for_event(&test.codex, |event| {
        matches!(event, EventMsg::TurnComplete(_))
@@ -2708,6 +2708,8 @@ async fn unified_exec_runs_under_sandbox() -> Result<()> {
    let request_log = mount_sse_sequence(&server, responses).await;

    let session_model = session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(PermissionProfile::read_only(), cwd.path());

    codex
        .submit(Op::UserTurn {
@@ -2721,8 +2723,8 @@ async fn unified_exec_runs_under_sandbox() -> Result<()> {
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
            // Important!
-            sandbox_policy: SandboxPolicy::new_read_only_policy(),
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -2753,7 +2755,6 @@ async fn unified_exec_runs_under_sandbox() -> Result<()> {
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn unified_exec_enforces_glob_deny_read_policy() -> Result<()> {
    use codex_config::Constrained;
-    use codex_protocol::models::PermissionProfile;
    use codex_protocol::permissions::FileSystemAccessMode;
    use codex_protocol::permissions::FileSystemPath;
    use codex_protocol::permissions::FileSystemSandboxEntry;
@@ -2764,16 +2765,11 @@ async fn unified_exec_enforces_glob_deny_read_policy() -> Result<()> {
    skip_if_sandbox!(Ok(()));

    let server = start_mock_server().await;
-    let read_only_policy = SandboxPolicy::new_read_only_policy();
-    let read_only_policy_for_config = read_only_policy.clone();
    let mut builder = test_codex().with_config(move |config| {
        config
            .features
            .enable(Feature::UnifiedExec)
            .expect("test config should allow feature update");
-        config
-            .set_legacy_sandbox_policy(read_only_policy_for_config)
-            .expect("set sandbox policy");
        let mut file_system_sandbox_policy = FileSystemSandboxPolicy::default();
        file_system_sandbox_policy
            .entries
@@ -2828,6 +2824,8 @@ async fn unified_exec_enforces_glob_deny_read_policy() -> Result<()> {
    let request_log = mount_sse_sequence(&server, responses).await;

    let session_model = session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(session_configured.permission_profile.clone(), cwd.path());
    codex
        .submit(Op::UserTurn {
            environments: None,
@@ -2839,8 +2837,8 @@ async fn unified_exec_enforces_glob_deny_read_policy() -> Result<()> {
            cwd: cwd.path().to_path_buf(),
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: read_only_policy,
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -2957,6 +2955,8 @@ async fn unified_exec_python_prompt_under_seatbelt() -> Result<()> {
    let request_log = mount_sse_sequence(&server, responses).await;

    let session_model = session_configured.model.clone();
+    let (sandbox_policy, permission_profile) =
+        turn_permission_fields(PermissionProfile::read_only(), cwd.path());

    codex
        .submit(Op::UserTurn {
@@ -2969,8 +2969,8 @@ async fn unified_exec_python_prompt_under_seatbelt() -> Result<()> {
            cwd: cwd.path().to_path_buf(),
            approval_policy: AskForApproval::Never,
            approvals_reviewer: None,
-            sandbox_policy: SandboxPolicy::new_read_only_policy(),
-            permission_profile: None,
+            sandbox_policy,
+            permission_profile,
            model: session_model,
            effort: None,
            summary: None,
@@ -3053,12 +3053,7 @@ async fn unified_exec_runs_on_all_platforms() -> Result<()> {
    ];
    let request_log = mount_sse_sequence(&server, responses).await;

-    submit_unified_exec_turn(
-        &test,
-        "summarize large output",
-        SandboxPolicy::DangerFullAccess,
-    )
-    .await?;
+    submit_unified_exec_turn(&test, "summarize large output", PermissionProfile::Disabled).await?;

    wait_for_event(&test.codex, |event| {
        matches!(event, EventMsg::TurnComplete(_))
@@ -3176,7 +3171,7 @@ async fn unified_exec_prunes_exited_sessions_first() -> Result<()> {
    let response_mock =
        mount_sse_sequence(&server, vec![first_response, completion_response]).await;

-    submit_unified_exec_turn(&test, "fill session cache", SandboxPolicy::DangerFullAccess).await?;
+    submit_unified_exec_turn(&test, "fill session cache", PermissionProfile::Disabled).await?;

    wait_for_event(&test.codex, |event| {
        matches!(event, EventMsg::TurnComplete(_))
--- a/codex-rs/exec/tests/suite/sandbox.rs
+++ b/codex-rs/exec/tests/suite/sandbox.rs
@@ -1,6 +1,7 @@
 #![cfg(unix)]
 use codex_core::spawn::StdioPolicy;
-use codex_protocol::protocol::SandboxPolicy;
+use codex_protocol::models::PermissionProfile;
+use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use codex_utils_absolute_path::test_support::PathBufExt;
 use std::collections::HashMap;
@@ -14,7 +15,7 @@ use tokio::process::Child;
 async fn spawn_command_under_sandbox(
    command: Vec<String>,
    command_cwd: AbsolutePathBuf,
-    sandbox_policy: &SandboxPolicy,
+    permission_profile: &PermissionProfile,
    sandbox_cwd: &AbsolutePathBuf,
    stdio_policy: StdioPolicy,
    env: HashMap<String, String>,
@@ -24,7 +25,6 @@ async fn spawn_command_under_sandbox(
    use codex_core::exec::build_exec_request;
    use codex_core::sandboxing::SandboxPermissions;
    use codex_protocol::config_types::WindowsSandboxLevel;
-    use codex_protocol::models::PermissionProfile;
    use std::process::Stdio;

    let codex_linux_sandbox_exe = None;
@@ -42,7 +42,7 @@ async fn spawn_command_under_sandbox(
            justification: None,
            arg0: None,
        },
-        &PermissionProfile::from_legacy_sandbox_policy(sandbox_policy),
+        permission_profile,
        sandbox_cwd,
        &codex_linux_sandbox_exe,
        /*use_legacy_landlock*/ false,
@@ -83,22 +83,20 @@ async fn spawn_command_under_sandbox(
 async fn spawn_command_under_sandbox(
    command: Vec<String>,
    command_cwd: AbsolutePathBuf,
-    sandbox_policy: &SandboxPolicy,
+    permission_profile: &PermissionProfile,
    sandbox_cwd: &AbsolutePathBuf,
    stdio_policy: StdioPolicy,
    env: HashMap<String, String>,
 ) -> std::io::Result<Child> {
    use codex_core::spawn_command_under_linux_sandbox;
-    use codex_protocol::models::PermissionProfile;

    let codex_linux_sandbox_exe = core_test_support::find_codex_linux_sandbox_exe()
        .map_err(|err| io::Error::new(io::ErrorKind::NotFound, err))?;
-    let permission_profile = PermissionProfile::from_legacy_sandbox_policy(sandbox_policy);
    spawn_command_under_linux_sandbox(
        codex_linux_sandbox_exe,
        command,
        command_cwd,
-        &permission_profile,
+        permission_profile,
        sandbox_cwd,
        /*use_legacy_landlock*/ false,
        stdio_policy,
@@ -118,9 +116,16 @@ async fn spawn_command_under_sandbox(
 async fn linux_sandbox_test_env() -> Option<HashMap<String, String>> {
    let command_cwd = AbsolutePathBuf::current_dir().ok()?;
    let sandbox_cwd = command_cwd.clone();
-    let policy = SandboxPolicy::new_read_only_policy();
+    let permission_profile = PermissionProfile::read_only();

-    if can_apply_linux_sandbox_policy(&policy, &command_cwd, &sandbox_cwd, HashMap::new()).await {
+    if can_apply_linux_sandbox_policy(
+        &permission_profile,
+        &command_cwd,
+        &sandbox_cwd,
+        HashMap::new(),
+    )
+    .await
+    {
        return Some(HashMap::new());
    }

@@ -135,7 +140,7 @@ async fn linux_sandbox_test_env() -> Option<HashMap<String, String>> {
 /// This is used as a capability probe so sandbox behavior tests only run when
 /// Landlock enforcement is actually active.
 async fn can_apply_linux_sandbox_policy(
-    policy: &SandboxPolicy,
+    permission_profile: &PermissionProfile,
    command_cwd: &AbsolutePathBuf,
    sandbox_cwd: &AbsolutePathBuf,
    env: HashMap<String, String>,
@@ -143,7 +148,7 @@ async fn can_apply_linux_sandbox_policy(
    let spawn_result = spawn_command_under_sandbox(
        vec!["/usr/bin/true".to_string()],
        command_cwd.clone(),
-        policy,
+        permission_profile,
        sandbox_cwd,
        StdioPolicy::RedirectForShellTool,
        env,
@@ -180,12 +185,12 @@ async fn python_multiprocessing_lock_works_under_sandbox() {
    #[cfg(target_os = "linux")]
    let writable_roots: Vec<AbsolutePathBuf> = vec!["/dev/shm".try_into().unwrap()];

-    let policy = SandboxPolicy::WorkspaceWrite {
-        writable_roots,
-        network_access: false,
-        exclude_tmpdir_env_var: false,
-        exclude_slash_tmp: false,
-    };
+    let permission_profile = PermissionProfile::workspace_write_with(
+        &writable_roots,
+        NetworkSandboxPolicy::Restricted,
+        /*exclude_tmpdir_env_var*/ false,
+        /*exclude_slash_tmp*/ false,
+    );

    let python_code = r#"import multiprocessing
 from multiprocessing import Lock, Process
@@ -210,7 +215,7 @@ if __name__ == '__main__':
            python_code.to_string(),
        ],
        command_cwd,
-        &policy,
+        &permission_profile,
        &sandbox_cwd,
        StdioPolicy::Inherit,
        sandbox_env,
@@ -242,7 +247,7 @@ async fn python_getpwuid_works_under_sandbox() {
        return;
    }

-    let policy = SandboxPolicy::new_read_only_policy();
+    let permission_profile = PermissionProfile::read_only();
    let command_cwd = AbsolutePathBuf::current_dir().expect("should be able to get current dir");
    let sandbox_cwd = command_cwd.clone();

@@ -253,7 +258,7 @@ async fn python_getpwuid_works_under_sandbox() {
            "import pwd, os; print(pwd.getpwuid(os.getuid()))".to_string(),
        ],
        command_cwd,
-        &policy,
+        &permission_profile,
        &sandbox_cwd,
        StdioPolicy::RedirectForShellTool,
        sandbox_env,
@@ -294,12 +299,12 @@ async fn sandbox_distinguishes_command_and_policy_cwds() {
    // Note writable_roots is empty: verify that `canonical_allowed_path` is
    // writable only because it is under the sandbox policy cwd, not because it
    // is under a writable root.
-    let policy = SandboxPolicy::WorkspaceWrite {
-        writable_roots: vec![],
-        network_access: false,
-        exclude_tmpdir_env_var: true,
-        exclude_slash_tmp: true,
-    };
+    let permission_profile = PermissionProfile::workspace_write_with(
+        &[],
+        NetworkSandboxPolicy::Restricted,
+        /*exclude_tmpdir_env_var*/ true,
+        /*exclude_slash_tmp*/ true,
+    );

    // Attempt to write inside the command cwd, which is outside of the sandbox policy cwd.
    let mut child = spawn_command_under_sandbox(
@@ -309,7 +314,7 @@ async fn sandbox_distinguishes_command_and_policy_cwds() {
            "echo forbidden > forbidden.txt".to_string(),
        ],
        command_root.clone(),
-        &policy,
+        &permission_profile,
        &canonical_sandbox_root,
        StdioPolicy::Inherit,
        sandbox_env.clone(),
@@ -340,7 +345,7 @@ async fn sandbox_distinguishes_command_and_policy_cwds() {
            canonical_allowed_path.to_string_lossy().into_owned(),
        ],
        command_root,
-        &policy,
+        &permission_profile,
        &canonical_sandbox_root,
        StdioPolicy::Inherit,
        sandbox_env,
@@ -375,12 +380,12 @@ async fn sandbox_blocks_first_time_dot_codex_creation() {
    create_dir_all(&repo_root).await.expect("mkdir repo");
    let dot_codex = repo_root.join(".codex");
    let config_toml = dot_codex.join("config.toml");
-    let policy = SandboxPolicy::WorkspaceWrite {
-        writable_roots: vec![],
-        network_access: false,
-        exclude_tmpdir_env_var: true,
-        exclude_slash_tmp: true,
-    };
+    let permission_profile = PermissionProfile::workspace_write_with(
+        &[],
+        NetworkSandboxPolicy::Restricted,
+        /*exclude_tmpdir_env_var*/ true,
+        /*exclude_slash_tmp*/ true,
+    );

    let mut child = spawn_command_under_sandbox(
        vec![
@@ -390,7 +395,7 @@ async fn sandbox_blocks_first_time_dot_codex_creation() {
                .to_string(),
        ],
        repo_root.clone(),
-        &policy,
+        &permission_profile,
        &repo_root,
        StdioPolicy::RedirectForShellTool,
        sandbox_env,
@@ -507,7 +512,7 @@ fn unix_sock_body() {
 async fn allow_unix_socketpair_recvfrom() {
    run_code_under_sandbox(
        "allow_unix_socketpair_recvfrom",
-        &SandboxPolicy::new_read_only_policy(),
+        &PermissionProfile::read_only(),
        || async { unix_sock_body() },
    )
    .await
@@ -519,7 +524,7 @@ const IN_SANDBOX_ENV_VAR: &str = "IN_SANDBOX";
 #[expect(clippy::expect_used)]
 pub async fn run_code_under_sandbox<F, Fut>(
    test_selector: &str,
-    policy: &SandboxPolicy,
+    permission_profile: &PermissionProfile,
    child_body: F,
 ) -> io::Result<Option<ExitStatus>>
 where
@@ -544,7 +549,7 @@ where
        let mut child = spawn_command_under_sandbox(
            cmds,
            command_cwd,
-            policy,
+            permission_profile,
            &sandbox_cwd,
            stdio_policy,
            HashMap::from([("IN_SANDBOX".into(), "1".into())]),
Author	SHA1	Message	Date
Michael Bolin	e28bb5c396	tests: use permission profiles in request permission suite	2026-04-30 03:01:06 -07:00
Michael Bolin	521cf5bdd4	tests: use permission profiles in unified exec suite	2026-04-30 03:01:06 -07:00
Michael Bolin	57094ee86d	core: use permission profiles in small read-only contexts	2026-04-30 03:01:06 -07:00
Michael Bolin	550adee585	exec tests: launch sandbox cases from permission profiles	2026-04-30 02:36:30 -07:00
Michael Bolin	200c83f7d7	tests: use permission profiles in suite turn submits	2026-04-30 02:36:30 -07:00
Michael Bolin	cfeaa5aab1	guardian: configure review session permissions directly	2026-04-30 02:36:30 -07:00