rename privileges to permissions

Dylan Hurd
2025-08-01 01:03:30 -07:00
parent cb49cef114
commit c07207a4cd
7 changed files with 30 additions and 30 deletions


@@ -1483,7 +1483,7 @@ async fn handle_response_item(
command: action.command,
workdir: action.working_directory,
timeout_ms: action.timeout_ms,
with_escalated_privileges: None,
with_escalated_permissions: None,
justification: None,
};
let effective_call_id = match (call_id, id) {
@@ -1570,7 +1570,7 @@ fn to_exec_params(params: ShellToolCallParams, sess: &Session) -> ExecParams {
cwd: sess.resolve_path(params.workdir.clone()),
timeout_ms: params.timeout_ms,
env: create_env(&sess.shell_environment_policy),
with_escalated_privileges: params.with_escalated_privileges,
with_escalated_permissions: params.with_escalated_permissions,
justification: params.justification,
}
}
@@ -1671,7 +1671,7 @@ async fn handle_container_exec_with_params(
cwd: cwd.clone(),
timeout_ms: params.timeout_ms,
env: HashMap::new(),
with_escalated_privileges: None,
with_escalated_permissions: None,
justification: None,
};
let safety = if *user_explicitly_approved_this_action {
@@ -1682,7 +1682,7 @@ async fn handle_container_exec_with_params(
assess_safety_for_untrusted_command(
sess.approval_policy,
&sess.sandbox_policy,
params.with_escalated_privileges.unwrap_or(false),
params.with_escalated_permissions.unwrap_or(false),
)
};
(
@@ -1699,7 +1699,7 @@ async fn handle_container_exec_with_params(
sess.approval_policy,
&sess.sandbox_policy,
&state.approved_commands,
params.with_escalated_privileges.unwrap_or(false),
params.with_escalated_permissions.unwrap_or(false),
)
};
let command_for_display = params.command.clone();


@@ -43,7 +43,7 @@ pub struct ExecParams {
pub cwd: PathBuf,
pub timeout_ms: Option<u64>,
pub env: HashMap<String, String>,
pub with_escalated_privileges: Option<bool>,
pub with_escalated_permissions: Option<bool>,
pub justification: Option<String>,
}
@@ -76,7 +76,7 @@ pub async fn process_exec_tool_call(
cwd,
timeout_ms,
env,
with_escalated_privileges: _,
with_escalated_permissions: _,
justification: _,
} = params;
let child = spawn_command_under_seatbelt(
@@ -95,7 +95,7 @@ pub async fn process_exec_tool_call(
cwd,
timeout_ms,
env,
with_escalated_privileges: _,
with_escalated_permissions: _,
justification: _,
} = params;
@@ -236,7 +236,7 @@ async fn exec(
cwd,
timeout_ms,
env,
with_escalated_privileges: _,
with_escalated_permissions: _,
justification: _,
}: ExecParams,
sandbox_policy: &SandboxPolicy,


@@ -183,7 +183,7 @@ pub struct ShellToolCallParams {
// The wire format uses `timeout`, which has ambiguous units, so we use
// `timeout_ms` as the field name so it is clear in code.
pub timeout_ms: Option<u64>,
pub with_escalated_privileges: Option<bool>,
pub with_escalated_permissions: Option<bool>,
pub justification: Option<String>,
}
@@ -297,19 +297,19 @@ mod tests {
command: vec!["ls".to_string(), "-l".to_string()],
workdir: Some("/tmp".to_string()),
timeout_ms: Some(1000),
with_escalated_privileges: None,
with_escalated_permissions: None,
justification: None,
},
params
);
}
#[test]
fn deserialize_shell_tool_call_params_with_escalated_privileges() {
fn deserialize_shell_tool_call_params_with_escalated_permissions() {
let json = r#"{
"command": ["ls", "-l"],
"workdir": "/tmp",
"timeout": 1000,
"with_escalated_privileges": true,
"with_escalated_permissions": true,
"justification": "I need internet access to run npm install"
}"#;
@@ -319,7 +319,7 @@ mod tests {
command: vec!["ls".to_string(), "-l".to_string()],
workdir: Some("/tmp".to_string()),
timeout_ms: Some(1000),
with_escalated_privileges: Some(true),
with_escalated_permissions: Some(true),
justification: Some("I need internet access to run npm install".to_string()),
},
params
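Review bot: Renaming the wire key on `ShellToolCallParams` means a tool call that still sends `with_escalated_privileges` no longer populates this field. Unless the struct is marked `deny_unknown_fields` (its attributes are outside the hunk), serde would drop the old key without an error and leave the field `None`. The callers shown elsewhere on this page use `.unwrap_or(false)`, so as far as the visible lines show the failure is in the safe direction: no escalation is requested. It is silent, though. If older clients or recorded sessions can still emit the old name, consider `#[serde(alias = "with_escalated_privileges")]` on the field, plus a test that deserializes the old key.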


@@ -149,15 +149,15 @@ fn create_shell_tool_for_sandbox(sandbox_policy: SandboxPolicy) -> OpenAiTool {
if sandbox_policy != SandboxPolicy::DangerFullAccess {
properties.insert(
"with_escalated_privileges".to_string(),
"with_escalated_permissions".to_string(),
JsonSchema::Boolean {
description: Some("Whether to request escalated privileges. Set to true if command needs to be run without sandbox restrictions".to_string()),
description: Some("Whether to request escalated permissions. Set to true if command needs to be run without sandbox restrictions".to_string()),
},
);
properties.insert(
"justification".to_string(),
JsonSchema::String {
description: Some("Only set if with_escalated_privileges is true. 1-sentence explanation of why we want to run this command.".to_string()),
description: Some("Only set if ask_for_escalated_permissions is true. 1-sentence explanation of why we want to run this command.".to_string()),
},
);
}
@@ -181,8 +181,8 @@ The shell tool is used to execute shell commands.
- cargo build
- cargo test
- When invoking a command that will require escalated privileges:
- Provide the with_escalated_privileges parameter with the boolean value true
- Include a short, 1 sentence explanation for why we need to run with_escalated_privileges."#,
- Provide the with_escalated_permissions parameter with the boolean value true
- Include a short, 1 sentence explanation for why we need to run with_escalated_permissions in the justification parameter."#,
if !network_access {
"\n - Commands that require network access\n"
} else {
@@ -196,9 +196,9 @@ The shell tool is used to execute shell commands.
SandboxPolicy::ReadOnly => {
r#"
The shell tool is used to execute shell commands.
IMPORTANT: If you are running the apply_patch command, you will need to provide the with_escalated_privileges parameter with the boolean value true.
IMPORTANT: If you are running the apply_patch command, you will need to provide the with_escalated_permissions parameter with the boolean value true.
- When invoking the shell tool, your call will be running in a landlock sandbox, and some shell commands (including apply_patch) will require escalated privileges:
- When invoking the shell tool, your call will be running in a landlock sandbox, and some shell commands (including apply_patch) will require escalated permissions:
- Types of actions that require escalated privileges:
- Reading files outside the current directory
- Writing files
@@ -210,8 +210,8 @@ IMPORTANT: If you are running the apply_patch command, you will need to provide
- cargo build
- cargo test
- When invoking a command that will require escalated privileges:
- Provide the with_escalated_privileges parameter with the boolean value true
- Include a short, 1 sentence explanation for why we need to run with_escalated_privileges."#.to_string()
- Provide the with_escalated_permissions parameter with the boolean value true
- Include a short, 1 sentence explanation for why we need to run with_escalated_permissions in the justification parameter"#.to_string()
}
};
@@ -312,7 +312,7 @@ mod tests {
let properties = tools_json[0]["parameters"]["properties"]
.as_object()
.unwrap();
assert!(!properties.contains_key("with_escalated_privileges"));
assert!(!properties.contains_key("with_escalated_permissions"));
assert!(!properties.contains_key("justification"));
}
@@ -332,7 +332,7 @@ mod tests {
let properties = tools_json[0]["parameters"]["properties"]
.as_object()
.unwrap();
assert!(properties.contains_key("with_escalated_privileges"));
assert!(properties.contains_key("with_escalated_permissions"));
assert!(properties.contains_key("justification"));
}
}
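Review bot: The new `justification` schema description refers to `ask_for_escalated_permissions`, but the property inserted just above it, and the prompt text in the later hunks, is `with_escalated_permissions`. The model-facing schema therefore names a parameter that does not exist. Change the line to `description: Some("Only set if with_escalated_permissions is true. 1-sentence explanation of why we want to run this command.".to_string()),`. The prompt strings in the following hunks also still say "escalated privileges" in `- When invoking a command that will require escalated privileges:` and `- Types of actions that require escalated privileges:`, which mixes the two terms. Because this text steers when the model asks to leave the sandbox, and the justification presumably feeds the approval prompt, the wording should use one name throughout.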


@@ -107,7 +107,7 @@ pub fn assess_command_safety(
pub(crate) fn assess_safety_for_untrusted_command(
approval_policy: AskForApproval,
sandbox_policy: &SandboxPolicy,
with_escalated_privileges: bool,
with_escalated_permissions: bool,
) -> SafetyCheck {
use AskForApproval::*;
use SandboxPolicy::*;
@@ -125,7 +125,7 @@ pub(crate) fn assess_safety_for_untrusted_command(
sandbox_type: SandboxType::None,
},
(OnRequest, ReadOnly) | (OnRequest, WorkspaceWrite { .. }) => {
if with_escalated_privileges {
if with_escalated_permissions {
SafetyCheck::AskUser
} else {
match get_platform_sandbox() {


@@ -215,7 +215,7 @@ mod tests {
"HOME".to_string(),
temp_home.path().to_str().unwrap().to_string(),
)]),
with_escalated_privileges: None,
with_escalated_permissions: None,
justification: None,
},
SandboxType::None,


@@ -44,7 +44,7 @@ async fn run_cmd(cmd: &[&str], writable_roots: &[PathBuf], timeout_ms: u64) {
cwd: std::env::current_dir().expect("cwd should exist"),
timeout_ms: Some(timeout_ms),
env: create_env_from_core_vars(),
with_escalated_privileges: None,
with_escalated_permissions: None,
justification: None,
};
@@ -139,7 +139,7 @@ async fn assert_network_blocked(cmd: &[&str]) {
// do not stall the suite.
timeout_ms: Some(NETWORK_TIMEOUT_MS),
env: create_env_from_core_vars(),
with_escalated_privileges: None,
with_escalated_permissions: None,
justification: None,
};