Skip to content

permissions: derive compatibility policies from profiles#19392

Merged
bolinfest merged 1 commit into
mainfrom
pr19392
Apr 26, 2026
Merged

permissions: derive compatibility policies from profiles#19392
bolinfest merged 1 commit into
mainfrom
pr19392

Conversation

@bolinfest

@bolinfest bolinfest commented Apr 24, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Why

After #19391, PermissionProfile and the split filesystem/network policies could still be stored in parallel. That creates drift risk: a profile can preserve deny globs, external enforcement, or split filesystem entries while a cached projection silently loses those details. This PR makes the profile the runtime source and derives compatibility views from it.

What Changed

  • Removes stored filesystem/network sandbox projections from Permissions and SessionConfiguration; their accessors now derive from the canonical PermissionProfile.
  • Derives legacy SandboxPolicy snapshots from profiles only where an older API still needs that field.
  • Updates MCP connection and elicitation state to track PermissionProfile instead of SandboxPolicy for auto-approval decisions.
  • Adds semantic filesystem-policy comparison so cwd changes can preserve richer profiles while still recognizing equivalent legacy projections independent of entry ordering.
  • Updates config/session tests to assert profile-derived projections instead of parallel stored fields.

Verification

  • cargo test -p codex-core direct_write_roots
  • cargo test -p codex-core runtime_roots_to_legacy_projection
  • cargo test -p codex-app-server requested_permissions_trust_project_uses_permission_profile_intent

Stack created with Sapling. Best reviewed with ReviewStack.

@bolinfest bolinfest requested a review from a team as a code owner April 24, 2026 16:02
This was referenced Apr 24, 2026
Merged
Merged
Merged
Merged
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Apr 24, 2026
View reviewed changes

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1ca956eb3b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/codex-mcp/src/mcp/mod.rs Outdated
@bolinfest bolinfest force-pushed the pr19392 branch 2 times, most recently from 62541d0 to 32a2927 Compare April 24, 2026 16:34
@bolinfest bolinfest force-pushed the pr19391 branch 2 times, most recently from 2ec2407 to e04981b Compare April 24, 2026 16:47
@bolinfest bolinfest force-pushed the pr19392 branch 2 times, most recently from 37ef901 to f805b17 Compare April 24, 2026 17:05
@bolinfest bolinfest force-pushed the pr19391 branch 2 times, most recently from bbddc8e to c4451a1 Compare April 24, 2026 17:18
@bolinfest bolinfest mentioned this pull request Apr 24, 2026
Merged
@bolinfest bolinfest force-pushed the pr19392 branch 2 times, most recently from 1b98ec5 to e8e9902 Compare April 24, 2026 19:09
viyatb-oai
viyatb-oai reviewed Apr 25, 2026
View reviewed changes
Comment thread codex-rs/core/src/session/session.rs
@bolinfest bolinfest force-pushed the pr19391 branch 2 times, most recently from 61bde65 to cdbbfa4 Compare April 25, 2026 16:17
@bolinfest bolinfest force-pushed the pr19392 branch 2 times, most recently from c8335d2 to f64334a Compare April 25, 2026 17:25
@bolinfest bolinfest force-pushed the pr19391 branch 2 times, most recently from 71ce357 to bb278c3 Compare April 25, 2026 22:28
@bolinfest bolinfest mentioned this pull request Apr 25, 2026
Merged
Base automatically changed from pr19391 to pr19604 April 25, 2026 22:46
@bolinfest bolinfest force-pushed the pr19604 branch 2 times, most recently from 708b6b7 to 8261305 Compare April 25, 2026 22:58
@bolinfest bolinfest mentioned this pull request Apr 25, 2026
Merged
This was referenced Apr 26, 2026
Open
Open
@Huynhthuongg Huynhthuongg mentioned this pull request Apr 26, 2026
Open
@bolinfest bolinfest mentioned this pull request Apr 26, 2026
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@viyatb-oai viyatb-oai viyatb-oai approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bolinfest @viyatb-oai