Propagate runtime permission profiles#19849
Closed
evawong-oai wants to merge 1 commit into
Closed
Conversation
This was referenced Apr 27, 2026
05f4eb2 to
f23239c
Compare
fca3989 to
1bc0b13
Compare
2e4f779 to
774934a
Compare
2b511ae to
b0df7b1
Compare
774934a to
21cfe9c
Compare
b0df7b1 to
e76a989
Compare
21cfe9c to
4e95f07
Compare
e76a989 to
6c3c566
Compare
5f6cf03 to
a73dc93
Compare
6c3c566 to
669222a
Compare
a73dc93 to
f483023
Compare
a1666bf to
427c425
Compare
9d4f283 to
4db4407
Compare
427c425 to
5259804
Compare
4db4407 to
e8365c7
Compare
5259804 to
f9a5bc4
Compare
e8365c7 to
abc55be
Compare
f9a5bc4 to
e683055
Compare
evawong-oai
added a commit
that referenced
this pull request
Apr 28, 2026
## Summary Make FileSystemSandboxPolicy the semantic source of truth for project root metadata protection. Under writable roots, `.git`, `.codex`, and `.agents` stay protected unless user policy grants an explicit write rule for that metadata path. ## Scope 1. Add `protected_metadata_names` to `WritableRoot`. 2. Teach `FileSystemSandboxPolicy::can_write_path_with_cwd` to reject protected metadata writes under writable roots unless explicitly allowed. 3. Default workspace write profiles to protect `.git`, `.codex`, and `.agents`. 4. Add the Linux fallback setup needed before Linux enforcement lands later in the stack. ## Reviewer Focus 1. The policy decision belongs in FileSystemSandboxPolicy, not shell command parsing. 2. Legacy SandboxPolicy remains a compatibility projection, not the source of the new rule. 3. Explicit user write rules can still opt into these metadata paths. ## Stack 1. Policy primitive: this PR 2. macOS Seatbelt adapter: #19847 3. Shell preflight UX: #19848 4. Runtime profile propagation: #19849 5. Linux bubblewrap adapter: #19852 ## Validation 1. codex protocol permissions tests 2. formatting for codex protocol and codex linux sandbox 3. diff whitespace check
evawong-oai
added a commit
that referenced
this pull request
Apr 28, 2026
## Summary Translate FileSystemSandboxPolicy project root metadata carveouts into macOS Seatbelt rules. ## Scope 1. Thread protected metadata names into Seatbelt access roots. 2. Ask FileSystemSandboxPolicy whether each metadata carveout is writable. 3. Emit Seatbelt deny rules that block creating or replacing protected metadata names under writable roots. 4. Add coverage for first time metadata creation and read only carveouts. ## Reviewer Focus 1. This PR only covers the macOS sandbox adapter. 2. The policy decision comes from FileSystemSandboxPolicy. 3. Read only subpath carveouts and metadata protection checks should compose cleanly. ## Stack 1. Policy primitive: #19846 2. macOS Seatbelt adapter: this PR 3. Shell preflight UX: #19848 4. Runtime profile propagation: #19849 5. Linux bubblewrap adapter: #19852 ## Validation 1. formatting for codex sandboxing 2. codex sandboxing package tests
e683055 to
74f29c7
Compare
abc55be to
3eb844d
Compare
9fcd271 to
9ee9e1c
Compare
3eb844d to
a86cfa7
Compare
9ee9e1c to
8d29c35
Compare
a86cfa7 to
b8b87d1
Compare
8d29c35 to
35e30b8
Compare
b8b87d1 to
27a4413
Compare
35e30b8 to
321204f
Compare
27a4413 to
3465cc9
Compare
Oreoxp
pushed a commit
to Oreoxp/codex-cli
that referenced
this pull request
May 7, 2026
## Summary Make FileSystemSandboxPolicy the semantic source of truth for project root metadata protection. Under writable roots, `.git`, `.codex`, and `.agents` stay protected unless user policy grants an explicit write rule for that metadata path. ## Scope 1. Add `protected_metadata_names` to `WritableRoot`. 2. Teach `FileSystemSandboxPolicy::can_write_path_with_cwd` to reject protected metadata writes under writable roots unless explicitly allowed. 3. Default workspace write profiles to protect `.git`, `.codex`, and `.agents`. 4. Add the Linux fallback setup needed before Linux enforcement lands later in the stack. ## Reviewer Focus 1. The policy decision belongs in FileSystemSandboxPolicy, not shell command parsing. 2. Legacy SandboxPolicy remains a compatibility projection, not the source of the new rule. 3. Explicit user write rules can still opt into these metadata paths. ## Stack 1. Policy primitive: this PR 2. macOS Seatbelt adapter: openai#19847 3. Shell preflight UX: openai#19848 4. Runtime profile propagation: openai#19849 5. Linux bubblewrap adapter: openai#19852 ## Validation 1. codex protocol permissions tests 2. formatting for codex protocol and codex linux sandbox 3. diff whitespace check
Oreoxp
pushed a commit
to Oreoxp/codex-cli
that referenced
this pull request
May 7, 2026
## Summary Translate FileSystemSandboxPolicy project root metadata carveouts into macOS Seatbelt rules. ## Scope 1. Thread protected metadata names into Seatbelt access roots. 2. Ask FileSystemSandboxPolicy whether each metadata carveout is writable. 3. Emit Seatbelt deny rules that block creating or replacing protected metadata names under writable roots. 4. Add coverage for first time metadata creation and read only carveouts. ## Reviewer Focus 1. This PR only covers the macOS sandbox adapter. 2. The policy decision comes from FileSystemSandboxPolicy. 3. Read only subpath carveouts and metadata protection checks should compose cleanly. ## Stack 1. Policy primitive: openai#19846 2. macOS Seatbelt adapter: this PR 3. Shell preflight UX: openai#19848 4. Runtime profile propagation: openai#19849 5. Linux bubblewrap adapter: openai#19852 ## Validation 1. formatting for codex sandboxing 2. codex sandboxing package tests
AIALRA-0
pushed a commit
to AIALRA-0/codex-turn-engine
that referenced
this pull request
Jun 10, 2026
## Summary Make FileSystemSandboxPolicy the semantic source of truth for project root metadata protection. Under writable roots, `.git`, `.codex`, and `.agents` stay protected unless user policy grants an explicit write rule for that metadata path. ## Scope 1. Add `protected_metadata_names` to `WritableRoot`. 2. Teach `FileSystemSandboxPolicy::can_write_path_with_cwd` to reject protected metadata writes under writable roots unless explicitly allowed. 3. Default workspace write profiles to protect `.git`, `.codex`, and `.agents`. 4. Add the Linux fallback setup needed before Linux enforcement lands later in the stack. ## Reviewer Focus 1. The policy decision belongs in FileSystemSandboxPolicy, not shell command parsing. 2. Legacy SandboxPolicy remains a compatibility projection, not the source of the new rule. 3. Explicit user write rules can still opt into these metadata paths. ## Stack 1. Policy primitive: this PR 2. macOS Seatbelt adapter: openai#19847 3. Shell preflight UX: openai#19848 4. Runtime profile propagation: openai#19849 5. Linux bubblewrap adapter: openai#19852 ## Validation 1. codex protocol permissions tests 2. formatting for codex protocol and codex linux sandbox 3. diff whitespace check
AIALRA-0
pushed a commit
to AIALRA-0/codex-turn-engine
that referenced
this pull request
Jun 10, 2026
## Summary Translate FileSystemSandboxPolicy project root metadata carveouts into macOS Seatbelt rules. ## Scope 1. Thread protected metadata names into Seatbelt access roots. 2. Ask FileSystemSandboxPolicy whether each metadata carveout is writable. 3. Emit Seatbelt deny rules that block creating or replacing protected metadata names under writable roots. 4. Add coverage for first time metadata creation and read only carveouts. ## Reviewer Focus 1. This PR only covers the macOS sandbox adapter. 2. The policy decision comes from FileSystemSandboxPolicy. 3. Read only subpath carveouts and metadata protection checks should compose cleanly. ## Stack 1. Policy primitive: openai#19846 2. macOS Seatbelt adapter: this PR 3. Shell preflight UX: openai#19848 4. Runtime profile propagation: openai#19849 5. Linux bubblewrap adapter: openai#19852 ## Validation 1. formatting for codex sandboxing 2. codex sandboxing package tests
AIALRA-0
pushed a commit
to AIALRA-0/codex-turn-engine
that referenced
this pull request
Jun 10, 2026
## Summary Make FileSystemSandboxPolicy the semantic source of truth for project root metadata protection. Under writable roots, `.git`, `.codex`, and `.agents` stay protected unless user policy grants an explicit write rule for that metadata path. ## Scope 1. Add `protected_metadata_names` to `WritableRoot`. 2. Teach `FileSystemSandboxPolicy::can_write_path_with_cwd` to reject protected metadata writes under writable roots unless explicitly allowed. 3. Default workspace write profiles to protect `.git`, `.codex`, and `.agents`. 4. Add the Linux fallback setup needed before Linux enforcement lands later in the stack. ## Reviewer Focus 1. The policy decision belongs in FileSystemSandboxPolicy, not shell command parsing. 2. Legacy SandboxPolicy remains a compatibility projection, not the source of the new rule. 3. Explicit user write rules can still opt into these metadata paths. ## Stack 1. Policy primitive: this PR 2. macOS Seatbelt adapter: openai#19847 3. Shell preflight UX: openai#19848 4. Runtime profile propagation: openai#19849 5. Linux bubblewrap adapter: openai#19852 ## Validation 1. codex protocol permissions tests 2. formatting for codex protocol and codex linux sandbox 3. diff whitespace check
AIALRA-0
pushed a commit
to AIALRA-0/codex-turn-engine
that referenced
this pull request
Jun 10, 2026
## Summary Translate FileSystemSandboxPolicy project root metadata carveouts into macOS Seatbelt rules. ## Scope 1. Thread protected metadata names into Seatbelt access roots. 2. Ask FileSystemSandboxPolicy whether each metadata carveout is writable. 3. Emit Seatbelt deny rules that block creating or replacing protected metadata names under writable roots. 4. Add coverage for first time metadata creation and read only carveouts. ## Reviewer Focus 1. This PR only covers the macOS sandbox adapter. 2. The policy decision comes from FileSystemSandboxPolicy. 3. Read only subpath carveouts and metadata protection checks should compose cleanly. ## Stack 1. Policy primitive: openai#19846 2. macOS Seatbelt adapter: this PR 3. Shell preflight UX: openai#19848 4. Runtime profile propagation: openai#19849 5. Linux bubblewrap adapter: openai#19852 ## Validation 1. formatting for codex sandboxing 2. codex sandboxing package tests
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Propagate active runtime permission profiles through embedded turn start paths so platform sandbox adapters receive the current FileSystemSandboxPolicy.
Scope
Reviewer Focus
Stack
Validation