Show effective sandbox modes in /debug-config

[canvrno-oai]

Summary

• Render /debug-config's allowed_sandbox_modes from the finalized permission constraints instead of the raw requirements list.
• Add regression coverage for configured full-access and external sandbox modes being omitted when effective permissions reject them.

Details

allowed_sandbox_modes comes from managed requirements, but the final permissions can be further constrained by derived validation rules. For example, permissions.filesystem.deny_read requires sandbox enforcement, so modes that disable or externalize Codex's sandbox are not actually usable even if they were present in the raw requirements TOML.

The debug renderer now enumerates the configured sandbox-mode labels and keeps only those accepted by Config.permissions. That makes /debug-config reflect the same effective permission-profile constraint path used by runtime config validation, while preserving the existing source/provenance display.

Validation

• Added a regression test for effective sandbox-mode filtering in /debug-config.

[canvrno-oai]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: aef829d185

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[fcoury-oai]

I was able to review how /debug-config would read before and after this change and it works as expected.

I think the updated response seems to better reflect the actual current status.

Approved 👍