Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 1 addition & 4 deletions codex-rs/analytics/src/analytics_client_tests.rs
Original file line number Diff line number Diff line change
Expand Up @@ -138,7 +138,6 @@ use codex_protocol::protocol::AskForApproval;
use codex_protocol::protocol::HookEventName;
use codex_protocol::protocol::HookRunStatus;
use codex_protocol::protocol::HookSource;
use codex_protocol::protocol::SandboxPolicy;
use codex_protocol::protocol::SessionSource;
use codex_protocol::protocol::SubAgentSource;
use codex_protocol::protocol::ThreadSource;
Expand Down Expand Up @@ -367,9 +366,7 @@ fn sample_turn_resolved_config(thread_id: &str, turn_id: &str) -> TurnResolvedCo
session_source: SessionSource::Exec,
model: "gpt-5".to_string(),
model_provider: "openai".to_string(),
permission_profile: CorePermissionProfile::from_legacy_sandbox_policy(
&SandboxPolicy::new_read_only_policy(),
),
permission_profile: CorePermissionProfile::read_only(),
permission_profile_cwd: PathBuf::from("/tmp"),
reasoning_effort: None,
reasoning_summary: None,
Expand Down
71 changes: 25 additions & 46 deletions codex-rs/config/src/config_requirements.rs
Original file line number Diff line number Diff line change
Expand Up @@ -1255,8 +1255,7 @@ mod tests {
use codex_execpolicy::Decision;
use codex_execpolicy::Evaluation;
use codex_execpolicy::RuleMatch;
use codex_protocol::protocol::NetworkAccess;
use codex_protocol::protocol::SandboxPolicy;
use codex_protocol::permissions::NetworkSandboxPolicy;
use codex_utils_absolute_path::AbsolutePathBuf;
use codex_utils_absolute_path::AbsolutePathBufGuard;
use pretty_assertions::assert_eq;
Expand All @@ -1272,10 +1271,6 @@ mod tests {
)?)
}

fn profile_from_sandbox_policy(sandbox_policy: &SandboxPolicy) -> PermissionProfile {
PermissionProfile::from_legacy_sandbox_policy(sandbox_policy)
}

fn with_unknown_source(toml: ConfigRequirementsToml) -> ConfigRequirementsWithSources {
let ConfigRequirementsToml {
allowed_approval_policies,
Expand Down Expand Up @@ -1963,9 +1958,7 @@ allowed_approvals_reviewers = ["user"]
assert_eq!(
requirements
.permission_profile
.can_set(&profile_from_sandbox_policy(
&SandboxPolicy::DangerFullAccess,
)),
.can_set(&PermissionProfile::Disabled),
Err(ConstraintError::InvalidValue {
field_name: "sandbox_mode",
candidate: "DangerFullAccess".into(),
Expand Down Expand Up @@ -2110,9 +2103,7 @@ allowed_approvals_reviewers = ["user"]
assert!(
requirements
.permission_profile
.can_set(&profile_from_sandbox_policy(
&SandboxPolicy::new_read_only_policy()
))
.can_set(&PermissionProfile::read_only())
.is_ok()
);

Expand Down Expand Up @@ -2195,29 +2186,25 @@ allowed_approvals_reviewers = ["user"]
assert!(
requirements
.permission_profile
.can_set(&profile_from_sandbox_policy(
&SandboxPolicy::new_read_only_policy()
))
.can_set(&PermissionProfile::read_only())
.is_ok()
);
let workspace_write_policy = SandboxPolicy::WorkspaceWrite {
writable_roots: vec![AbsolutePathBuf::from_absolute_path(root)?],
network_access: false,
exclude_tmpdir_env_var: false,
exclude_slash_tmp: false,
};
let workspace_write_profile = PermissionProfile::workspace_write_with(
&[AbsolutePathBuf::from_absolute_path(root)?],
NetworkSandboxPolicy::Restricted,
/*exclude_tmpdir_env_var*/ false,
/*exclude_slash_tmp*/ false,
);
assert!(
requirements
.permission_profile
.can_set(&profile_from_sandbox_policy(&workspace_write_policy))
.can_set(&workspace_write_profile)
.is_ok()
);
assert_eq!(
requirements
.permission_profile
.can_set(&profile_from_sandbox_policy(
&SandboxPolicy::DangerFullAccess,
)),
.can_set(&PermissionProfile::Disabled),
Err(ConstraintError::InvalidValue {
field_name: "sandbox_mode",
candidate: "DangerFullAccess".into(),
Expand All @@ -2228,11 +2215,9 @@ allowed_approvals_reviewers = ["user"]
assert_eq!(
requirements
.permission_profile
.can_set(&profile_from_sandbox_policy(
&SandboxPolicy::ExternalSandbox {
network_access: NetworkAccess::Restricted,
}
)),
.can_set(&PermissionProfile::External {
network: NetworkSandboxPolicy::Restricted,
}),
Err(ConstraintError::InvalidValue {
field_name: "sandbox_mode",
candidate: "ExternalSandbox".into(),
Expand Down Expand Up @@ -2313,24 +2298,22 @@ allowed_approvals_reviewers = ["user"]

let requirements = ConfigRequirements::try_from(requirements_with_sources)?;
let root = if cfg!(windows) { "C:\\repo" } else { "/repo" };
let workspace_write_policy = SandboxPolicy::WorkspaceWrite {
writable_roots: vec![AbsolutePathBuf::from_absolute_path(root)?],
network_access: false,
exclude_tmpdir_env_var: false,
exclude_slash_tmp: false,
};
let workspace_write_profile = PermissionProfile::workspace_write_with(
&[AbsolutePathBuf::from_absolute_path(root)?],
NetworkSandboxPolicy::Restricted,
/*exclude_tmpdir_env_var*/ false,
/*exclude_slash_tmp*/ false,
);
assert!(
requirements
.permission_profile
.can_set(&profile_from_sandbox_policy(&workspace_write_policy))
.can_set(&workspace_write_profile)
.is_ok()
);
assert_eq!(
requirements
.permission_profile
.can_set(&profile_from_sandbox_policy(
&SandboxPolicy::DangerFullAccess,
)),
.can_set(&PermissionProfile::Disabled),
Err(ConstraintError::InvalidValue {
field_name: "sandbox_mode",
candidate: "DangerFullAccess".into(),
Expand Down Expand Up @@ -2361,9 +2344,7 @@ allowed_approvals_reviewers = ["user"]
assert_eq!(
requirements
.permission_profile
.can_set(&profile_from_sandbox_policy(
&SandboxPolicy::DangerFullAccess,
)),
.can_set(&PermissionProfile::Disabled),
Err(ConstraintError::InvalidValue {
field_name: "sandbox_mode",
candidate: "DangerFullAccess".into(),
Expand Down Expand Up @@ -2402,9 +2383,7 @@ allowed_approvals_reviewers = ["user"]
assert_eq!(
requirements
.permission_profile
.can_set(&profile_from_sandbox_policy(
&SandboxPolicy::new_workspace_write_policy(),
)),
.can_set(&PermissionProfile::workspace_write()),
Err(ConstraintError::InvalidValue {
field_name: "sandbox_mode",
candidate: "WorkspaceWrite".into(),
Expand Down
23 changes: 6 additions & 17 deletions codex-rs/core/src/config/config_loader_tests.rs
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@ use codex_protocol::config_types::TrustLevel;
use codex_protocol::config_types::WebSearchMode;
use codex_protocol::models::PermissionProfile;
use codex_protocol::protocol::AskForApproval;
use codex_protocol::protocol::SandboxPolicy;
use codex_utils_absolute_path::AbsolutePathBuf;
use pretty_assertions::assert_eq;
use std::collections::BTreeMap;
Expand Down Expand Up @@ -821,6 +820,7 @@ flag = false
async fn managed_preferences_expand_home_directory_in_workspace_write_roots() -> anyhow::Result<()>
{
use base64::Engine;
use codex_protocol::protocol::SandboxPolicy;

let Some(home) = dirs::home_dir() else {
return Ok(());
Expand Down Expand Up @@ -913,14 +913,7 @@ allowed_sandbox_modes = ["read-only"]
state
.requirements()
.permission_profile
.can_set(&PermissionProfile::from_legacy_sandbox_policy(
&SandboxPolicy::WorkspaceWrite {
writable_roots: Vec::new(),
network_access: false,
exclude_tmpdir_env_var: false,
exclude_slash_tmp: false,
},
))
.can_set(&PermissionProfile::workspace_write())
.is_err()
);

Expand Down Expand Up @@ -1233,11 +1226,9 @@ allowed_sandbox_modes = ["read-only"]
let config_requirements: ConfigRequirements = config_requirements_toml.try_into()?;

assert_eq!(
config_requirements.permission_profile.can_set(
&PermissionProfile::from_legacy_sandbox_policy(
&SandboxPolicy::new_workspace_write_policy()
)
),
config_requirements
.permission_profile
.can_set(&PermissionProfile::workspace_write()),
Err(ConstraintError::InvalidValue {
field_name: "sandbox_mode",
candidate: "WorkspaceWrite".into(),
Expand Down Expand Up @@ -1570,9 +1561,7 @@ async fn load_config_layers_applies_matching_remote_sandbox_config() -> anyhow::
layers
.requirements()
.permission_profile
.can_set(&PermissionProfile::from_legacy_sandbox_policy(
&SandboxPolicy::new_workspace_write_policy()
))
.can_set(&PermissionProfile::workspace_write())
.is_ok()
);

Expand Down
46 changes: 21 additions & 25 deletions codex-rs/core/src/config/config_tests.rs
Original file line number Diff line number Diff line change
Expand Up @@ -4303,8 +4303,7 @@ fn web_search_mode_disabled_overrides_legacy_request() {
#[test]
fn web_search_mode_for_turn_uses_preference_for_read_only() {
let web_search_mode = Constrained::allow_any(WebSearchMode::Cached);
let permission_profile =
PermissionProfile::from_legacy_sandbox_policy(&SandboxPolicy::new_read_only_policy());
let permission_profile = PermissionProfile::read_only();
let mode = resolve_web_search_mode_for_turn(&web_search_mode, &permission_profile);

assert_eq!(mode, WebSearchMode::Cached);
Expand Down Expand Up @@ -8926,29 +8925,26 @@ async fn derive_sandbox_policy_preserves_windows_downgrade_for_unsupported_fallb
let active_project = ProjectConfig {
trust_level: Some(TrustLevel::Trusted),
};
let constrained = Constrained::new(
PermissionProfile::from_legacy_sandbox_policy(&SandboxPolicy::new_workspace_write_policy()),
|candidate| {
if matches!(
candidate,
PermissionProfile::Managed {
file_system: ManagedFileSystemPermissions::Restricted { entries, .. },
..
} if entries
.iter()
.any(|entry| entry.access.can_write())
) {
Ok(())
} else {
Err(ConstraintError::InvalidValue {
field_name: "sandbox_mode",
candidate: format!("{candidate:?}"),
allowed: "[WorkspaceWrite]".to_string(),
requirement_source: RequirementSource::Unknown,
})
}
},
)?;
let constrained = Constrained::new(PermissionProfile::workspace_write(), |candidate| {
if matches!(
candidate,
PermissionProfile::Managed {
file_system: ManagedFileSystemPermissions::Restricted { entries, .. },
..
} if entries
.iter()
.any(|entry| entry.access.can_write())
) {
Ok(())
} else {
Err(ConstraintError::InvalidValue {
field_name: "sandbox_mode",
candidate: format!("{candidate:?}"),
allowed: "[WorkspaceWrite]".to_string(),
requirement_source: RequirementSource::Unknown,
})
}
})?;

let resolution = derive_legacy_sandbox_policy_for_test(
&cfg,
Expand Down
Loading
Loading