Skip to content

feat: introduce Permissions#11633

Merged
bolinfest merged 1 commit intomainfrom
pr11633
Feb 12, 2026
Merged

feat: introduce Permissions#11633
bolinfest merged 1 commit intomainfrom
pr11633

Conversation

@bolinfest
Copy link
Collaborator

@bolinfest bolinfest commented Feb 12, 2026
edited
Loading

Why

We currently carry multiple permission-related concepts directly on Config for shell/unified-exec behavior (approval_policy, sandbox_policy, network, shell_environment_policy, windows_sandbox_mode).

Consolidating these into one in-memory struct makes permission handling easier to reason about and sets up the next step: supporting named permission profiles ([permissions.PROFILE_NAME]) without changing behavior now.

This change is mostly mechanical: it updates existing callsites to go through config.permissions, but it does not yet refactor those callsites to take a single Permissions value in places where multiple permission fields are still threaded separately.

This PR intentionally does not change the on-disk config.toml format yet and keeps compatibility with legacy config keys.

What Changed

  • Introduced Permissions in core/src/config/mod.rs.
  • Added Config::permissions and moved effective runtime permission fields under it:
    • approval_policy
    • sandbox_policy
    • network
    • shell_environment_policy
    • windows_sandbox_mode
  • Updated config loading/building so these effective values are still derived from the same existing config inputs and constraints.
  • Updated Windows sandbox helpers/resolution to read/write via permissions.
  • Threaded the new field through all permission consumers across core runtime, app-server, CLI/exec, TUI, and sandbox summary code.
  • Updated affected tests to reference config.permissions.*.
  • Renamed the struct/field from EffectivePermissions/effective_permissions to Permissions/permissions and aligned variable naming accordingly.

Verification

  • just fix -p codex-core -p codex-tui -p codex-cli -p codex-app-server -p codex-exec -p codex-utils-sandbox-summary
  • cargo build -p codex-core -p codex-tui -p codex-cli -p codex-app-server -p codex-exec -p codex-utils-sandbox-summary

@bolinfest bolinfest force-pushed the pr11633 branch 2 times, most recently from 937f1e0 to 1709179 Compare February 12, 2026 20:43
owenlin0
owenlin0 approved these changes Feb 12, 2026
View reviewed changes
codex-rs/core/src/config/mod.rs Outdated

/// Application configuration loaded from disk and merged with overrides.
#[derive(Debug, Clone, PartialEq)]
pub struct EffectivePermissions {
Copy link
Collaborator

@owenlin0 owenlin0 Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

naming nit: should we just call this Permissions? is the Effective part necessary?

@bolinfest bolinfest changed the title feat: introduce EffectivePermissions feat: introduce Permissions Feb 12, 2026
@bolinfest bolinfest force-pushed the pr11633 branch 2 times, most recently from 5032154 to d913a7a Compare February 12, 2026 22:17
@bolinfest bolinfest enabled auto-merge (squash) February 12, 2026 22:29
@bolinfest bolinfest disabled auto-merge February 12, 2026 22:42
@bolinfest bolinfest merged commit a4cc1a4 into main Feb 12, 2026
54 of 65 checks passed
@bolinfest bolinfest deleted the pr11633 branch February 12, 2026 22:42
@github-actions github-actions bot locked and limited conversation to collaborators Feb 12, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@owenlin0 owenlin0 owenlin0 approved these changes

@viyatb-oai viyatb-oai viyatb-oai approved these changes

@celia-oai celia-oai Awaiting requested review from celia-oai

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bolinfest @owenlin0 @viyatb-oai