Skip to content

Feat: Preserve network access on read-only sandbox policies#13409

Merged
celia-oai merged 2 commits intomainfrom
dev/cc/merge-sandbox
Mar 4, 2026
Merged

Feat: Preserve network access on read-only sandbox policies#13409
celia-oai merged 2 commits intomainfrom
dev/cc/merge-sandbox

Conversation

@celia-oai
Copy link
Copy Markdown
Collaborator

@celia-oai celia-oai commented Mar 3, 2026
edited by bolinfest
Loading

Summary

PermissionProfile.network could not be preserved when additional or compiled permissions resolved to
SandboxPolicy::ReadOnly, because ReadOnly had no network_access field. This change makes read-only + network
enabled representable directly and threads that through the protocol, app-server v2 mirror, and permission-
merging logic.

What changed

  • Added network_access: bool to SandboxPolicy::ReadOnly in the core protocol and app-server v2 protocol.
  • Kept backward compatibility by defaulting the new field to false, so legacy read-only payloads still
    deserialize unchanged.
  • Updated has_full_network_access() and sandbox summaries to respect read-only network access.
  • Preserved PermissionProfile.network when:
    • compiling skill permission profiles into sandbox policies
    • normalizing additional permissions
    • merging additional permissions into existing sandbox policies
  • Updated the approval overlay to show network in the rendered permission rule when requested.
  • Regenerated app-server schema fixtures for the new v2 wire shape.

@celia-oai celia-oai changed the title Title: Preserve network access on read-only sandbox policies Feat: Preserve network access on read-only sandbox policies Mar 3, 2026
@celia-oai celia-oai marked this pull request as ready for review March 3, 2026 23:38
@github-actions github-actions bot mentioned this pull request Mar 4, 2026
Open
@celia-oai celia-oai force-pushed the dev/cc/merge-sandbox branch 3 times, most recently from adf0d51 to 24e0c67 Compare March 4, 2026 01:20
@celia-oai celia-oai force-pushed the dev/cc/merge-sandbox branch from 24e0c67 to 277998c Compare March 4, 2026 01:42
bolinfest
bolinfest reviewed Mar 4, 2026
View reviewed changes
@celia-oai celia-oai requested a review from bolinfest March 4, 2026 01:56
bolinfest
bolinfest reviewed Mar 4, 2026
View reviewed changes
@celia-oai celia-oai enabled auto-merge (squash) March 4, 2026 02:05
@github-actions github-actions bot mentioned this pull request Mar 4, 2026
Open
@celia-oai celia-oai merged commit e6773f8 into main Mar 4, 2026
54 of 57 checks passed
@celia-oai celia-oai deleted the dev/cc/merge-sandbox branch March 4, 2026 02:41
@github-actions github-actions bot locked and limited conversation to collaborators Mar 4, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@bolinfest bolinfest bolinfest approved these changes

@dylan-hurd-oai dylan-hurd-oai dylan-hurd-oai approved these changes

@owenlin0 owenlin0 Awaiting requested review from owenlin0

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@celia-oai @bolinfest @dylan-hurd-oai