Send sandbox state through MCP tool metadata

[aaronl-openai]

Changes

Allows MCPs to opt in to receiving sandbox config info through _meta on model-initiated tool calls. This lets MCPs adhere to the thread's sandbox if they choose to.

Details

• Adds the codex/sandbox-state-meta experimental MCP capability.
• Tracks whether each MCP server advertises that capability.
• When a server opts in, codex-core injects the current SandboxState into model-initiated MCP tool-call request _meta.

Verification

• added an integration test for the capability

[bolinfest]

It would be good to have an integration test for this.

[bolinfest]

I should get rid of this, but I'll do that in a follow-up PR.

[bolinfest]

Can you add a docstring to explain what this capability does?

[bolinfest]

I should be able to remove this, as well.

[bolinfest]

SandboxState was introduced before we introduced PermissionProfile:

codex/codex-rs/protocol/src/models.rs

Lines 106 to 110 in d7f9d5c

	#[derive(Debug, Clone, Default, Eq, Hash, PartialEq, Serialize, Deserialize, JsonSchema, TS)]
	pub struct PermissionProfile {
	pub network: Option<NetworkPermissions>,
	pub file_system: Option<FileSystemPermissions>,
	}

I think we should be passing that instead (and update codex sandbox to take it).

Also, I don't think you need codex_linux_sandbox_exe, though you likely want the path to codex itself?

[aaronl-openai]

one thing I'm concerned about is that it looks like FileSystemSandboxPolicy/NetworkSandboxPolicy are more expressive than PermissionProfile. for example, FileSystemSandboxPolicy can give readwrite access to /some/folder except readonly access to /some/folder/readonly/, which I don't think we can express with PermissionProfile.

[bolinfest]

Sorry, yes, I'll fix this up once I merge #15914