protocol: preserve glob scan depth in permission profiles

[bolinfest]

Why

#18274 made PermissionProfile the canonical file-system permissions shape, but the round-trip from FileSystemSandboxPolicy to PermissionProfile still dropped one piece of policy metadata: glob_scan_max_depth.

That field is security-relevant for deny-read globs such as **/*.env. On Linux, bubblewrap sandbox construction uses it to bound unreadable glob expansion. If a profile copied from active runtime permissions loses this value and is submitted back as an override, the resulting FileSystemSandboxPolicy can behave differently even though the visible permission entries look equivalent.

What changed

• Add glob_scan_max_depth to protocol FileSystemPermissions and preserve it when converting to/from FileSystemSandboxPolicy.
• Keep legacy read/write JSON for simple path-only permissions, but force canonical JSON when glob scan depth is present so the metadata is not silently dropped.
• Carry globScanMaxDepth through app-server AdditionalFileSystemPermissions, generated JSON/TypeScript schemas, and app-server/TUI conversion call sites.
• Preserve the metadata through sandboxing permission normalization, merging, and intersection.
• Carry the merged scan depth into the effective FileSystemSandboxPolicy used for command execution, so bounded deny-read globs reach Linux bubblewrap materialization.

Verification

• cargo test -p codex-sandboxing glob_scan -- --nocapture
• cargo test -p codex-sandboxing policy_transforms -- --nocapture
• just fix -p codex-sandboxing

---

Stack created with Sapling. Best reviewed with ReviewStack.

• tests: isolate approval fixtures from host rules #18288
• shell-escalation: carry resolved permission profiles #18287
• mcp: include permission profiles in sandbox state #18286
• tui: carry permission profiles on user turns #18285
• tui: sync session permission profiles #18284
• app-server: accept command permission profiles #18283
• protocol: report session permission profiles #18282
• rollout: persist turn permission profiles #18281
• clients: send permission profiles to app-server #18280
• app-server: accept permission profile overrides #18279
• app-server: expose thread permission profiles #18278
• core: derive active permission profiles #18277
• exec-server: carry filesystem sandbox profiles #18276
• sandboxing: intersect permission profiles semantically #18275
• -> protocol: preserve glob scan depth in permission profiles #18713

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4ba4370b70

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Intersect glob scan depth with granted profile

intersect_permission_profiles filters entries against granted, but it always keeps requested_file_system.glob_scan_max_depth. When an approver returns a stricter depth (for example a larger depth, or None for unbounded scanning) the intersection result can become less restrictive than what was granted, so request_permissions_response_from_client_result may persist broader filesystem access than the client approved.

Useful? React with 👍 / 👎.