core tests: migrate zsh-fork permissions to profiles (#20034)

## Summary - Updates the zsh-fork test helper to configure `PermissionProfile` directly instead of constructing a legacy `SandboxPolicy`. - Sends permission-profile-backed turns from the skill approval zsh-fork tests so the runtime and request path exercise the canonical permissions model. - Leaves the broader approvals suite on legacy policies for now, except for the zsh-fork test that shares this helper. ## Verification - `cargo check -p codex-core --tests` - `just fmt`
2026-05-03 02:46:39 +00:00 · 2026-04-28 17:15:58 -07:00
parent 1ea90410e1
commit 026df712cc
3 changed files with 56 additions and 33 deletions
--- a/codex-rs/core/tests/common/zsh_fork.rs
+++ b/codex-rs/core/tests/common/zsh_fork.rs
@@ -5,8 +5,9 @@ use anyhow::Result;
 use codex_core::config::Config;
 use codex_core::config::Constrained;
 use codex_features::Feature;
+use codex_protocol::models::PermissionProfile;
+use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_protocol::protocol::AskForApproval;
-use codex_protocol::protocol::SandboxPolicy;

 use crate::test_codex::TestCodex;
 use crate::test_codex::test_codex;
@@ -22,7 +23,7 @@ impl ZshForkRuntime {
        &self,
        config: &mut Config,
        approval_policy: AskForApproval,
-        sandbox_policy: SandboxPolicy,
+        permission_profile: PermissionProfile,
    ) {
        config
            .features
@@ -37,18 +38,19 @@ impl ZshForkRuntime {
        config.permissions.allow_login_shell = false;
        config.permissions.approval_policy = Constrained::allow_any(approval_policy);
        config
-            .set_legacy_sandbox_policy(sandbox_policy)
-            .expect("set sandbox policy");
+            .permissions
+            .set_permission_profile(permission_profile)
+            .expect("set permission profile");
    }
 }

-pub fn restrictive_workspace_write_policy() -> SandboxPolicy {
-    SandboxPolicy::WorkspaceWrite {
-        writable_roots: Vec::new(),
-        network_access: false,
-        exclude_tmpdir_env_var: true,
-        exclude_slash_tmp: true,
-    }
+pub fn restrictive_workspace_write_profile() -> PermissionProfile {
+    PermissionProfile::workspace_write_with(
+        &[],
+        NetworkSandboxPolicy::Restricted,
+        /*exclude_tmpdir_env_var*/ true,
+        /*exclude_slash_tmp*/ true,
+    )
 }

 pub fn zsh_fork_runtime(test_name: &str) -> Result<Option<ZshForkRuntime>> {
@@ -78,7 +80,7 @@ pub async fn build_zsh_fork_test<F>(
    server: &wiremock::MockServer,
    runtime: ZshForkRuntime,
    approval_policy: AskForApproval,
-    sandbox_policy: SandboxPolicy,
+    permission_profile: PermissionProfile,
    pre_build_hook: F,
 ) -> Result<TestCodex>
 where
@@ -87,7 +89,7 @@ where
    let mut builder = test_codex()
        .with_pre_build_hook(pre_build_hook)
        .with_config(move |config| {
-            runtime.apply_to_config(config, approval_policy, sandbox_policy);
+            runtime.apply_to_config(config, approval_policy, permission_profile);
        });
    builder.build(server).await
 }