Trim PermissionRequest hook inputs

Keep PermissionRequest hook payloads focused on tool identity and the actionable command details. For Bash and exec_command hooks, plumb request justification into tool_input.description when present. For NetworkAccess hooks, pass the originating command and a network-access <domain> description instead of the old approval context envelope. Co-authored-by: Codex <noreply@openai.com>
2026-04-26 15:45:02 +00:00 · 2026-04-13 16:24:45 -07:00
parent 2563661366
commit 04294e0038
12 changed files with 83 additions and 321 deletions
--- a/codex-rs/hooks/schema/generated/permission-request.command.input.schema.json
+++ b/codex-rs/hooks/schema/generated/permission-request.command.input.schema.json
@@ -2,176 +2,29 @@
  "$schema": "http://json-schema.org/draft-07/schema#",
  "additionalProperties": false,
  "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    },
-    "FileSystemPermissions": {
-      "properties": {
-        "read": {
-          "items": {
-            "$ref": "#/definitions/AbsolutePathBuf"
-          },
-          "type": "array"
-        },
-        "write": {
-          "items": {
-            "$ref": "#/definitions/AbsolutePathBuf"
-          },
-          "type": "array"
-        }
-      },
-      "type": "object"
-    },
-    "NetworkApprovalProtocol": {
-      "enum": [
-        "http",
-        "https",
-        "socks5_tcp",
-        "socks5_udp"
-      ],
-      "type": "string"
-    },
-    "NetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "type": "object"
-    },
    "NullableString": {
      "type": [
        "string",
        "null"
      ]
    },
-    "PermissionProfile": {
-      "properties": {
-        "file_system": {
-          "$ref": "#/definitions/FileSystemPermissions"
-        },
-        "network": {
-          "$ref": "#/definitions/NetworkPermissions"
-        }
-      },
-      "type": "object"
-    },
-    "PermissionRequestApprovalAttempt": {
-      "enum": [
-        "initial",
-        "retry"
-      ],
-      "type": "string"
-    },
-    "PermissionRequestApprovalContext": {
-      "additionalProperties": false,
-      "properties": {
-        "attempt": {
-          "$ref": "#/definitions/PermissionRequestAttemptContext"
-        },
-        "justification": {
-          "type": "string"
-        },
-        "policy": {
-          "$ref": "#/definitions/PermissionRequestPolicyContext"
-        },
-        "resource": {
-          "$ref": "#/definitions/PermissionRequestResourceContext"
-        }
-      },
-      "required": [
-        "attempt",
-        "policy",
-        "resource"
-      ],
-      "type": "object"
-    },
-    "PermissionRequestAttemptContext": {
-      "additionalProperties": false,
-      "properties": {
-        "retryReason": {
-          "type": "string"
-        },
-        "stage": {
-          "$ref": "#/definitions/PermissionRequestApprovalAttempt"
-        }
-      },
-      "required": [
-        "stage"
-      ],
-      "type": "object"
-    },
-    "PermissionRequestPolicyContext": {
-      "additionalProperties": false,
-      "properties": {
-        "additionalPermissions": {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        "sandboxPermissions": {
-          "$ref": "#/definitions/SandboxPermissions"
-        }
-      },
-      "required": [
-        "sandboxPermissions"
-      ],
-      "type": "object"
-    },
-    "PermissionRequestResourceContext": {
-      "additionalProperties": false,
-      "properties": {
-        "host": {
-          "type": "string"
-        },
-        "protocol": {
-          "$ref": "#/definitions/NetworkApprovalProtocol"
-        }
-      },
-      "type": "object"
-    },
    "PermissionRequestToolInput": {
      "additionalProperties": false,
      "properties": {
        "command": {
          "type": "string"
+        },
+        "description": {
+          "type": "string"
        }
      },
      "required": [
        "command"
      ],
      "type": "object"
-    },
-    "SandboxPermissions": {
-      "description": "Controls the per-command sandbox override requested by a shell-like tool call.",
-      "oneOf": [
-        {
-          "description": "Run with the turn's configured sandbox policy unchanged.",
-          "enum": [
-            "use_default"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "Request to run outside the sandbox.",
-          "enum": [
-            "require_escalated"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "Request to stay in the sandbox while widening permissions for this command only.",
-          "enum": [
-            "with_additional_permissions"
-          ],
-          "type": "string"
-        }
-      ]
    }
  },
  "properties": {
-    "approval_context": {
-      "$ref": "#/definitions/PermissionRequestApprovalContext"
-    },
    "cwd": {
      "type": "string"
    },
@@ -214,7 +67,6 @@
    }
  },
  "required": [
-    "approval_context",
    "cwd",
    "hook_event_name",
    "model",