POC - Configurable ReadAcess in WorkspaceWrite SandboxPolicy

2026-04-25 07:05:38 +00:00 · 2026-02-11 10:47:26 -08:00
parent d74fa8edd1
commit 04df7970fc
49 changed files with 1654 additions and 17 deletions
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
@@ -571,6 +571,9 @@
              "default": false,
              "type": "boolean"
            },
+            "readAccess": {
+              "$ref": "#/definitions/WorkspaceReadAccess"
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -1538,6 +1541,49 @@
          "type": "object"
        }
      ]
+    },
+    "WorkspaceReadAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullReadAccess"
+              ],
+              "title": "FullReadAccessWorkspaceReadAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullReadAccessWorkspaceReadAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restrictedReadAccess"
+              ],
+              "title": "RestrictedReadAccessWorkspaceReadAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadAccessWorkspaceReadAccess",
+          "type": "object"
+        }
+      ]
    }
  },
  "properties": {