clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-05-02 18:37:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

permissions: store only constrained permission profiles (#19735)

Browse Source
This commit is contained in:
Michael Bolin
2026-04-26 20:59:58 -07:00
committed by GitHub
parent 8033b6a449
commit 0ccd659b4b
32 changed files with 242 additions and 215 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
codex-rs/core/tests/suite/approvals.rs
View File

@@ -1727,7 +1727,9 @@ async fn run_scenario(scenario: &ScenarioSpec) -> Result<()> {
let mut builder = test_codex().with_model(model).with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy.clone());
config
.set_legacy_sandbox_policy(sandbox_policy.clone())
.expect("set sandbox policy");
for feature in features {
config
.features
@@ -1854,7 +1856,9 @@ async fn approving_apply_patch_for_session_skips_future_prompts_for_same_file()
.with_model("gpt-5.4")
.with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config.approvals_reviewer = ApprovalsReviewer::User;
});
let test = builder.build(&server).await?;
@@ -1962,7 +1966,9 @@ async fn approving_execpolicy_amendment_persists_policy_and_skips_future_prompts
let sandbox_policy_for_config = sandbox_policy.clone();
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
});
let test = builder.build(&server).await?;
let allow_prefix_path = test.cwd.path().join("allow-prefix.txt");
@@ -2133,7 +2139,9 @@ async fn spawned_subagent_execpolicy_amendment_propagates_to_parent_session() ->
let sandbox_policy_for_config = sandbox_policy.clone();
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::Collab)
@@ -2394,7 +2402,9 @@ async fn invalid_requested_prefix_rule_falls_back_for_compound_command() -> Resu
let sandbox_policy_for_config = sandbox_policy.clone();
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
});
let test = builder.build(&server).await?;
@@ -2445,7 +2455,9 @@ async fn approving_fallback_rule_for_compound_command_works() -> Result<()> {
let sandbox_policy_for_config = sandbox_policy.clone();
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
});
let test = builder.build(&server).await?;
@@ -2580,7 +2592,9 @@ allow_local_binding = true
let sandbox_policy_for_config = sandbox_policy.clone();
let mut builder = test_codex().with_home(home).with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
let layers = config
.config_layer_stack
.get_layers(
@@ -3030,7 +3044,9 @@ async fn compound_command_with_one_safe_command_still_requires_approval() -> Res
let sandbox_policy_for_config = sandbox_policy.clone();
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
});
let test = builder.build(&server).await?;