clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-05-02 10:26:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

permissions: store only constrained permission profiles (#19735)

Browse Source
This commit is contained in:
Michael Bolin
2026-04-26 20:59:58 -07:00
committed by GitHub
parent 8033b6a449
commit 0ccd659b4b
32 changed files with 242 additions and 215 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
codex-rs/core/tests/suite/request_permissions.rs
View File

@@ -324,7 +324,9 @@ async fn with_additional_permissions_requires_approval_under_on_request() -> Res
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::ExecPermissionApprovals)
@@ -419,7 +421,9 @@ async fn request_permissions_tool_is_auto_denied_when_granular_request_permissio
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::RequestPermissionsTool)
@@ -502,7 +506,9 @@ async fn relative_additional_permissions_resolve_against_tool_workdir() -> Resul
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::ExecPermissionApprovals)
@@ -603,7 +609,9 @@ async fn read_only_with_additional_permissions_does_not_widen_to_unrequested_cwd
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::ExecPermissionApprovals)
@@ -703,7 +711,9 @@ async fn read_only_with_additional_permissions_does_not_widen_to_unrequested_tmp
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::ExecPermissionApprovals)
@@ -802,7 +812,9 @@ async fn workspace_write_with_additional_permissions_can_write_outside_cwd() ->
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::ExecPermissionApprovals)
@@ -906,7 +918,9 @@ async fn with_additional_permissions_denied_approval_blocks_execution() -> Resul
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::ExecPermissionApprovals)
@@ -1011,7 +1025,9 @@ async fn request_permissions_grants_apply_to_later_exec_command_calls() -> Resul
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::ExecPermissionApprovals)
@@ -1135,7 +1151,9 @@ async fn request_permissions_preapprove_explicit_exec_permissions_outside_on_req
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::ExecPermissionApprovals)
@@ -1253,7 +1271,9 @@ async fn request_permissions_grants_apply_to_later_shell_command_calls() -> Resu
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::ExecPermissionApprovals)
@@ -1365,7 +1385,9 @@ async fn request_permissions_grants_apply_to_later_shell_command_calls_without_i
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::RequestPermissionsTool)
@@ -1477,7 +1499,9 @@ async fn partial_request_permissions_grants_do_not_preapprove_new_permissions()
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::ExecPermissionApprovals)
@@ -1641,7 +1665,9 @@ async fn request_permissions_grants_do_not_carry_across_turns() -> Result<()> {
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::ExecPermissionApprovals)
@@ -1754,7 +1780,9 @@ async fn request_permissions_session_grants_carry_across_turns() -> Result<()> {
let mut builder = test_codex().with_config(move |config| {
config.permissions.approval_policy = Constrained::allow_any(approval_policy);
config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
config
.set_legacy_sandbox_policy(sandbox_policy_for_config)
.expect("set sandbox policy");
config
.features
.enable(Feature::ExecPermissionApprovals)