app-server: accept permission profile overrides (#18279)

## Why `PermissionProfile` is becoming the canonical permissions shape shared by core and app-server. After app-server responses expose the active profile, clients need to be able to send that same shape back when starting, resuming, forking, or overriding a turn instead of translating through the legacy `sandbox`/`sandboxPolicy` shorthands. This still needs to preserve the existing requirements/platform enforcement model. A profile-shaped request can be downgraded or rejected by constraints, but the server should keep the user's elevated-access intent for project trust decisions. Turn-level profile overrides also need to retain existing read protections, including deny-read entries and bounded glob-scan metadata, so a permission override cannot accidentally drop configured protections such as `**/*.env = deny`. ## What changed - Adds optional `permissionProfile` request fields to `thread/start`, `thread/resume`, `thread/fork`, and `turn/start`. - Rejects ambiguous requests that specify both `permissionProfile` and the legacy `sandbox`/`sandboxPolicy` fields, including running-thread resume requests. - Converts profile-shaped overrides into core runtime filesystem/network permissions while continuing to derive the constrained legacy sandbox projection used by existing execution paths. - Preserves project-trust intent for profile overrides that are equivalent to workspace-write or full-access sandbox requests. - Preserves existing deny-read entries and `globScanMaxDepth` when applying turn-level `permissionProfile` overrides. - Updates app-server docs plus generated JSON/TypeScript schema fixtures and regression coverage. ## Verification - `cargo test -p codex-app-server-protocol schema_fixtures` - `cargo test -p codex-core session_configuration_apply_permission_profile_preserves_existing_deny_read_entries` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/18279). * #18288 * #18287 * #18286 * #18285 * #18284 * #18283 * #18282 * #18281 * #18280 * __->__ #18279
2026-05-01 09:56:37 +00:00 · 2026-04-22 13:34:33 -07:00
parent ed4def8286
commit 18a26d7bbc
46 changed files with 2425 additions and 59 deletions
--- a/codex-rs/core/tests/suite/prompt_caching.rs
+++ b/codex-rs/core/tests/suite/prompt_caching.rs
@@ -444,6 +444,7 @@ async fn overrides_turn_context_but_keeps_cached_prefix_and_key_constant() -> an
            approval_policy: Some(AskForApproval::Never),
            approvals_reviewer: None,
            sandbox_policy: Some(new_policy.clone()),
+            permission_profile: None,
            windows_sandbox_level: None,
            model: None,
            effort: Some(Some(ReasoningEffort::High)),
@@ -529,6 +530,7 @@ async fn override_before_first_turn_emits_environment_context() -> anyhow::Resul
            approval_policy: Some(AskForApproval::Never),
            approvals_reviewer: None,
            sandbox_policy: None,
+            permission_profile: None,
            windows_sandbox_level: None,
            model: Some("gpt-5.4".to_string()),
            effort: Some(Some(ReasoningEffort::Low)),