changes

2026-04-24 14:45:27 +00:00 · 2026-02-20 16:03:18 -08:00
parent d26641c5e7
commit 2d54e07c98
2 changed files with 18 additions and 4 deletions
--- a/codex-rs/core/src/sandboxing/mod.rs
+++ b/codex-rs/core/src/sandboxing/mod.rs
@@ -6,6 +6,8 @@ sandbox placement and transformation of portable CommandSpec into a
 ready‑to‑spawn environment.
 */

+pub(crate) mod policy_merge;
+
 use crate::exec::ExecExpiration;
 use crate::exec::ExecToolCallOutput;
 use crate::exec::SandboxType;
--- a/codex-rs/core/src/zsh_exec_bridge/mod.rs
+++ b/codex-rs/core/src/zsh_exec_bridge/mod.rs
@@ -21,6 +21,8 @@ use crate::protocol::ReviewDecision;
 #[cfg(unix)]
 use crate::sandboxing::SandboxPermissions;
 #[cfg(unix)]
+use crate::sandboxing::policy_merge::extend_sandbox_policy;
+#[cfg(unix)]
 use crate::tools::sandboxing::ExecApprovalRequirement;
 #[cfg(unix)]
 use anyhow::Context as _;
@@ -359,14 +361,24 @@ impl ZshExecBridge {
            *program = file.clone();
        }

-        // Collect skill-provided approval overlays that may add promptable prefix rules.
-        let overlay_prompt_prefixes = {
+        // Collect skill-provided approval overlays and any matching skill permission profile.
+        let (overlay_prompt_prefixes, matched_skill_permissions) = {
            let registry = turn
                .skill_prefix_permissions
                .read()
                .unwrap_or_else(std::sync::PoisonError::into_inner);
-            registry.keys().cloned().collect::<Vec<_>>()
+            let matched_skill_permissions = command_for_execpolicy
+                .first()
+                .and_then(|program| registry.get(std::slice::from_ref(program)).cloned());
+            let overlay_prompt_prefixes = registry.keys().cloned().collect::<Vec<_>>();
+            (overlay_prompt_prefixes, matched_skill_permissions)
        };
+        let effective_sandbox_policy = matched_skill_permissions.as_ref().map_or_else(
+            || turn.sandbox_policy.clone(),
+            |skill_permissions| {
+                extend_sandbox_policy(&turn.sandbox_policy, skill_permissions.sandbox_policy.get())
+            },
+        );

        // Ask exec policy whether this command can run, is forbidden, or needs approval.
        let exec_approval_requirement = session
@@ -376,7 +388,7 @@ impl ZshExecBridge {
                ExecApprovalRequest {
                    command: &command_for_execpolicy,
                    approval_policy: turn.approval_policy,
-                    sandbox_policy: &turn.sandbox_policy,
+                    sandbox_policy: &effective_sandbox_policy,
                    sandbox_permissions: SandboxPermissions::UseDefault,
                    prefix_rule: None,
                },