Propagate runtime permission profiles

2026-05-02 10:26:45 +00:00 · 2026-04-27 13:51:36 -07:00
parent 321204f3d0
commit 3465cc93a8
2 changed files with 116 additions and 21 deletions
--- a/codex-rs/tui/src/app/thread_routing.rs
+++ b/codex-rs/tui/src/app/thread_routing.rs
@@ -530,7 +530,7 @@ impl App {
                approval_policy,
                approvals_reviewer,
                sandbox_policy,
-                permission_profile,
+                permission_profile: _,
                model,
                effort,
                summary,
@@ -614,7 +614,10 @@ impl App {
                            approvals_reviewer
                                .unwrap_or(self.chat_widget.config_ref().approvals_reviewer),
                            sandbox_policy.clone(),
-                            permission_profile.clone(),
+                            runtime_permission_profile_for_turn_start(
+                                self.runtime_sandbox_policy_override.as_ref(),
+                                sandbox_policy,
+                            ),
                            model.to_string(),
                            effort,
                            *summary,
@@ -1482,3 +1485,47 @@ impl App {
        Ok(())
    }
 }
+
+fn runtime_permission_profile_for_turn_start(
+    runtime_sandbox_policy_override: Option<&SandboxPolicy>,
+    sandbox_policy: &SandboxPolicy,
+) -> Option<codex_protocol::models::PermissionProfile> {
+    runtime_sandbox_policy_override?;
+    match sandbox_policy {
+        SandboxPolicy::ExternalSandbox { .. } => None,
+        SandboxPolicy::ReadOnly { .. }
+        | SandboxPolicy::WorkspaceWrite { .. }
+        | SandboxPolicy::DangerFullAccess => Some(
+            codex_protocol::models::PermissionProfile::from_legacy_sandbox_policy(sandbox_policy),
+        ),
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use codex_protocol::protocol::SandboxPolicy;
+    use pretty_assertions::assert_eq;
+
+    #[test]
+    fn runtime_permission_profile_for_turn_start_only_when_sandbox_was_overridden() {
+        let sandbox_policy = SandboxPolicy::DangerFullAccess;
+
+        assert_eq!(
+            runtime_permission_profile_for_turn_start(
+                /*runtime_sandbox_policy_override*/ None,
+                &sandbox_policy,
+            ),
+            None
+        );
+
+        let profile =
+            runtime_permission_profile_for_turn_start(Some(&sandbox_policy), &sandbox_policy)
+                .expect("runtime sandbox override should send active permissions");
+
+        assert_eq!(
+            profile,
+            codex_protocol::models::PermissionProfile::from_legacy_sandbox_policy(&sandbox_policy)
+        );
+    }
+}