test: pin sandbox denial parity

Co-authored-by: Codex noreply@openai.com
2026-05-16 17:23:57 +00:00 · 2026-04-13 18:06:24 -07:00
parent 6bb928c598
commit 43f9300564
1 changed files with 50 additions and 0 deletions
--- a/codex-rs/sandboxing/src/violation_tests.rs
+++ b/codex-rs/sandboxing/src/violation_tests.rs
@@ -22,6 +22,56 @@ fn make_exec_output(
    }
 }

+#[test]
+fn preserves_legacy_boolean_denial_keywords() {
+    for keyword in [
+        "operation not permitted",
+        "permission denied",
+        "read-only file system",
+        "seccomp",
+        "sandbox",
+        "landlock",
+        "failed to write file",
+    ] {
+        let output = make_exec_output(/*exit_code*/ 1, "", keyword, "");
+
+        assert_eq!(
+            is_likely_sandbox_denied(SandboxType::LinuxSeccomp, &output),
+            true,
+            "{keyword}"
+        );
+    }
+}
+
+#[test]
+fn preserves_legacy_boolean_denial_ordering() {
+    let quick_reject_without_keyword =
+        make_exec_output(/*exit_code*/ 127, "", "command not found", "");
+    let quick_reject_with_keyword =
+        make_exec_output(/*exit_code*/ 127, "", "Permission denied", "");
+    let zero_exit_with_keyword =
+        make_exec_output(/*exit_code*/ 0, "", "Operation not permitted", "");
+    let non_sandbox_with_keyword =
+        make_exec_output(/*exit_code*/ 1, "", "Operation not permitted", "");
+
+    assert!(!is_likely_sandbox_denied(
+        SandboxType::LinuxSeccomp,
+        &quick_reject_without_keyword
+    ));
+    assert!(is_likely_sandbox_denied(
+        SandboxType::LinuxSeccomp,
+        &quick_reject_with_keyword
+    ));
+    assert!(!is_likely_sandbox_denied(
+        SandboxType::LinuxSeccomp,
+        &zero_exit_with_keyword
+    ));
+    assert!(!is_likely_sandbox_denied(
+        SandboxType::None,
+        &non_sandbox_with_keyword
+    ));
+}
+
 #[test]
 fn classifies_filesystem_violation_with_path() {
    let output = make_exec_output(