turn-context: stop writing legacy sandbox policy

2026-06-01 19:02:59 +00:00 · 2026-04-30 07:06:47 -07:00
parent 607dac40f8
commit 7a367c3db7
10 changed files with 46 additions and 64 deletions
--- a/codex-rs/protocol/src/protocol.rs
+++ b/codex-rs/protocol/src/protocol.rs
@@ -2856,7 +2856,8 @@ pub struct TurnContextItem {
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub timezone: Option<String>,
    pub approval_policy: AskForApproval,
-    pub sandbox_policy: SandboxPolicy,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub sandbox_policy: Option<SandboxPolicy>,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub permission_profile: Option<PermissionProfile>,
    #[serde(skip_serializing_if = "Option::is_none")]
@@ -2886,17 +2887,22 @@ pub struct TurnContextItem {
 impl TurnContextItem {
    pub fn permission_profile(&self) -> PermissionProfile {
        self.permission_profile.clone().unwrap_or_else(|| {
+            let Some(sandbox_policy) = self.sandbox_policy.as_ref() else {
+                panic!(
+                    "turn context item must contain permission_profile or legacy sandbox_policy"
+                );
+            };
            let file_system_sandbox_policy =
                self.file_system_sandbox_policy.clone().unwrap_or_else(|| {
                    FileSystemSandboxPolicy::from_legacy_sandbox_policy_for_cwd(
-                        &self.sandbox_policy,
+                        sandbox_policy,
                        &self.cwd,
                    )
                });
            PermissionProfile::from_runtime_permissions_with_enforcement(
-                SandboxEnforcement::from_legacy_sandbox_policy(&self.sandbox_policy),
+                SandboxEnforcement::from_legacy_sandbox_policy(sandbox_policy),
                &file_system_sandbox_policy,
-                NetworkSandboxPolicy::from(&self.sandbox_policy),
+                NetworkSandboxPolicy::from(sandbox_policy),
            )
        })
    }
@@ -5101,7 +5107,7 @@ mod tests {
            current_date: None,
            timezone: None,
            approval_policy: AskForApproval::Never,
-            sandbox_policy: SandboxPolicy::DangerFullAccess,
+            sandbox_policy: Some(SandboxPolicy::DangerFullAccess),
            permission_profile: None,
            network: Some(TurnContextNetworkItem {
                allowed_domains: vec!["api.example.com".to_string()],