core tests: submit turns with permission profiles (#20010)

## Summary - Add `PermissionProfile`-based turn submission helpers to `core_test_support`, while keeping the legacy `SandboxPolicy` helper for tests that intentionally exercise legacy fallback behavior. - Switch the default `TestCodex::submit_turn()` path to send a real `PermissionProfile` plus the required legacy compatibility projection in `Op::UserTurn`. - Migrate straightforward app/search/shell/truncation tests from `SandboxPolicy::{DangerFullAccess, ReadOnly}` to `PermissionProfile::{Disabled, read_only}`. - Add a TUI compatibility projection helper for legacy app-server fields so non-legacy writable roots are preserved instead of being downgraded to read-only. - Fix remote start/resume/fork sandbox-mode projection to classify any managed profile with writable roots as workspace-write, not only profiles that can write `cwd`. - Reduce `SandboxPolicy` references in `codex-rs/core/tests` from 47 files to 41 files without changing production behavior. ## Testing - `cargo check -p codex-core --tests` - `cargo test -p codex-tui compatibility_profile_preserves_unbridgeable_write_roots` - `cargo test -p codex-tui sandbox_mode_preserves_non_cwd_write_roots_for_remote_sessions` - `just fmt` - `just fix -p core_test_support` - `just fix -p codex-core`
2026-05-02 10:26:45 +00:00 · 2026-04-28 16:01:40 -07:00
parent 2dbde94aa9
commit 891722849d
11 changed files with 354 additions and 118 deletions
--- a/codex-rs/core/tests/suite/web_search.rs
+++ b/codex-rs/core/tests/suite/web_search.rs
@@ -2,7 +2,7 @@

 use codex_features::Feature;
 use codex_protocol::config_types::WebSearchMode;
-use codex_protocol::protocol::SandboxPolicy;
+use codex_protocol::models::PermissionProfile;
 use core_test_support::responses;
 use core_test_support::responses::start_mock_server;
 use core_test_support::skip_if_no_network;
@@ -44,9 +44,9 @@ async fn web_search_mode_cached_sets_external_web_access_false() {
        .await
        .expect("create test Codex conversation");

-    test.submit_turn_with_policy(
+    test.submit_turn_with_permission_profile(
        "hello cached web search",
-        SandboxPolicy::new_read_only_policy(),
+        PermissionProfile::read_only(),
    )
    .await
    .expect("submit turn");
@@ -86,9 +86,9 @@ async fn web_search_mode_takes_precedence_over_legacy_flags() {
        .await
        .expect("create test Codex conversation");

-    test.submit_turn_with_policy(
+    test.submit_turn_with_permission_profile(
        "hello cached+live flags",
-        SandboxPolicy::new_read_only_policy(),
+        PermissionProfile::read_only(),
    )
    .await
    .expect("submit turn");
@@ -132,9 +132,9 @@ async fn web_search_mode_defaults_to_cached_when_features_disabled() {
        .await
        .expect("create test Codex conversation");

-    test.submit_turn_with_policy(
+    test.submit_turn_with_permission_profile(
        "hello default cached web search",
-        SandboxPolicy::new_read_only_policy(),
+        PermissionProfile::read_only(),
    )
    .await
    .expect("submit turn");
@@ -149,7 +149,7 @@ async fn web_search_mode_defaults_to_cached_when_features_disabled() {
 }

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn web_search_mode_updates_between_turns_with_sandbox_policy() {
+async fn web_search_mode_updates_between_turns_with_permission_profile() {
    skip_if_no_network!();

    let server = start_mock_server().await;
@@ -187,10 +187,10 @@ async fn web_search_mode_updates_between_turns_with_sandbox_policy() {
        .await
        .expect("create test Codex conversation");

-    test.submit_turn_with_policy("hello cached", SandboxPolicy::new_read_only_policy())
+    test.submit_turn_with_permission_profile("hello cached", PermissionProfile::read_only())
        .await
        .expect("submit first turn");
-    test.submit_turn_with_policy("hello live", SandboxPolicy::DangerFullAccess)
+    test.submit_turn_with_permission_profile("hello live", PermissionProfile::Disabled)
        .await
        .expect("submit second turn");

@@ -248,9 +248,9 @@ location = { country = "US", city = "New York", timezone = "America/New_York" }
        .await
        .expect("create test Codex conversation");

-    test.submit_turn_with_policy(
+    test.submit_turn_with_permission_profile(
        "hello configured web search",
-        SandboxPolicy::DangerFullAccess,
+        PermissionProfile::Disabled,
    )
    .await
    .expect("submit turn");