with_escalated_permissions -> enum

2026-04-24 14:45:27 +00:00 · 2025-11-18 15:09:36 -08:00
parent 4560a7727e
commit a167bc630a
5 changed files with 44 additions and 18 deletions
--- a/codex-rs/core/src/command_safety/is_dangerous_command.rs
+++ b/codex-rs/core/src/command_safety/is_dangerous_command.rs
@@ -1,6 +1,8 @@
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::SandboxPolicy;

+use crate::sandboxing::SandboxPermissions;
+
 use crate::bash::parse_shell_lc_plain_commands;
 use crate::is_safe_command::is_known_safe_command;

@@ -8,7 +10,7 @@ pub fn requires_initial_appoval(
    policy: AskForApproval,
    sandbox_policy: &SandboxPolicy,
    command: &[String],
-    with_escalated_permissions: bool,
+    sandbox_permissions: SandboxPermissions,
 ) -> bool {
    if is_known_safe_command(command) {
        return false;
@@ -24,8 +26,7 @@ pub fn requires_initial_appoval(
            // In restricted sandboxes (ReadOnly/WorkspaceWrite), do not prompt for
            // non‑escalated, non‑dangerous commands — let the sandbox enforce
            // restrictions (e.g., block network/write) without a user prompt.
-            let wants_escalation: bool = with_escalated_permissions;
-            if wants_escalation {
+            if sandbox_permissions.requires_escalated_permissions() {
                return true;
            }
            command_might_be_dangerous(command)
--- a/codex-rs/core/src/exec_policy.rs
+++ b/codex-rs/core/src/exec_policy.rs
@@ -18,6 +18,7 @@ use tokio::io::AsyncWriteExt;
 use crate::bash::parse_shell_lc_plain_commands;
 use crate::features::Feature;
 use crate::features::Features;
+use crate::sandboxing::SandboxPermissions;
 use crate::tools::sandboxing::ApprovalRequirement;

 const FORBIDDEN_REASON: &str = "execpolicy forbids this command";
@@ -131,12 +132,12 @@ fn evaluate_with_policy(
    }
 }

-pub(crate) fn approval_requirement_for_command(
+pub(crate) fn create_approval_requirement_for_command(
    policy: &Policy,
    command: &[String],
    approval_policy: AskForApproval,
    sandbox_policy: &SandboxPolicy,
-    with_escalated_permissions: bool,
+    sandbox_permissions: SandboxPermissions,
 ) -> ApprovalRequirement {
    if let Some(requirement) = evaluate_with_policy(policy, command, approval_policy) {
        return requirement;
@@ -146,7 +147,7 @@ pub(crate) fn approval_requirement_for_command(
        approval_policy,
        sandbox_policy,
        command,
-        with_escalated_permissions,
+        sandbox_permissions,
    ) {
        ApprovalRequirement::NeedsApproval { reason: None }
    } else {
@@ -350,12 +351,12 @@ prefix_rule(pattern=["rm"], decision="forbidden")
        let policy = parser.build();
        let command = vec!["rm".to_string()];

-        let requirement = approval_requirement_for_command(
+        let requirement = create_approval_requirement_for_command(
            &policy,
            &command,
            AskForApproval::OnRequest,
            &SandboxPolicy::DangerFullAccess,
-            false,
+            SandboxPermissions::UseDefault,
        );

        assert_eq!(
@@ -376,12 +377,12 @@ prefix_rule(pattern=["rm"], decision="forbidden")
        let policy = parser.build();
        let command = vec!["rm".to_string()];

-        let requirement = approval_requirement_for_command(
+        let requirement = create_approval_requirement_for_command(
            &policy,
            &command,
            AskForApproval::Never,
            &SandboxPolicy::DangerFullAccess,
-            false,
+            SandboxPermissions::UseDefault,
        );

        assert_eq!(
@@ -397,12 +398,12 @@ prefix_rule(pattern=["rm"], decision="forbidden")
        let command = vec!["python".to_string()];

        let empty_policy = Policy::empty();
-        let requirement = approval_requirement_for_command(
+        let requirement = create_approval_requirement_for_command(
            &empty_policy,
            &command,
            AskForApproval::UnlessTrusted,
            &SandboxPolicy::ReadOnly,
-            false,
+            SandboxPermissions::UseDefault,
        );

        assert_eq!(
--- a/codex-rs/core/src/sandboxing/mod.rs
+++ b/codex-rs/core/src/sandboxing/mod.rs
@@ -26,6 +26,28 @@ use std::collections::HashMap;
 use std::path::Path;
 use std::path::PathBuf;

+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+pub enum SandboxPermissions {
+    UseDefault,
+    RequireEscalated,
+}
+
+impl SandboxPermissions {
+    pub fn requires_escalated_permissions(self) -> bool {
+        matches!(self, SandboxPermissions::RequireEscalated)
+    }
+}
+
+impl From<bool> for SandboxPermissions {
+    fn from(with_escalated_permissions: bool) -> Self {
+        if with_escalated_permissions {
+            SandboxPermissions::RequireEscalated
+        } else {
+            SandboxPermissions::UseDefault
+        }
+    }
+}
+
 #[derive(Clone, Debug)]
 pub struct CommandSpec {
    pub program: String,
--- a/codex-rs/core/src/tools/handlers/shell.rs
+++ b/codex-rs/core/src/tools/handlers/shell.rs
@@ -9,10 +9,11 @@ use crate::apply_patch::convert_apply_patch_to_protocol;
 use crate::codex::TurnContext;
 use crate::exec::ExecParams;
 use crate::exec_env::create_env;
-use crate::exec_policy::approval_requirement_for_command;
+use crate::exec_policy::create_approval_requirement_for_command;
 use crate::function_tool::FunctionCallError;
 use crate::is_safe_command::is_known_safe_command;
 use crate::protocol::ExecCommandSource;
+use crate::sandboxing::SandboxPermissions;
 use crate::tools::context::ToolInvocation;
 use crate::tools::context::ToolOutput;
 use crate::tools::context::ToolPayload;
@@ -303,12 +304,12 @@ impl ShellHandler {
            env: exec_params.env.clone(),
            with_escalated_permissions: exec_params.with_escalated_permissions,
            justification: exec_params.justification.clone(),
-            approval_requirement: approval_requirement_for_command(
+            approval_requirement: create_approval_requirement_for_command(
                &turn.exec_policy,
                &exec_params.command,
                turn.approval_policy,
                &turn.sandbox_policy,
-                exec_params.with_escalated_permissions.unwrap_or(false),
+                SandboxPermissions::from(exec_params.with_escalated_permissions.unwrap_or(false)),
            ),
        };
        let mut orchestrator = ToolOrchestrator::new();
--- a/codex-rs/core/src/unified_exec/session_manager.rs
+++ b/codex-rs/core/src/unified_exec/session_manager.rs
@@ -11,11 +11,12 @@ use crate::codex::TurnContext;
 use crate::exec::ExecToolCallOutput;
 use crate::exec::StreamOutput;
 use crate::exec_env::create_env;
-use crate::exec_policy::approval_requirement_for_command;
+use crate::exec_policy::create_approval_requirement_for_command;
 use crate::protocol::BackgroundEventEvent;
 use crate::protocol::EventMsg;
 use crate::protocol::ExecCommandSource;
 use crate::sandboxing::ExecEnv;
+use crate::sandboxing::SandboxPermissions;
 use crate::tools::events::ToolEmitter;
 use crate::tools::events::ToolEventCtx;
 use crate::tools::events::ToolEventFailure;
@@ -450,12 +451,12 @@ impl UnifiedExecSessionManager {
            create_env(&context.turn.shell_environment_policy),
            with_escalated_permissions,
            justification,
-            approval_requirement_for_command(
+            create_approval_requirement_for_command(
                &context.turn.exec_policy,
                command,
                context.turn.approval_policy,
                &context.turn.sandbox_policy,
-                with_escalated_permissions.unwrap_or(false),
+                SandboxPermissions::from(with_escalated_permissions.unwrap_or(false)),
            ),
        );
        let tool_ctx = ToolCtx {