protocol: canonicalize file system permissions (#18274)

## Why `PermissionProfile` needs stable, canonical file-system semantics before it can become the primary runtime permissions abstraction. Without a canonical form, callers have to keep re-deriving legacy sandbox maps and profile comparisons remain lossy or order-dependent. ## What changed This adds canonicalization helpers for `FileSystemPermissions` and `PermissionProfile`, expands special paths into explicit sandbox entries, and updates permission request/conversion paths to consume those canonical entries. It also tightens the legacy bridge so root-wide write profiles with narrower carveouts are not silently projected as full-disk legacy access. ## Verification - `cargo test -p codex-protocol root_write_with_read_only_child_is_not_full_disk_write -- --nocapture` - `cargo test -p codex-sandboxing permission -- --nocapture` - `cargo test -p codex-tui permissions -- --nocapture`
2026-06-01 19:02:59 +00:00 · 2026-04-20 09:57:03 -07:00
parent ac7c9a685f
commit dcec516313
41 changed files with 2076 additions and 385 deletions
--- a/codex-rs/core/src/tools/handlers/apply_patch.rs
+++ b/codex-rs/core/src/tools/handlers/apply_patch.rs
@@ -196,10 +196,10 @@ fn write_permissions_for_paths(
        .ok()?;

    let permissions = (!write_paths.is_empty()).then_some(PermissionProfile {
-        file_system: Some(FileSystemPermissions {
-            read: Some(vec![]),
-            write: Some(write_paths),
-        }),
+        file_system: Some(FileSystemPermissions::from_read_write_roots(
+            Some(vec![]),
+            Some(write_paths),
+        )),
        ..Default::default()
    })?;

--- a/codex-rs/core/src/tools/handlers/apply_patch_tests.rs
+++ b/codex-rs/core/src/tools/handlers/apply_patch_tests.rs
@@ -148,7 +148,10 @@ fn write_permissions_for_paths_keep_dirs_outside_workspace_root() {
        dunce::simplified(&outside.canonicalize().expect("canonicalize outside dir")).abs();

    assert_eq!(
-        permissions.and_then(|profile| profile.file_system.and_then(|fs| fs.write)),
+        permissions
+            .and_then(|profile| profile.file_system)
+            .and_then(|fs| fs.legacy_read_write_roots())
+            .and_then(|(_read, write)| write),
        Some(vec![expected_outside])
    );
 }
--- a/codex-rs/core/src/tools/handlers/mod.rs
+++ b/codex-rs/core/src/tools/handlers/mod.rs
@@ -238,12 +238,12 @@ mod tests {

    fn file_system_permissions(path: &std::path::Path) -> PermissionProfile {
        PermissionProfile {
-            file_system: Some(FileSystemPermissions {
-                read: None,
-                write: Some(vec![
+            file_system: Some(FileSystemPermissions::from_read_write_roots(
+                /*read*/ None,
+                Some(vec![
                    AbsolutePathBuf::from_absolute_path(path).expect("absolute path"),
                ]),
-            }),
+            )),
            ..Default::default()
        }
    }
--- a/codex-rs/core/src/tools/handlers/unified_exec_tests.rs
+++ b/codex-rs/core/src/tools/handlers/unified_exec_tests.rs
@@ -188,10 +188,10 @@ fn exec_command_args_resolve_relative_additional_permissions_against_workdir() -
    assert_eq!(
        args.additional_permissions,
        Some(PermissionProfile {
-            file_system: Some(FileSystemPermissions {
-                read: None,
-                write: Some(vec![expected_write.abs()]),
-            }),
+            file_system: Some(FileSystemPermissions::from_read_write_roots(
+                /*read*/ None,
+                Some(vec![expected_write.abs()]),
+            )),
            ..Default::default()
        })
    );
--- a/codex-rs/core/src/tools/runtimes/apply_patch_tests.rs
+++ b/codex-rs/core/src/tools/runtimes/apply_patch_tests.rs
@@ -85,10 +85,10 @@ fn file_system_sandbox_context_uses_active_attempt() {
        .abs();
    let additional_permissions = PermissionProfile {
        network: None,
-        file_system: Some(FileSystemPermissions {
-            read: Some(vec![path.clone()]),
-            write: Some(Vec::new()),
-        }),
+        file_system: Some(FileSystemPermissions::from_read_write_roots(
+            Some(vec![path.clone()]),
+            Some(Vec::new()),
+        )),
    };
    let req = ApplyPatchRequest {
        action: ApplyPatchAction::new_add_for_test(&path, "hello".to_string()),
--- a/codex-rs/core/src/tools/runtimes/shell/unix_escalation_tests.rs
+++ b/codex-rs/core/src/tools/runtimes/shell/unix_escalation_tests.rs
@@ -258,12 +258,12 @@ fn map_exec_result_preserves_stdout_and_stderr() {
 #[test]
 fn shell_request_escalation_execution_is_explicit() {
    let requested_permissions = PermissionProfile {
-        file_system: Some(FileSystemPermissions {
-            read: None,
-            write: Some(vec![
+        file_system: Some(FileSystemPermissions::from_read_write_roots(
+            /*read*/ None,
+            Some(vec![
                AbsolutePathBuf::from_absolute_path("/tmp/output").unwrap(),
            ]),
-        }),
+        )),
        ..Default::default()
    };
    let sandbox_policy = SandboxPolicy::WorkspaceWrite {