refactoring with_escalated_permissions to use SandboxPermissions instead (#7750)

Helpful in the future if we want more granularity when requesting
escalated permissions:
e.g., when running in a read-only sandbox, the model can request to escalate to a
sandbox that allows writes.
zhao-oai
2025-12-10 09:18:48 -08:00
committed by GitHub
parent 97b90094cd
commit e0fb3ca1db
27 changed files with 216 additions and 179 deletions


@@ -6,6 +6,7 @@ small and focused and reuses the orchestrator for approvals + sandbox + retry.
*/
use crate::exec::ExecExpiration;
use crate::sandboxing::CommandSpec;
use crate::sandboxing::SandboxPermissions;
use crate::tools::sandboxing::ToolError;
use std::collections::HashMap;
use std::path::Path;
@@ -21,7 +22,7 @@ pub(crate) fn build_command_spec(
cwd: &Path,
env: &HashMap<String, String>,
expiration: ExecExpiration,
with_escalated_permissions: Option<bool>,
sandbox_permissions: SandboxPermissions,
justification: Option<String>,
) -> Result<CommandSpec, ToolError> {
let (program, args) = command
@@ -33,7 +34,7 @@ pub(crate) fn build_command_spec(
cwd: cwd.to_path_buf(),
env: env.clone(),
expiration,
with_escalated_permissions,
sandbox_permissions,
justification,
})
}
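Review bot: In `build_command_spec`, the new `sandbox_permissions` value is copied into `CommandSpec` alongside `justification` with no relation enforced between the two, so an escalation request with `justification: None` can still be constructed here. If the approval path expects a reason whenever escalation is requested, either check that at this point or state the contract in a doc comment, for example `/// sandbox_permissions is the requested level only; approval and enforcement happen in the orchestrator.` (assuming that matches the design the file header describes). Because the parameter is no longer an `Option`, every caller must now choose a value explicitly. The call sites are outside this view, so it is worth confirming that those which used to pass `None` map to the non-escalated variant and not a broader one. The start of the parameter list and part of the function body also lie outside the hunks shown.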