test(core): align macos request permissions expectations

2026-04-24 14:45:27 +00:00 · 2026-03-07 10:00:10 -08:00
parent 6b56da734d
commit f3be0723af
1 changed files with 27 additions and 17 deletions
--- a/codex-rs/core/tests/suite/request_permissions.rs
+++ b/codex-rs/core/tests/suite/request_permissions.rs
@@ -208,14 +208,17 @@ async fn with_additional_permissions_requires_approval_under_on_request() -> Res
    });
    let test = builder.build(&server).await?;

-    let requested_write = test.workspace_path("requested-but-unused.txt");
+    let requested_dir = test.workspace_path("requested-dir");
+    fs::create_dir_all(&requested_dir)?;
+    let requested_dir_canonical = requested_dir.canonicalize()?;
+    let requested_write = requested_dir.join("requested-but-unused.txt");
    let _ = fs::remove_file(&requested_write);
    let call_id = "request_permissions_skip_approval";
-    let command = "touch requested-but-unused.txt";
+    let command = "touch requested-dir/requested-but-unused.txt";
    let requested_permissions = PermissionProfile {
        file_system: Some(FileSystemPermissions {
            read: Some(vec![]),
-            write: Some(vec![absolute_path(&requested_write)]),
+            write: Some(vec![absolute_path(&requested_dir_canonical)]),
        }),
        ..Default::default()
    };
@@ -292,6 +295,7 @@ async fn relative_additional_permissions_resolve_against_tool_workdir() -> Resul

    let nested_dir = test.workspace_path("nested");
    fs::create_dir_all(&nested_dir)?;
+    let nested_dir_canonical = nested_dir.canonicalize()?;
    let requested_write = nested_dir.join("relative-write.txt");
    let _ = fs::remove_file(&requested_write);

@@ -300,7 +304,7 @@ async fn relative_additional_permissions_resolve_against_tool_workdir() -> Resul
    let expected_permissions = PermissionProfile {
        file_system: Some(FileSystemPermissions {
            read: None,
-            write: Some(vec![absolute_path(&requested_write)]),
+            write: Some(vec![absolute_path(&nested_dir_canonical)]),
        }),
        ..Default::default()
    };
@@ -310,7 +314,7 @@ async fn relative_additional_permissions_resolve_against_tool_workdir() -> Resul
        Some("nested"),
        json!({
            "file_system": {
-                "write": ["./relative-write.txt"],
+                "write": ["."],
            },
        }),
    )?;
@@ -366,7 +370,8 @@ async fn relative_additional_permissions_resolve_against_tool_workdir() -> Resul

 #[tokio::test(flavor = "current_thread")]
 #[cfg(target_os = "macos")]
-async fn read_only_with_additional_permissions_widens_to_unrequested_cwd_write() -> Result<()> {
+async fn read_only_with_additional_permissions_does_not_widen_to_unrequested_cwd_write()
+-> Result<()> {
    skip_if_no_network!(Ok(()));
    skip_if_sandbox!(Ok(()));

@@ -440,16 +445,18 @@ async fn read_only_with_additional_permissions_widens_to_unrequested_cwd_write()

    let result = parse_result(&results.single_request().function_call_output(call_id));
    assert!(
-        result.exit_code.is_none() || result.exit_code == Some(0),
-        "unexpected exit code/output: {:?} {}",
+        result.exit_code != Some(0),
+        "unrequested cwd write should stay denied: {:?} {}",
        result.exit_code,
        result.stdout
    );
-    assert!(result.stdout.contains("cwd-widened"));
-    assert_eq!(fs::read_to_string(&unrequested_write)?, "cwd-widened");
    assert!(
        !requested_write.exists(),
-        "only the unrequested cwd path should have been written"
+        "requested path should remain untouched when the command targets an unrequested file"
+    );
+    assert!(
+        !unrequested_write.exists(),
+        "unrequested cwd write should remain blocked"
    );

    let _ = fs::remove_file(unrequested_write);
@@ -459,7 +466,8 @@ async fn read_only_with_additional_permissions_widens_to_unrequested_cwd_write()

 #[tokio::test(flavor = "current_thread")]
 #[cfg(target_os = "macos")]
-async fn read_only_with_additional_permissions_widens_to_unrequested_tmp_write() -> Result<()> {
+async fn read_only_with_additional_permissions_does_not_widen_to_unrequested_tmp_write()
+-> Result<()> {
    skip_if_no_network!(Ok(()));
    skip_if_sandbox!(Ok(()));

@@ -534,16 +542,18 @@ async fn read_only_with_additional_permissions_widens_to_unrequested_tmp_write()

    let result = parse_result(&results.single_request().function_call_output(call_id));
    assert!(
-        result.exit_code.is_none() || result.exit_code == Some(0),
-        "unexpected exit code/output: {:?} {}",
+        result.exit_code != Some(0),
+        "unrequested tmp write should stay denied: {:?} {}",
        result.exit_code,
        result.stdout
    );
-    assert!(result.stdout.contains("tmp-widened"));
-    assert_eq!(fs::read_to_string(&tmp_write)?, "tmp-widened");
    assert!(
        !requested_write.exists(),
-        "only the unrequested tmp path should have been written"
+        "requested path should remain untouched when the command targets an unrequested file"
+    );
+    assert!(
+        !tmp_write.exists(),
+        "unrequested tmp write should remain blocked"
    );

    let _ = fs::remove_file(tmp_write);