state: extract rollout permissions from profiles

state: derive metadata sandbox from permission profiles
2026-05-08 13:26:34 +00:00 · 2026-04-30 04:46:08 -07:00 · 2026-04-30 04:46:08 -07:00
6 changed files with 80 additions and 21 deletions
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
@@ -3454,7 +3454,7 @@ impl CodexMessageProcessor {
            builder.model_provider = Some(model_provider.clone());
            builder.cwd = config_snapshot.cwd.to_path_buf();
            builder.cli_version = Some(env!("CARGO_PKG_VERSION").to_string());
-            builder.sandbox_policy = config_snapshot.sandbox_policy();
+            builder.permission_profile = config_snapshot.permission_profile;
            builder.approval_mode = config_snapshot.approval_policy;
            let metadata = builder.build(model_provider.as_str());
            if let Err(err) = state_db_ctx.insert_thread_if_absent(&metadata).await {
--- a/codex-rs/rollout/src/metadata.rs
+++ b/codex-rs/rollout/src/metadata.rs
@@ -12,7 +12,6 @@ use chrono::Utc;
 use codex_protocol::ThreadId;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::RolloutItem;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::SessionMetaLine;
 use codex_protocol::protocol::SessionSource;
 use codex_state::BackfillState;
@@ -54,7 +53,6 @@ pub(crate) fn builder_from_session_meta(
    builder.agent_path = session_meta.meta.agent_path.clone();
    builder.cwd = session_meta.meta.cwd.clone();
    builder.cli_version = Some(session_meta.meta.cli_version.clone());
-    builder.sandbox_policy = SandboxPolicy::new_read_only_policy();
    builder.approval_mode = AskForApproval::OnRequest;
    if let Some(git) = session_meta.git.as_ref() {
        builder.git_sha = git.commit_hash.as_ref().map(|sha| sha.0.clone());
--- a/codex-rs/state/src/extract.rs
+++ b/codex-rs/state/src/extract.rs
@@ -75,7 +75,10 @@ fn apply_turn_context(metadata: &mut ThreadMetadata, turn_ctx: &TurnContextItem)
    }
    metadata.model = Some(turn_ctx.model.clone());
    metadata.reasoning_effort = turn_ctx.effort;
-    metadata.sandbox_policy = enum_to_string(&turn_ctx.sandbox_policy);
+    metadata.sandbox_policy = crate::model::legacy_sandbox_policy_string(
+        &turn_ctx.permission_profile(),
+        turn_ctx.cwd.as_path(),
+    );
    metadata.approval_mode = enum_to_string(&turn_ctx.approval_policy);
 }

@@ -150,12 +153,12 @@ mod tests {
    use codex_protocol::ThreadId;
    use codex_protocol::config_types::ReasoningSummary;
    use codex_protocol::models::ContentItem;
+    use codex_protocol::models::PermissionProfile;
    use codex_protocol::models::ResponseItem;
    use codex_protocol::openai_models::ReasoningEffort;
    use codex_protocol::protocol::AskForApproval;
    use codex_protocol::protocol::EventMsg;
    use codex_protocol::protocol::RolloutItem;
-    use codex_protocol::protocol::SandboxPolicy;
    use codex_protocol::protocol::SessionMeta;
    use codex_protocol::protocol::SessionMetaLine;
    use codex_protocol::protocol::SessionSource;
@@ -165,6 +168,7 @@ mod tests {
    use codex_protocol::protocol::UserMessageEvent;

    use pretty_assertions::assert_eq;
+    use std::path::Path;
    use std::path::PathBuf;
    use uuid::Uuid;

@@ -299,8 +303,10 @@ mod tests {
                current_date: None,
                timezone: None,
                approval_policy: AskForApproval::Never,
-                sandbox_policy: SandboxPolicy::DangerFullAccess,
-                permission_profile: None,
+                sandbox_policy: PermissionProfile::read_only()
+                    .to_legacy_sandbox_policy(Path::new("/"))
+                    .expect("read-only profile should project to legacy sandbox"),
+                permission_profile: Some(PermissionProfile::Disabled),
                network: None,
                file_system_sandbox_policy: None,
                model: "gpt-5".to_string(),
@@ -318,10 +324,7 @@ mod tests {
        );

        assert_eq!(metadata.cwd, PathBuf::from("/child/worktree"));
-        assert_eq!(
-            metadata.sandbox_policy,
-            super::enum_to_string(&SandboxPolicy::DangerFullAccess)
-        );
+        assert_eq!(metadata.sandbox_policy, r#"{"type":"danger-full-access"}"#);
        assert_eq!(metadata.approval_mode, "never");
    }

@@ -339,7 +342,9 @@ mod tests {
                current_date: None,
                timezone: None,
                approval_policy: AskForApproval::OnRequest,
-                sandbox_policy: SandboxPolicy::new_read_only_policy(),
+                sandbox_policy: PermissionProfile::read_only()
+                    .to_legacy_sandbox_policy(Path::new("/"))
+                    .expect("read-only profile should project to legacy sandbox"),
                permission_profile: None,
                network: None,
                file_system_sandbox_policy: None,
@@ -373,7 +378,9 @@ mod tests {
                current_date: None,
                timezone: None,
                approval_policy: AskForApproval::OnRequest,
-                sandbox_policy: SandboxPolicy::new_read_only_policy(),
+                sandbox_policy: PermissionProfile::read_only()
+                    .to_legacy_sandbox_policy(Path::new("/"))
+                    .expect("read-only profile should project to legacy sandbox"),
                permission_profile: None,
                network: None,
                file_system_sandbox_policy: None,
--- a/codex-rs/state/src/model/mod.rs
+++ b/codex-rs/state/src/model/mod.rs
@@ -44,3 +44,4 @@ pub(crate) use thread_metadata::anchor_from_item;
 pub(crate) use thread_metadata::datetime_to_epoch_millis;
 pub(crate) use thread_metadata::datetime_to_epoch_seconds;
 pub(crate) use thread_metadata::epoch_millis_to_datetime;
+pub(crate) use thread_metadata::legacy_sandbox_policy_string;
--- a/codex-rs/state/src/model/thread_metadata.rs
+++ b/codex-rs/state/src/model/thread_metadata.rs
@@ -2,12 +2,13 @@ use anyhow::Result;
 use chrono::DateTime;
 use chrono::Utc;
 use codex_protocol::ThreadId;
+use codex_protocol::models::PermissionProfile;
 use codex_protocol::openai_models::ReasoningEffort;
 use codex_protocol::protocol::AskForApproval;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::SessionSource;
 use sqlx::Row;
 use sqlx::sqlite::SqliteRow;
+use std::path::Path;
 use std::path::PathBuf;

 /// The sort key to use when listing threads.
@@ -129,8 +130,9 @@ pub struct ThreadMetadataBuilder {
    pub cwd: PathBuf,
    /// Version of the CLI that created the thread.
    pub cli_version: Option<String>,
-    /// The sandbox policy.
-    pub sandbox_policy: SandboxPolicy,
+    /// Runtime permissions, projected to the legacy `sandbox_policy` string
+    /// stored in the state DB when metadata is built.
+    pub permission_profile: PermissionProfile,
    /// The approval mode.
    pub approval_mode: AskForApproval,
    /// The archive timestamp, if the thread is archived.
@@ -163,7 +165,7 @@ impl ThreadMetadataBuilder {
            model_provider: None,
            cwd: PathBuf::new(),
            cli_version: None,
-            sandbox_policy: SandboxPolicy::new_read_only_policy(),
+            permission_profile: PermissionProfile::read_only(),
            approval_mode: AskForApproval::OnRequest,
            archived_at: None,
            git_sha: None,
@@ -175,7 +177,8 @@ impl ThreadMetadataBuilder {
    /// Build canonical thread metadata, filling missing values from defaults.
    pub fn build(&self, default_provider: &str) -> ThreadMetadata {
        let source = crate::extract::enum_to_string(&self.source);
-        let sandbox_policy = crate::extract::enum_to_string(&self.sandbox_policy);
+        let sandbox_policy =
+            legacy_sandbox_policy_string(&self.permission_profile, self.cwd.as_path());
        let approval_mode = crate::extract::enum_to_string(&self.approval_mode);
        let created_at = canonicalize_datetime(self.created_at);
        let updated_at = self
@@ -215,6 +218,16 @@ impl ThreadMetadataBuilder {
    }
 }

+pub(crate) fn legacy_sandbox_policy_string(
+    permission_profile: &PermissionProfile,
+    cwd: &Path,
+) -> String {
+    permission_profile
+        .to_legacy_sandbox_policy(cwd)
+        .map(|policy| crate::extract::enum_to_string(&policy))
+        .unwrap_or_else(|_| "custom".to_string())
+}
+
 impl ThreadMetadata {
    /// Preserve existing non-null Git fields when rollout-derived metadata is reconciled.
    pub fn prefer_existing_git_info(&mut self, existing: &Self) {
@@ -465,14 +478,26 @@ pub struct BackfillStats {
 #[cfg(test)]
 mod tests {
    use super::ThreadMetadata;
+    use super::ThreadMetadataBuilder;
    use super::ThreadRow;
    use chrono::DateTime;
    use chrono::Utc;
    use codex_protocol::ThreadId;
+    use codex_protocol::models::PermissionProfile;
    use codex_protocol::openai_models::ReasoningEffort;
+    use codex_protocol::protocol::SessionSource;
    use pretty_assertions::assert_eq;
    use std::path::PathBuf;

+    fn metadata_builder() -> ThreadMetadataBuilder {
+        ThreadMetadataBuilder::new(
+            ThreadId::from_string("00000000-0000-0000-0000-000000000123").expect("valid thread id"),
+            PathBuf::from("/tmp/rollout-123.jsonl"),
+            DateTime::<Utc>::from_timestamp(1_700_000_000, 0).expect("timestamp"),
+            SessionSource::Cli,
+        )
+    }
+
    fn thread_row(reasoning_effort: Option<&str>) -> ThreadRow {
        ThreadRow {
            id: "00000000-0000-0000-0000-000000000123".to_string(),
@@ -549,4 +574,34 @@ mod tests {
            expected_thread_metadata(/*reasoning_effort*/ None)
        );
    }
+
+    #[test]
+    fn thread_metadata_builder_projects_permission_profile_to_legacy_sandbox_string() {
+        let mut builder = metadata_builder();
+        builder.cwd = PathBuf::from("/tmp/workspace");
+        builder.permission_profile = PermissionProfile::workspace_write();
+
+        let metadata = builder.build("openai");
+
+        assert_eq!(
+            serde_json::from_str::<serde_json::Value>(&metadata.sandbox_policy)
+                .expect("sandbox policy should be valid json"),
+            serde_json::json!({
+                "type": "workspace-write",
+                "network_access": false,
+                "exclude_tmpdir_env_var": false,
+                "exclude_slash_tmp": false,
+            })
+        );
+    }
+
+    #[test]
+    fn thread_metadata_builder_projects_disabled_profile_to_legacy_sandbox_string() {
+        let mut builder = metadata_builder();
+        builder.permission_profile = PermissionProfile::Disabled;
+
+        let metadata = builder.build("openai");
+
+        assert_eq!(metadata.sandbox_policy, r#"{"type":"danger-full-access"}"#);
+    }
 }
--- a/codex-rs/state/src/runtime/test_support.rs
+++ b/codex-rs/state/src/runtime/test_support.rs
@@ -9,8 +9,6 @@ use codex_protocol::openai_models::ReasoningEffort;
 #[cfg(test)]
 use codex_protocol::protocol::AskForApproval;
 #[cfg(test)]
-use codex_protocol::protocol::SandboxPolicy;
-#[cfg(test)]
 use std::path::Path;
 #[cfg(test)]
 use std::path::PathBuf;
@@ -57,7 +55,7 @@ pub(super) fn test_thread_metadata(
        cwd,
        cli_version: "0.0.0".to_string(),
        title: String::new(),
-        sandbox_policy: crate::extract::enum_to_string(&SandboxPolicy::new_read_only_policy()),
+        sandbox_policy: r#"{"type":"read-only"}"#.to_string(),
        approval_mode: crate::extract::enum_to_string(&AskForApproval::OnRequest),
        tokens_used: 0,
        first_user_message: Some("hello".to_string()),
Author	SHA1	Message	Date
Michael Bolin	fa0b3f30f4	state: extract rollout permissions from profiles	2026-04-30 04:46:08 -07:00
Michael Bolin	c6d275f2a5	state: derive metadata sandbox from permission profiles	2026-04-30 04:46:08 -07:00