app-server: compare resume sandbox from permission profile

2026-05-06 04:17:03 +00:00 · 2026-04-30 06:26:47 -07:00
3 changed files with 8 additions and 19 deletions
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
@@ -8603,21 +8603,24 @@ fn collect_resume_override_mismatches(
        }
    }
    if let Some(requested_sandbox) = request.sandbox.as_ref() {
-        let active_sandbox = config_snapshot.sandbox_policy();
+        let active_sandbox = thread_response_sandbox_policy(
+            &config_snapshot.permission_profile,
+            config_snapshot.cwd.as_path(),
+        );
        let sandbox_matches = matches!(
            (requested_sandbox, &active_sandbox),
            (
                SandboxMode::ReadOnly,
-                codex_protocol::protocol::SandboxPolicy::ReadOnly { .. }
+                codex_app_server_protocol::SandboxPolicy::ReadOnly { .. }
            ) | (
                SandboxMode::WorkspaceWrite,
-                codex_protocol::protocol::SandboxPolicy::WorkspaceWrite { .. }
+                codex_app_server_protocol::SandboxPolicy::WorkspaceWrite { .. }
            ) | (
                SandboxMode::DangerFullAccess,
-                codex_protocol::protocol::SandboxPolicy::DangerFullAccess
+                codex_app_server_protocol::SandboxPolicy::DangerFullAccess
            ) | (
                SandboxMode::DangerFullAccess,
-                codex_protocol::protocol::SandboxPolicy::ExternalSandbox { .. }
+                codex_app_server_protocol::SandboxPolicy::ExternalSandbox { .. }
            )
        );
        if !sandbox_matches {
--- a/codex-rs/core/src/codex_thread.rs
+++ b/codex-rs/core/src/codex_thread.rs
@@ -57,18 +57,6 @@ pub struct ThreadConfigSnapshot {
    pub session_source: SessionSource,
 }

-impl ThreadConfigSnapshot {
-    pub fn sandbox_policy(&self) -> SandboxPolicy {
-        let file_system_sandbox_policy = self.permission_profile.file_system_sandbox_policy();
-        codex_sandboxing::compatibility_sandbox_policy_for_permission_profile(
-            &self.permission_profile,
-            &file_system_sandbox_policy,
-            self.permission_profile.network_sandbox_policy(),
-            self.cwd.as_path(),
-        )
-    }
-}
-
 /// Turn context overrides that app-server validates before starting a turn.
 #[derive(Clone, Default)]
 pub struct CodexThreadTurnContextOverrides {
--- a/codex-rs/core/src/tools/handlers/multi_agents_tests.rs
+++ b/codex-rs/core/src/tools/handlers/multi_agents_tests.rs
@@ -1783,7 +1783,6 @@ async fn spawn_agent_reapplies_runtime_sandbox_after_role_config() {
    let (mut session, mut turn) = make_session_and_context().await;
    let manager = thread_manager();
    session.services.agent_control = manager.agent_control();
-    let expected_sandbox = turn.config.legacy_sandbox_policy();
    let mut expected_permission_profile = turn.config.permissions.permission_profile();
    let PermissionProfile::Managed { file_system, .. } = &mut expected_permission_profile else {
        panic!("test fixture should use managed permissions");
@@ -1840,7 +1839,6 @@ async fn spawn_agent_reapplies_runtime_sandbox_after_role_config() {
        .expect("spawned agent thread should exist")
        .config_snapshot()
        .await;
-    assert_eq!(snapshot.sandbox_policy(), expected_sandbox);
    assert_eq!(snapshot.approval_policy, AskForApproval::OnRequest);
    assert_eq!(snapshot.permission_profile, expected_permission_profile);
    let child_thread = manager