Resolve managed-config relative writable roots against codex home

2026-04-24 06:35:50 +00:00 · 2026-03-10 08:22:09 -07:00
2 changed files with 48 additions and 1 deletions
--- a/codex-rs/core/src/config_loader/mod.rs
+++ b/codex-rs/core/src/config_loader/mod.rs
@@ -282,9 +282,11 @@ pub async fn load_config_layers_state(
        ));
    }
    if let Some(config) = managed_config_from_mdm {
+        let managed_config =
+            resolve_relative_paths_in_config_toml(config.managed_config, codex_home)?;
        layers.push(ConfigLayerEntry::new_with_raw_toml(
            ConfigLayerSource::LegacyManagedConfigTomlFromMdm,
-            config.managed_config,
+            managed_config,
            config.raw_toml,
        ));
    }
--- a/codex-rs/core/src/config_loader/tests.rs
+++ b/codex-rs/core/src/config_loader/tests.rs
@@ -380,6 +380,51 @@ flag = false
    assert!(raw.contains("value = \"managed\""));
 }

+#[cfg(target_os = "macos")]
+#[tokio::test]
+async fn managed_preferences_resolve_relative_workspace_write_roots() -> std::io::Result<()> {
+    use base64::Engine;
+
+    let codex_home = tempdir().expect("tempdir");
+
+    let overrides = LoaderOverrides {
+        managed_config_path: Some(codex_home.path().join("managed_config.toml")),
+        managed_preferences_base64: Some(
+            base64::prelude::BASE64_STANDARD.encode(
+                r#"
+sandbox_mode = "workspace-write"
+
+[sandbox_workspace_write]
+writable_roots = ["managed-write"]
+"#
+                .as_bytes(),
+            ),
+        ),
+        macos_managed_config_requirements_base64: None,
+    };
+
+    let config = ConfigBuilder::default()
+        .codex_home(codex_home.path().to_path_buf())
+        .fallback_cwd(Some(codex_home.path().to_path_buf()))
+        .loader_overrides(overrides)
+        .build()
+        .await?;
+
+    let expected_root =
+        AbsolutePathBuf::resolve_path_against_base("managed-write", codex_home.path())?;
+    match config.permissions.sandbox_policy.get() {
+        SandboxPolicy::WorkspaceWrite { writable_roots, .. } => {
+            assert!(
+                writable_roots.contains(&expected_root),
+                "expected writable_roots to contain {expected_root:?}, got {writable_roots:?}"
+            );
+        }
+        other => panic!("expected workspace-write sandbox policy, got {other:?}"),
+    }
+
+    Ok(())
+}
+
 #[cfg(target_os = "macos")]
 #[tokio::test]
 async fn managed_preferences_requirements_are_applied() -> anyhow::Result<()> {