clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-04-25 15:15:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
15448da5f93b9d0137aef782d752c2d7ff203d68
codex/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewCompletedNotification.json
Michael Bolin 8bc667b07b app-server: include filesystem entries in permission requests (#19086) 
## Why

`item/permissions/requestApproval` sends a requested permission profile
to app-server clients. The core profile already stores filesystem
permissions as `entries`, but the v2 compatibility conversion used the
legacy `read`/`write` projection whenever possible and left `entries`
unset.

That made the request ambiguous for clients that consume the canonical
v2 shape: `permissions.fileSystem.entries` was missing even though
filesystem access was being requested. A client that rendered or echoed
grants from `entries` could treat the request as having no filesystem
permission entries, then return an empty or incomplete grant. The
app-server intersects responses with the original request, so omitted
filesystem permissions are denied.

## What Changed

- Populate `AdditionalFileSystemPermissions.entries` when converting
legacy read/write roots for request permission payloads, while
preserving `read` and `write` for compatibility.
- Mark `read` and `write` as transitional schema fields in the generated
app-server schema.
- Add regression coverage for the v2 conversion, the app-server
`item/permissions/requestApproval` round trip, and TUI app-server
approval conversion expectations.
- Refresh generated JSON and TypeScript schema fixtures.

## Verification

- `just fmt`
- `cargo test -p codex-app-server-protocol`
- `cargo test -p codex-app-server request_permissions_round_trip`
- `cargo test -p codex-tui
converts_request_permissions_into_granted_permissions`
- `cargo test -p codex-tui
resolves_permissions_and_user_input_through_app_server_request_id`
2026-04-23 00:21:59 -07:00

626 lines
15 KiB
JSON
Generated
Raw Blame History

{
"$schema": "http://json-schema.org/draft-07/schema#",
"definitions": {
"AbsolutePathBuf": {
"description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
"type": "string"
},
"AdditionalFileSystemPermissions": {
"properties": {
"entries": {
"items": {
"$ref": "#/definitions/FileSystemSandboxEntry"
},
"type": [
"array",
"null"
]
},
"globScanMaxDepth": {
"format": "uint",
"minimum": 1.0,
"type": [
"integer",
"null"
]
},
"read": {
"description": "This will be removed in favor of `entries`.",
"items": {
"$ref": "#/definitions/AbsolutePathBuf"
},
"type": [
"array",
"null"
]
},
"write": {
"description": "This will be removed in favor of `entries`.",
"items": {
"$ref": "#/definitions/AbsolutePathBuf"
},
"type": [
"array",
"null"
]
}
},
"type": "object"
},
"AdditionalNetworkPermissions": {
"properties": {
"enabled": {
"type": [
"boolean",
"null"
]
}
},
"type": "object"
},
"AutoReviewDecisionSource": {
"description": "[UNSTABLE] Source that produced a terminal approval auto-review decision.",
"enum": [
"agent"
],
"type": "string"
},
"FileSystemAccessMode": {
"enum": [
"read",
"write",
"none"
],
"type": "string"
},
"FileSystemPath": {
"oneOf": [
{
"properties": {
"path": {
"$ref": "#/definitions/AbsolutePathBuf"
},
"type": {
"enum": [
"path"
],
"title": "PathFileSystemPathType",
"type": "string"
}
},
"required": [
"path",
"type"
],
"title": "PathFileSystemPath",
"type": "object"
},
{
"properties": {
"pattern": {
"type": "string"
},
"type": {
"enum": [
"glob_pattern"
],
"title": "GlobPatternFileSystemPathType",
"type": "string"
}
},
"required": [
"pattern",
"type"
],
"title": "GlobPatternFileSystemPath",
"type": "object"
},
{
"properties": {
"type": {
"enum": [
"special"
],
"title": "SpecialFileSystemPathType",
"type": "string"
},
"value": {
"$ref": "#/definitions/FileSystemSpecialPath"
}
},
"required": [
"type",
"value"
],
"title": "SpecialFileSystemPath",
"type": "object"
}
]
},
"FileSystemSandboxEntry": {
"properties": {
"access": {
"$ref": "#/definitions/FileSystemAccessMode"
},
"path": {
"$ref": "#/definitions/FileSystemPath"
}
},
"required": [
"access",
"path"
],
"type": "object"
},
"FileSystemSpecialPath": {
"oneOf": [
{
"properties": {
"kind": {
"enum": [
"root"
],
"type": "string"
}
},
"required": [
"kind"
],
"title": "RootFileSystemSpecialPath",
"type": "object"
},
{
"properties": {
"kind": {
"enum": [
"minimal"
],
"type": "string"
}
},
"required": [
"kind"
],
"title": "MinimalFileSystemSpecialPath",
"type": "object"
},
{
"properties": {
"kind": {
"enum": [
"current_working_directory"
],
"type": "string"
}
},
"required": [
"kind"
],
"title": "CurrentWorkingDirectoryFileSystemSpecialPath",
"type": "object"
},
{
"properties": {
"kind": {
"enum": [
"project_roots"
],
"type": "string"
},
"subpath": {
"type": [
"string",
"null"
]
}
},
"required": [
"kind"
],
"title": "KindFileSystemSpecialPath",
"type": "object"
},
{
"properties": {
"kind": {
"enum": [
"tmpdir"
],
"type": "string"
}
},
"required": [
"kind"
],
"title": "TmpdirFileSystemSpecialPath",
"type": "object"
},
{
"properties": {
"kind": {
"enum": [
"slash_tmp"
],
"type": "string"
}
},
"required": [
"kind"
],
"title": "SlashTmpFileSystemSpecialPath",
"type": "object"
},
{
"properties": {
"kind": {
"enum": [
"unknown"
],
"type": "string"
},
"path": {
"type": "string"
},
"subpath": {
"type": [
"string",
"null"
]
}
},
"required": [
"kind",
"path"
],
"type": "object"
}
]
},
"GuardianApprovalReview": {
"description": "[UNSTABLE] Temporary approval auto-review payload used by `item/autoApprovalReview/*` notifications. This shape is expected to change soon.",
"properties": {
"rationale": {
"type": [
"string",
"null"
]
},
"riskLevel": {
"anyOf": [
{
"$ref": "#/definitions/GuardianRiskLevel"
},
{
"type": "null"
}
]
},
"status": {
"$ref": "#/definitions/GuardianApprovalReviewStatus"
},
"userAuthorization": {
"anyOf": [
{
"$ref": "#/definitions/GuardianUserAuthorization"
},
{
"type": "null"
}
]
}
},
"required": [
"status"
],
"type": "object"
},
"GuardianApprovalReviewAction": {
"oneOf": [
{
"properties": {
"command": {
"type": "string"
},
"cwd": {
"$ref": "#/definitions/AbsolutePathBuf"
},
"source": {
"$ref": "#/definitions/GuardianCommandSource"
},
"type": {
"enum": [
"command"
],
"title": "CommandGuardianApprovalReviewActionType",
"type": "string"
}
},
"required": [
"command",
"cwd",
"source",
"type"
],
"title": "CommandGuardianApprovalReviewAction",
"type": "object"
},
{
"properties": {
"argv": {
"items": {
"type": "string"
},
"type": "array"
},
"cwd": {
"$ref": "#/definitions/AbsolutePathBuf"
},
"program": {
"type": "string"
},
"source": {
"$ref": "#/definitions/GuardianCommandSource"
},
"type": {
"enum": [
"execve"
],
"title": "ExecveGuardianApprovalReviewActionType",
"type": "string"
}
},
"required": [
"argv",
"cwd",
"program",
"source",
"type"
],
"title": "ExecveGuardianApprovalReviewAction",
"type": "object"
},
{
"properties": {
"cwd": {
"$ref": "#/definitions/AbsolutePathBuf"
},
"files": {
"items": {
"$ref": "#/definitions/AbsolutePathBuf"
},
"type": "array"
},
"type": {
"enum": [
"applyPatch"
],
"title": "ApplyPatchGuardianApprovalReviewActionType",
"type": "string"
}
},
"required": [
"cwd",
"files",
"type"
],
"title": "ApplyPatchGuardianApprovalReviewAction",
"type": "object"
},
{
"properties": {
"host": {
"type": "string"
},
"port": {
"format": "uint16",
"minimum": 0.0,
"type": "integer"
},
"protocol": {
"$ref": "#/definitions/NetworkApprovalProtocol"
},
"target": {
"type": "string"
},
"type": {
"enum": [
"networkAccess"
],
"title": "NetworkAccessGuardianApprovalReviewActionType",
"type": "string"
}
},
"required": [
"host",
"port",
"protocol",
"target",
"type"
],
"title": "NetworkAccessGuardianApprovalReviewAction",
"type": "object"
},
{
"properties": {
"connectorId": {
"type": [
"string",
"null"
]
},
"connectorName": {
"type": [
"string",
"null"
]
},
"server": {
"type": "string"
},
"toolName": {
"type": "string"
},
"toolTitle": {
"type": [
"string",
"null"
]
},
"type": {
"enum": [
"mcpToolCall"
],
"title": "McpToolCallGuardianApprovalReviewActionType",
"type": "string"
}
},
"required": [
"server",
"toolName",
"type"
],
"title": "McpToolCallGuardianApprovalReviewAction",
"type": "object"
},
{
"properties": {
"permissions": {
"$ref": "#/definitions/RequestPermissionProfile"
},
"reason": {
"type": [
"string",
"null"
]
},
"type": {
"enum": [
"requestPermissions"
],
"title": "RequestPermissionsGuardianApprovalReviewActionType",
"type": "string"
}
},
"required": [
"permissions",
"type"
],
"title": "RequestPermissionsGuardianApprovalReviewAction",
"type": "object"
}
]
},
"GuardianApprovalReviewStatus": {
"description": "[UNSTABLE] Lifecycle state for an approval auto-review.",
"enum": [
"inProgress",
"approved",
"denied",
"timedOut",
"aborted"
],
"type": "string"
},
"GuardianCommandSource": {
"enum": [
"shell",
"unifiedExec"
],
"type": "string"
},
"GuardianRiskLevel": {
"description": "[UNSTABLE] Risk level assigned by approval auto-review.",
"enum": [
"low",
"medium",
"high",
"critical"
],
"type": "string"
},
"GuardianUserAuthorization": {
"description": "[UNSTABLE] Authorization level assigned by approval auto-review.",
"enum": [
"unknown",
"low",
"medium",
"high"
],
"type": "string"
},
"NetworkApprovalProtocol": {
"enum": [
"http",
"https",
"socks5Tcp",
"socks5Udp"
],
"type": "string"
},
"RequestPermissionProfile": {
"additionalProperties": false,
"properties": {
"fileSystem": {
"anyOf": [
{
"$ref": "#/definitions/AdditionalFileSystemPermissions"
},
{
"type": "null"
}
]
},
"network": {
"anyOf": [
{
"$ref": "#/definitions/AdditionalNetworkPermissions"
},
{
"type": "null"
}
]
}
},
"type": "object"
}
},
"description": "[UNSTABLE] Temporary notification payload for approval auto-review. This shape is expected to change soon.",
"properties": {
"action": {
"$ref": "#/definitions/GuardianApprovalReviewAction"
},
"decisionSource": {
"$ref": "#/definitions/AutoReviewDecisionSource"
},
"review": {
"$ref": "#/definitions/GuardianApprovalReview"
},
"reviewId": {
"description": "Stable identifier for this review.",
"type": "string"
},
"targetItemId": {
"description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
"type": [
"string",
"null"
]
},
"threadId": {
"type": "string"
},
"turnId": {
"type": "string"
}
},
"required": [
"action",
"decisionSource",
"review",
"reviewId",
"threadId",
"turnId"
],
"title": "ItemGuardianApprovalReviewCompletedNotification",
"type": "object"
}
Reference in New Issue View Git Blame Copy Permalink