viyatb-oai 6862b9c745 feat(permissions): add glob deny-read policy support (#15979) ...

## Summary
- adds first-class filesystem policy entries for deny-read glob patterns
- parses config such as :project_roots { "**/*.env" = "none" } into
pattern entries
- enforces deny-read patterns in direct read/list helpers
- fails closed for sandbox execution until platform backends enforce
glob patterns in #18096
- preserves split filesystem policy in turn context only when it cannot
be reconstructed from legacy sandbox policy

## Stack
1. This PR - glob deny-read policy/config/direct-tool support
2. #18096 - macOS and Linux sandbox enforcement
3. #17740 - managed deny-read requirements

## Verification
- just fmt
- cargo check -p codex-core -p codex-sandboxing --tests

---------

Co-authored-by: Codex <noreply@openai.com>

2026-04-16 10:31:51 -07:00

..

logs_migrations

Align SQLite feedback logs with feedback formatter (#13494)

2026-03-18 22:44:31 +00:00

migrations

Moving updated-at timestamps to unique millisecond times (#17489)

2026-04-14 11:55:34 -04:00

src

feat(permissions): add glob deny-read policy support (#15979)

2026-04-16 10:31:51 -07:00

BUILD.bazel

fix bazel build (#13787)

2026-03-06 12:12:20 -08:00

Cargo.toml

Move git utilities into a dedicated crate (#15564)

2026-03-24 13:26:23 -07:00