Skip to content

permissions: remove core legacy policy round trips#19394

Merged
bolinfest merged 1 commit intomainfrom
pr19394
Apr 27, 2026
Merged

permissions: remove core legacy policy round trips#19394
bolinfest merged 1 commit intomainfrom
pr19394

Conversation

@bolinfest
Copy link
Copy Markdown
Collaborator

@bolinfest bolinfest commented Apr 24, 2026
edited
Loading

Why

Several execution paths still converted profile-backed permissions into SandboxPolicy and then rebuilt runtime permissions from that legacy shape. Those round trips are unnecessary after the preceding PRs and can lose split filesystem semantics. Core approval and escalation should carry the resolved profile directly.

What Changed

  • Removes sandbox_policy from ResolvedPermissionProfile; the resolved permission object now carries the canonical PermissionProfile directly.
  • Updates exec-policy fallback, shell/unified-exec interception, escalation reruns, and related tests to pass profiles instead of legacy policies.
  • Removes legacy additional-permission merge helpers that built an effective SandboxPolicy before rebuilding runtime permissions.
  • Keeps legacy projections only at compatibility boundaries that still require SandboxPolicy, not in core permission computation.

Verification

  • cargo test -p codex-core direct_write_roots
  • cargo test -p codex-core runtime_roots_to_legacy_projection
  • cargo test -p codex-app-server requested_permissions_trust_project_uses_permission_profile_intent

Stack created with Sapling. Best reviewed with ReviewStack.

@bolinfest bolinfest requested a review from a team as a code owner April 24, 2026 16:02
This was referenced Apr 24, 2026
Merged
Merged
Merged
Merged
@bolinfest bolinfest force-pushed the pr19394 branch 2 times, most recently from 55c2f31 to 7010512 Compare April 24, 2026 16:47
@bolinfest bolinfest force-pushed the pr19393 branch 2 times, most recently from 2665e60 to 79f119e Compare April 24, 2026 17:05
@bolinfest bolinfest force-pushed the pr19394 branch 2 times, most recently from 5c02727 to 1bdc3bd Compare April 24, 2026 18:08
@bolinfest bolinfest mentioned this pull request Apr 24, 2026
Merged
@bolinfest bolinfest force-pushed the pr19394 branch 2 times, most recently from f044efc to f8fb073 Compare April 24, 2026 19:09
@bolinfest bolinfest force-pushed the pr19393 branch 2 times, most recently from 8171f53 to 4a21ac5 Compare April 24, 2026 20:19
@bolinfest bolinfest force-pushed the pr19393 branch 2 times, most recently from b55d950 to 828b90d Compare April 25, 2026 04:23
@bolinfest bolinfest force-pushed the pr19394 branch 2 times, most recently from af09a5c to 5408197 Compare April 25, 2026 15:57
@bolinfest bolinfest force-pushed the pr19393 branch 2 times, most recently from 66783f3 to d55d33b Compare April 25, 2026 17:25
@bolinfest bolinfest force-pushed the pr19394 branch 2 times, most recently from 7937eb3 to de2513e Compare April 25, 2026 20:48
@bolinfest bolinfest force-pushed the pr19393 branch 2 times, most recently from 0f8b225 to 480c5cb Compare April 25, 2026 22:28
@bolinfest bolinfest force-pushed the pr19394 branch 2 times, most recently from 39d56bc to e422ec7 Compare April 25, 2026 22:46
This was referenced Apr 25, 2026
Merged
Merged
This was referenced Apr 26, 2026
Open
Open
@bolinfest bolinfest mentioned this pull request Apr 26, 2026
Merged
This was referenced Apr 27, 2026
Merged
Merged
Merged
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@viyatb-oai viyatb-oai viyatb-oai approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bolinfest @viyatb-oai