permissions: derive config defaults as profiles

[bolinfest]

Why

This continues the permissions migration by making legacy config default resolution produce the canonical PermissionProfile first. The legacy SandboxPolicy projection should stay available at compatibility boundaries, but config loading should not create a legacy policy just to immediately convert it back into a profile.

Specifically, when default_permissions is not specified in config.toml, instead of creating a SandboxPolicy in codex-rs/core/src/config/mod.rs and then trying to derive a PermissionProfile from it, we use derive_permission_profile() to create a more faithful PermissionProfile using the values of ConfigToml directly.

This also keeps the existing behavior of sandbox_workspace_write and extra writable roots after #19841 replaced :cwd with :project_roots. Legacy workspace-write defaults are represented as symbolic :project_roots write access plus symbolic project-root metadata carveouts. Extra absolute writable roots are still added directly and continue to get concrete metadata protections for paths that exist under those roots.

The platform sandboxes differ when a symbolic project-root subpath does not exist yet.

• Seatbelt can encode literal/subpath exclusions directly, so macOS emits project-root metadata subpath policies even if .git, .agents, or .codex do not exist.
• bwrap has to materialize bind-mount targets. Binding /dev/null to a missing .git can create a host-visible placeholder that changes Git repo discovery. Binding missing .agents would not affect Git discovery, but it would still create a host-visible project metadata placeholder from an automatic compatibility carveout. Linux therefore skips only missing automatic .git and .agents read-only metadata masks; missing .codex remains protected so first-time project config creation goes through the protected-path approval flow. User-authored read and none subpath rules keep normal bwrap behavior, and none can still mask the first missing component to prevent creation under writable roots.

What Changed

• Adds profile-native helpers for legacy workspace-write semantics, including PermissionProfile::workspace_write_with(), FileSystemSandboxPolicy::workspace_write(), and FileSystemSandboxPolicy::with_additional_legacy_workspace_writable_roots().
• Makes FileSystemSandboxPolicy::workspace_write() the single legacy workspace-write constructor so both from_legacy_sandbox_policy() and From<&SandboxPolicy> include the project-root metadata carveouts.
• Removes the no-carveout legacy_workspace_write_base_policy() path and the prune_read_entries_under_writable_roots() cleanup that was only needed by that split construction.
• Adds ConfigToml::derive_permission_profile() for legacy sandbox-mode fallback resolution; named default_permissions profiles continue through the permissions profile pipeline instead of being reconstructed from sandbox_mode.
• Updates Config::load() to start from the derived profile, validate that it still has a legacy compatibility projection, and apply additional writable roots directly to managed workspace-write filesystem policies.
• Updates Linux bwrap argument construction so missing automatic .git/.agents symbolic project-root read-only carveouts are skipped before emitting bind args; missing .codex, user-authored read/none subpath rules, and existing missing writable-root behavior are preserved.
• Adds coverage that legacy workspace-write config produces symbolic project-root metadata carveouts, extra legacy workspace writable roots still protect existing metadata paths such as .git, and bwrap skips missing .git/.agents project-root carveouts while preserving missing .codex and user-authored missing subpath rules.

---

Stack created with Sapling. Best reviewed with ReviewStack.

• permissions: store thread sessions as profiles #19776
• permissions: derive snapshot sandbox projections #19775
• permissions: make SessionConfigured profile-only #19774
• permissions: require profiles in TUI thread state #19773
• -> permissions: derive config defaults as profiles #19772

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f858b35bc1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restore cwd projection for legacy sandbox defaults

Converting legacy sandbox_mode defaults with permission_profile.to_runtime_permissions() changes workspace-write behavior: PermissionProfile::workspace_write() carries unconditional project_roots(".git") / project_roots(".agents") read rules, so ${cwd}/.git and ${cwd}/.agents become read-only even when they do not exist yet. The previous path (from_legacy_sandbox_policy_for_cwd) only added those carveouts when present on disk (except .codex), so operations like git init in a fresh directory could create .git. This regression can block common write flows under legacy workspace-write configs.

Useful? React with 👍 / 👎.

[bolinfest]

Addressed in c70c0f5c94. Config loading now projects the derived profile through to_legacy_sandbox_policy(resolved_cwd) and rehydrates it with PermissionProfile::from_legacy_sandbox_policy_for_cwd(...), so legacy workspace-write keeps the cwd-aware .git / .agents behavior. Coverage includes legacy_sandbox_mode_builds_profiles_with_compatible_projection and with_additional_legacy_workspace_writable_roots_protects_metadata.