Propagate runtime permission profiles #19849

Draft
evawong-oai wants to merge 1 commit into codex/bugb15632-preserved-path-preflight from codex/bugb15632-runtime-permissions

@evawong-oai commented Apr 27, 2026

Summary

Propagate active runtime permission profiles through embedded turn start paths so later sandbox checks use the current policy.

Scope

  1. Pass runtime permission profiles through thread routing.
  2. Preserve legacy sandbox behavior for remote turns.
  3. Add focused coverage for embedded and remote turn start cases.

Reviewer Focus

  1. This PR is separate because it updates active session permission flow, not platform sandbox implementation.
  2. Embedded turns should receive the active runtime profile when one exists.
  3. Remote turns should keep the existing legacy sandbox behavior.

Stack

  1. Policy primitive: Add workspace metadata protection policy primitive #19846
  2. macOS Seatbelt enforcement: Enforce workspace metadata protections in Seatbelt #19847
  3. Shell preflight UX: Add workspace metadata shell preflight #19848
  4. Runtime permission propagation: this PR
  5. Linux bubblewrap enforcement: Enforce workspace metadata protections in Linux sandbox #19852

Validation

  1. cargo test --manifest-path codex-rs/Cargo.toml -p codex-tui app_server_session
  2. cargo test --manifest-path codex-rs/Cargo.toml -p codex-tui thread_routing
  3. cargo fmt --manifest-path codex-rs/Cargo.toml --package codex-tui

@evawong-oai force-pushed the codex/bugb15632-runtime-permissions branch from 05f4eb2 to f23239c on April 27, 2026 18:16
@evawong-oai force-pushed the codex/bugb15632-preserved-path-preflight branch from fca3989 to 1bc0b13 on April 27, 2026 18:32
@evawong-oai force-pushed the codex/bugb15632-runtime-permissions branch 2 times, most recently from 2e4f779 to 774934a on April 27, 2026 18:40
@evawong-oai force-pushed the codex/bugb15632-preserved-path-preflight branch 2 times, most recently from 2b511ae to b0df7b1 on April 27, 2026 18:55
@evawong-oai force-pushed the codex/bugb15632-runtime-permissions branch from 774934a to 21cfe9c on April 27, 2026 18:55
@evawong-oai force-pushed the codex/bugb15632-preserved-path-preflight branch from b0df7b1 to e76a989 on April 27, 2026 19:07
@evawong-oai force-pushed the codex/bugb15632-runtime-permissions branch from 21cfe9c to 4e95f07 on April 27, 2026 19:07
@evawong-oai force-pushed the codex/bugb15632-preserved-path-preflight branch from e76a989 to 6c3c566 on April 27, 2026 19:48
@evawong-oai force-pushed the codex/bugb15632-runtime-permissions branch 2 times, most recently from 5f6cf03 to a73dc93 on April 27, 2026 20:52
@evawong-oai force-pushed the codex/bugb15632-preserved-path-preflight branch from 6c3c566 to 669222a on April 27, 2026 20:52
@evawong-oai force-pushed the codex/bugb15632-runtime-permissions branch from a73dc93 to f483023 on April 27, 2026 21:14
@evawong-oai force-pushed the codex/bugb15632-preserved-path-preflight branch 2 times, most recently from a1666bf to 427c425 on April 27, 2026 22:22
@evawong-oai force-pushed the codex/bugb15632-runtime-permissions branch 2 times, most recently from 9d4f283 to 4db4407 on April 28, 2026 00:10
@evawong-oai force-pushed the codex/bugb15632-preserved-path-preflight branch from 427c425 to 5259804 on April 28, 2026 00:10
@evawong-oai force-pushed the codex/bugb15632-runtime-permissions branch from 4db4407 to e8365c7 on April 28, 2026 01:10
@evawong-oai force-pushed the codex/bugb15632-preserved-path-preflight branch from 5259804 to f9a5bc4 on April 28, 2026 01:10