windows-sandbox: accept permission profiles from callers

[bolinfest]

Why

The TUI had to create legacy SandboxPolicy values before asking the Windows sandbox setup and world-writable scan helpers to run. That kept legacy conversion logic in UI code even though the Windows sandbox backend is the only consumer that still needs the legacy policy JSON.

This continues the permissions migration by making core's Windows sandbox boundary accept PermissionProfile directly and localizing the compatibility projection inside that boundary.

What changed

• Updated codex_core::windows_sandbox setup/preflight/read-root refresh helpers to take PermissionProfile instead of SandboxPolicy.
• Added a core wrapper for apply_world_writable_scan_and_denies() that takes a PermissionProfile and derives the legacy policy internally.
• Removed TUI-side legacy policy construction from Windows elevated setup, legacy setup preflight, and world-writable scan paths.
• Removed a duplicate compatibility projection from windows_sandbox_read_grants.

Verification

• cargo check -p codex-core -p codex-tui --tests
• just fix -p codex-core
• just fix -p codex-tui

---

Stack created with Sapling. Best reviewed with ReviewStack.

• windows-sandbox: isolate allow path computation from legacy policy #20469
• docs: avoid stale SandboxPolicy references #20468
• config tests: assert sandbox-mode fallbacks via profiles #20467
• config tests: assert permission profile runtime state #20466
• config tests: derive permission profiles directly #20465
• tui tests: assert permission profiles directly #20459
• config: gate legacy writable roots from profiles #20456
• -> windows-sandbox: accept permission profiles from callers #20455
• exec: localize legacy Windows sandbox projection #20452
• session: stop exposing legacy sandbox policy #20450
• protocol: remove legacy sandbox turn-context overrides #20449
• protocol: drop legacy sandbox from user turns #20446
• protocol: require permission profiles for user turns #20441
• protocol: canonicalize turn context permissions #20440
• session: localize legacy sandbox turn fallback #20438
• rollout-trace: record permission profiles #20436
• protocol: make user-turn sandbox policy optional #20433
• session: tag turns with permission profiles #20432
• core tests: submit turns with permission profiles #20431
• turn-context: stop writing legacy sandbox policy #20430
• app-server: normalize command sandbox overrides as profiles #20429
• app-server: validate turn sandbox overrides as profiles #20428
• session: convert legacy sandbox updates before settings apply #20426
• sandboxing: exercise seatbelt with runtime policies #20424
• app-server: compare resume sandbox from permission profile #20423
• mcp: send sandbox metadata as permission profile only #20422
• thread-store: stop exposing legacy sandbox policy #20421
• tui: centralize legacy sandbox projection #20420
• test support: derive turn sandbox from permission profiles #20414
• windows setup: derive sandbox from permission profile #20412
• exec tests: derive thread sandbox from profile #20411
• windows read grants: accept permission profiles #20410
• session tests: configure permissions with profiles #20409
• analytics tests: derive sandbox fixtures from profiles #20408
• approval tests: configure scenarios with permission profiles #20407
• tui: hydrate thread permissions from profiles #20406
• rollout tests: seed turn contexts from permission profiles #20404
• state: extract rollout permissions from profiles #20403
• state: derive metadata sandbox from permission profiles #20401
• otel: report conversation permissions from profiles #20400
• protocol: drop cwd-less legacy profile constructor #20398
• app-server-test-client: select permission profiles by name #20397
• session tests: configure runtime permissions directly #20396
• tests: mutate spawn-agent permission profile directly #20394
• app-server tests: select turn permission profiles by name #20393
• file-system: drop unused legacy sandbox constructor #20390
• tests: use disabled profile in exec capture check #20389
• tests: use profile constructors in config checks #20388
• tests: use permission profiles in multi-agent config checks #20387
• tests: remove sandbox policy fixture from rollout trace #20386
• tests: use permission profiles in session network checks #20384
• tests: use permission profiles in config loader checks #20382
• tests: submit websocket turns with permission profiles #20381
• tests: use permission profiles in exec policy checks #20380
• tests: use permission profiles in request permission suite #20378
• tests: use permission profiles in unified exec suite #20376
• core: use permission profiles in small read-only contexts #20375
• exec tests: launch sandbox cases from permission profiles #20372
• tests: use permission profiles in suite turn submits #20370
• guardian: configure review session permissions directly #20369
• tests: use permission profiles in small core fixtures #20368
• exec-server: use permission profiles in file system handler tests #20367
• memories: configure consolidation permissions directly #20365
• analytics: distinguish custom managed permission profiles #20363
• tests: use permission profiles in guardian config checks #20362
• tests: use permission profiles in unix escalation checks #20360
• tests: use permission profiles in patch safety checks #20359
• tests: use permission profiles in tool sandbox tests #20358
• tests: use permission profile fixtures in config checks #20357
• core: build permission instructions from profiles only #20356
• utils: summarize permission profiles directly #20355
• tests: copy plugin stdio server before launch #20373

[chatgpt-codex-connector]

💡 Codex Review

codex/codex-rs/app-server/src/codex_message_processor.rs

Line 9584 in bb346d3

let sandbox_cwd = cwd.unwrap_or(snapshot.cwd.as_path());

Normalize turn cwd before projecting legacy sandbox policy

When turn/start uses legacy sandboxPolicy plus a relative cwd, this helper passes the raw relative path into from_legacy_sandbox_policy_preserving_deny_entries. That conversion only applies workspace default protected subpaths when cwd is absolute, so relative overrides can skip expected deny carveouts (for example under the workdir) and produce a looser PermissionProfile than before. Prior behavior normalized cwd in core before projecting legacy policy, so this is a regression for relative-cwd callers.

---

codex/codex-rs/core/src/session/session.rs

Line 196 in bb346d3

if let Some(permission_profile) = updates.permission_profile.clone() {

Preserve legacy sandbox overrides when permission profile is absent

After removing sandbox_policy from Op::UserInputWithTurnContext/OverrideTurnContext, older payloads that still send only sandbox_policy deserialize with permission_profile = None (unknown fields are ignored), and this update path now becomes a no-op because settings changes are applied only when permission_profile is Some. In mixed-version scenarios, sandbox overrides are silently dropped and the previous session permissions remain active.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".