fix(permissions): preserve managed deny-read during escalation

[viyatb-oai]

Why

Managed filesystem deny_read requirements are administrator-enforced restrictions on specific paths. Once those requirements are active, Codex should not drop them just because an execution path would otherwise leave the sandbox.

Before this change, an explicit escalation, a prefix-rule allow, a sandbox-denial retry, or an app-server legacy sandbox override could rebuild the runtime policy without those managed read-deny entries and expose a path the administrator had marked unreadable.

This is narrower than general sandbox-mode constraints. If an enterprise only sets allowed_sandbox_modes, a trusted prefix_rule(..., decision = "allow") can still run its matching command unsandboxed; this PR only preserves managed filesystem deny_read restrictions across those paths.

What Changed

• Mark filesystem policies built from managed deny_read requirements so callers can tell when those deny entries must survive escalation.
• Preserve managed deny-read entries when runtime permission profiles are rebuilt through protocol, app-server, or legacy sandbox-policy compatibility paths.
• Keep managed deny-read attempts inside the selected sandbox on the first attempt and after sandbox-denial retries.
• Preserve the same behavior in the zsh-fork escalation path, including prefix-rule-driven escalation.
• Add a regression test showing the opposite case too: without managed deny-read, a prefix-rule allow still chooses unsandboxed execution.

Verification

Targeted automated verification:

cargo test -p codex-core shell_request_escalation_execution_is_explicit -- --nocapture
cargo test -p codex-core prefix_rule_uses_unsandboxed_execution_without_managed_deny_read -- --nocapture
cargo test -p codex-core prefix_rule_preserves_managed_deny_read_escalation -- --nocapture
cargo test -p codex-protocol permission_profile_round_trip_preserves_filesystem_policy_metadata -- --nocapture
cargo test -p codex-protocol preserving_deny_entries_keeps_unrestricted_policy_enforceable -- --nocapture
cargo test -p codex-app-server-protocol permission_profile_file_system_permissions_preserves_policy_metadata -- --nocapture
cargo check -p codex-app-server -p codex-tui

Smoke-test invocations:

# macOS exact deny + allowed control
codex exec --skip-git-repo-check -C "$ROOT" \
  -c 'default_permissions="deny_read_smoke"' \
  -c 'permissions.deny_read_smoke.filesystem={":minimal"="read",":project_roots"={"."="write","secrets"="none","future-secret"="none","**/*.env"="none"}}' \
  'Run shell commands only. Print the contents of allowed.txt. Then test whether reading secrets/exact-secret.txt succeeds without printing that file if it does. End with exactly two lines: allowed=<contents> and exact_secret=<BLOCKED or READABLE>.'

# Linux exact deny + allowed control
codex exec --skip-git-repo-check -C "$ROOT" \
  -c 'default_permissions="deny_read_smoke"' \
  -c 'permissions.deny_read_smoke.filesystem={":minimal"="read",glob_scan_max_depth=3,":project_roots"={"."="write","secrets"="none","future-secret"="none","**/*.env"="none"}}' \
  'Run shell commands only. Print the contents of allowed.txt. Then test whether reading secrets/exact-secret.txt succeeds without printing that file if it does. End with exactly two lines: allowed=<contents> and exact_secret=<BLOCKED or READABLE>.'

Observed manual smoke matrix:

Case	macOS Seatbelt	Linux bubblewrap
cat allowed.txt	Pass	Pass
cat secrets/exact-secret.txt	Blocked	Blocked
cat envs/root.env	Blocked	Blocked
cat envs/nested/one.env	Blocked	Blocked
cat envs/nested/two.env	Blocked	Blocked
cat alias-to-secrets/exact-secret.txt	Blocked	Blocked
Missing denied path	A file created after sandbox setup remained unreadable	Creation was blocked by the reserved missing-path placeholder, and the placeholder was cleaned up after exit
Real codex exec shell turn	Pass	Pass

Notes:

• The Linux smoke run used the fallback glob walker because the devbox did not have rg installed.
• The smoke matrix verifies the end-to-end filesystem behavior on macOS and Linux; the escalation-specific behavior is covered by the focused tests above.

[github-actions]

Closing this pull request because it has had no updates for more than 14 days. If you plan to continue working on it, feel free to reopen or open a new PR.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a5d463d15e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".