
feat(permissions): resolve permission profile inheritance #22270

Merged
viyatb-oai merged 4 commits into main from codex/permissions-profile-extends
May 20, 2026

@viyatb-oai
Collaborator

@viyatb-oai viyatb-oai commented May 12, 2026

Stack

This is the foundation PR for the permission-profile inheritance stack.

Why

Permission profiles are starting to carry enough policy that copy-pasting near-identical definitions becomes hard to review and easy to drift. Before the runtime can consume inherited profiles, the config layer needs one explicit resolver that can merge parent chains and reject unsafe or invalid inheritance shapes.

What changed

  • Add `extends` to permission-profile TOML and resolve parent chains in inheritance order.
  • Merge inherited profile TOML with the existing config merge behavior while preserving the permission-specific normalization needed for network domain keys.
  • Keep parent descriptions out of resolved child profiles and record inherited profile names separately for downstream consumers.
  • Reject undefined parents, unsupported built-in parents, and inheritance cycles with targeted errors.
  • Cover resolver behavior with TOML fixture tests and refresh the generated config schema.

Validation

  • `cargo test -p codex-config`
  • `cargo test -p codex-core permissions_profiles_`
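
The resolver behaviour listed under "What changed", as an added sketch that is not code from this PR or from the Codex repository: it walks the `extends` chain, rejects undefined parents, unsupported built-in parents and cycles, applies settings so child keys override parent keys, keeps only the selected profile's description, and records the inherited names separately. The `Profile`, `Resolved` and `ResolveError` types, the flattened settings map, and the treatment of `:read-only` and `:workspace` as the only extendable built-ins are assumptions for illustration; the network domain key normalization is not modelled.

```rust
use std::collections::BTreeMap;

// Hypothetical, simplified shapes; the PR's real types are not shown on this page.
#[derive(Debug, Default)]
pub struct Profile {
    pub extends: Option<String>,
    pub description: Option<String>,
    pub settings: BTreeMap<String, String>, // flattened "table.key" -> value
}
#[derive(Debug, PartialEq)]
pub enum ResolveError { Undefined(String), UnsupportedBuiltin(String), Cycle(Vec<String>) }
#[derive(Debug, PartialEq)]
pub struct Resolved {
    pub description: Option<String>,
    pub inherited: Vec<String>, // nearest parent first
    pub settings: BTreeMap<String, String>,
}
// Assumption: ':'-prefixed names are built-ins; only these may be extended, and they end the chain.
const BUILTIN_PARENTS: [&str; 2] = [":read-only", ":workspace"];

pub fn resolve(profiles: &BTreeMap<String, Profile>, name: &str) -> Result<Resolved, ResolveError> {
    let mut chain = vec![name.to_string()]; // selected profile, then each ancestor
    let mut layers: Vec<&Profile> = Vec::new();
    loop {
        let cur = chain.last().unwrap();
        let profile = profiles.get(cur).ok_or_else(|| ResolveError::Undefined(cur.clone()))?;
        layers.push(profile);
        let Some(parent) = profile.extends.clone() else { break };
        let seen = chain.contains(&parent);
        chain.push(parent.clone());
        if seen { return Err(ResolveError::Cycle(chain)); } // report the full loop
        if parent.starts_with(':') {
            if BUILTIN_PARENTS.contains(&parent.as_str()) { break; }
            return Err(ResolveError::UnsupportedBuiltin(parent));
        }
    }
    let mut settings: BTreeMap<String, String> = BTreeMap::new();
    for layer in layers.iter().rev() {
        settings.extend(layer.settings.clone()); // root ancestor first, so child keys win
    }
    // Only the selected profile's own description survives; parents' are dropped.
    Ok(Resolved { description: layers[0].description.clone(), inherited: chain[1..].to_vec(), settings })
}

fn main() {
    // Constructed sample: "ci" extends "base", which extends built-in ":workspace".
    let mk = |parent: &str| Profile { extends: Some(parent.into()), ..Default::default() };
    let p = BTreeMap::from([("base".to_string(), mk(":workspace")), ("ci".to_string(), mk("base"))]);
    println!("{:?}", resolve(&p, "ci"));
}
```

Returning the whole chain in the cycle error lets a reviewer see which profile closes the loop instead of only learning that one exists.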

@viyatb-oai viyatb-oai force-pushed the codex/permissions-profile-extends branch from 6d6f15c to b129da1 Compare May 12, 2026 07:38
@viyatb-oai viyatb-oai changed the title [codex] Support permissions profile extends [codex] Support inheritable permissions profiles May 12, 2026
@viyatb-oai viyatb-oai marked this pull request as ready for review May 12, 2026 19:23
@viyatb-oai viyatb-oai requested a review from a team as a code owner May 12, 2026 19:23
@viyatb-oai viyatb-oai requested a review from bolinfest May 12, 2026 19:23
Contributor

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a8a8ed4dff


Comment thread codex-rs/core/src/network_proxy_loader.rs Outdated
@viyatb-oai viyatb-oai changed the title [codex] Support inheritable permissions profiles feat(permissions): support inheritable permissions profiles May 12, 2026
@viyatb-oai viyatb-oai force-pushed the codex/permissions-profile-extends branch from a8a8ed4 to c2cd30a Compare May 19, 2026 05:59
Comment thread codex-rs/config/src/permissions_toml.rs
@viyatb-oai viyatb-oai changed the title feat(permissions): support inheritable permissions profiles feat(permissions): support inheritable permission profiles May 19, 2026
@viyatb-oai viyatb-oai force-pushed the codex/permissions-profile-extends branch from c2cd30a to e5dc91a Compare May 20, 2026 03:28
Comment thread codex-rs/config/src/permissions_toml.rs
Comment thread codex-rs/config/src/permissions_toml.rs Outdated
Comment thread codex-rs/config/src/permissions_toml.rs Outdated
Comment thread codex-rs/config/src/permissions_toml.rs Outdated
Comment thread codex-rs/config/src/permissions_toml.rs Outdated
Comment thread codex-rs/core/src/config/mod.rs Outdated
Comment thread codex-rs/core/src/config/permissions.rs Outdated
Comment thread codex-rs/core/src/config/permissions.rs Outdated
Comment thread codex-rs/core/src/config/permissions_tests.rs Outdated
Comment thread codex-rs/core/src/config/permissions_tests.rs Outdated
@viyatb-oai viyatb-oai force-pushed the codex/permissions-profile-extends branch from 1130a3c to 3440740 Compare May 20, 2026 15:14
@viyatb-oai viyatb-oai changed the title feat(permissions): support inheritable permission profiles feat(permissions): resolve permission profile inheritance May 20, 2026
Collaborator

@bolinfest bolinfest left a comment


Thanks for splitting things up and changing the merge logic: this is much easier to follow!

Comment thread codex-rs/config/src/permissions_toml.rs
Comment thread codex-rs/config/src/permissions_toml.rs
bolinfest pushed a commit that referenced this pull request May 20, 2026
## Stack

This PR is stacked on #22270. Review #22270 first for the config-level
`extends` resolver and merge semantics; this follow-up contains the
runtime and protocol wiring on top of that foundation.

## Why

The resolver in #22270 makes inherited permission profiles well-defined
in config, but selected profiles still need to flow through runtime
permission compilation, network-proxy selection, and the active-profile
metadata exposed to clients. This PR keeps that integration separate
from the inheritance rules themselves so each diff has a narrower review
surface.

## What changed

- Resolve selected custom permission profiles before compiling runtime
sandbox and network policy, including supported built-in baselines such
as `:read-only` and `:workspace`.
- Preserve the selected profile's `extends` metadata on the active
permission profile while the resolved permissions drive runtime
behavior.
- Update network proxy profile loading so built-in defaults and
inherited custom profiles select the effective network policy
consistently.
- Add runtime coverage for built-in extension baselines, active-profile
metadata, and network-proxy selection.
- Refresh app-server protocol comments and generated schema/TypeScript
fixtures for the now-active `extends` field.

## Validation

Run on the full inheritance stack before the PR split:

- `cargo test -p codex-config`
- `cargo test -p codex-core permissions_profiles_`
- `cargo test -p codex-core selected_network_from_tables_`
- `cargo test -p codex-core
default_permissions_profile_can_extend_builtin_workspace`
Co-authored-by: Codex noreply@openai.com
@viyatb-oai viyatb-oai force-pushed the codex/permissions-profile-extends branch from 7155129 to 4be6e4d Compare May 20, 2026 19:37
@viyatb-oai viyatb-oai enabled auto-merge (squash) May 20, 2026 19:40
Co-authored-by: Codex noreply@openai.com
@viyatb-oai viyatb-oai merged commit fe7c069 into main May 20, 2026
31 checks passed
@viyatb-oai viyatb-oai deleted the codex/permissions-profile-extends branch May 20, 2026 20:12
@github-actions github-actions Bot locked and limited conversation to collaborators May 20, 2026
2 participants