core: refresh active permission profiles at runtime #22931

Merged: viyatb-oai merged 11 commits into main from codex/viyatb/profile-permissions-runtime on May 20, 2026


@viyatb-oai viyatb-oai commented May 15, 2026

Why

Once a named permission profile is selected, runtime state has to keep that profile identity intact instead of collapsing back to anonymous effective permissions. The session refresh path also needs to rebuild profile-derived network proxy state so active profile switches take effect consistently.

What changed

  • Preserve the active permission profile through session updates.
  • Rebuild profile-derived runtime/network configuration when the active profile changes.
  • Keep the runtime path aligned with the current session configuration APIs.
  • Tighten the affected tests, including the Windows delete-pending memory-file case that was intermittently tripping CI.

Stack

  1. This PR: runtime/session/network propagation for active permission profiles.
  2. #23708: TUI selection plumbing and guardrail flow.
  3. #21559: profile-aware /permissions menu and custom profile display.

@viyatb-oai viyatb-oai requested a review from a team as a code owner May 15, 2026 23:54
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/profile-permissions-config branch from 7335c4a to a48a30d Compare May 18, 2026 17:57
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/profile-permissions-runtime branch from 96866bc to 5efda09 Compare May 18, 2026 17:57
viyatb-oai added a commit that referenced this pull request May 19, 2026
## Why

The `/permissions` picker needs a config-level way to distinguish legacy
anonymous presets from named permission-profile mode. That signal cannot
be inferred reliably in the TUI, especially for the edge case where
`default_permissions = ":workspace"` is present without a
`[permissions]` table.

## What changed

- Expose whether the merged config is explicitly in permission-profile
mode.
- Expose the configured custom permission profile IDs alongside the
built-in profile semantics.
- Add regression coverage for profile mode detection and custom profile
metadata, including the `default_permissions = ":workspace"` case.
- Update the thread-manager sample config literal to match the expanded
config shape.

## Stack

1. **This PR**: config metadata needed by downstream permission-profile
consumers.
2. [#22931](#22931): refresh active
permission profiles through runtime/session/network state.
3. [#21559](#21559): switch
`/permissions` to the profile-aware TUI picker.

## Verification

- `cargo check -p codex-thread-manager-sample`
- `cargo test -p codex-core default_permissions_can_select_builtin_profile_without_permissions_table`
- `cargo test -p codex-core permissions_profiles_allow_direct_write_roots_outside_workspace_root`
Base automatically changed from codex/viyatb/profile-permissions-config to main May 19, 2026 06:26
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/profile-permissions-runtime branch 2 times, most recently from 98b8aab to 6d4a8df Compare May 20, 2026 04:22
@etraut-openai etraut-openai left a comment

Overall code looks good. I left one question, and there's one codex-caught issue below.

I built and manually tested affected code paths in TUI using a test config file.

I ran a local code review with codex, and it spotted one potential problem that may be worth looking at. In turn_context.rs line 566, it performs an equality check to compare two PermissionProfiles. Two named profiles can compile to the same PermissionProfile while having different network proxy URLs/domains, so selecting the second profile rebuilds session config but skips the live proxy refresh.

Example config for repro:

```toml
[permissions.web-a.filesystem]
":minimal" = "read"
[permissions.web-a.network]
enabled = true
proxy_url = "http://127.0.0.1:1111"

[permissions.web-b.filesystem]
":minimal" = "read"
[permissions.web-b.network]
enabled = true
proxy_url = "http://127.0.0.1:2222"
```
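
The stale-proxy condition described in the review above, modeled as an added Rust example (not code from this PR or from codex-rs): the types, `changed_by_permissions`, `changed_by_identity` and `switch_a_to_b` are hypothetical, and the two profiles are constructed from the repro config. It shows a permissions-only comparison leaving the running proxy on the previous profile's URL after the switch, while a comparison that also looks at profile id and proxy URL triggers the rebuild.

```rust
// Hypothetical, simplified model; none of these types are the codex-rs definitions.
#[derive(Clone, PartialEq, Eq)]
struct CompiledPermissions {
    filesystem: Vec<(String, String)>, // (selector, access), e.g. (":minimal", "read")
    network_enabled: bool,
}
#[derive(Clone)]
struct NamedProfile {
    id: String,
    compiled: CompiledPermissions,
    proxy_url: Option<String>, // not part of `compiled` in this model
}
type ChangeCheck = fn(&NamedProfile, &NamedProfile) -> bool;

// Compares only the compiled permissions, the shape of check the review flags.
fn changed_by_permissions(old: &NamedProfile, new: &NamedProfile) -> bool {
    old.compiled != new.compiled
}
// Also treats a different profile id or proxy URL as a change.
fn changed_by_identity(old: &NamedProfile, new: &NamedProfile) -> bool {
    old.id != new.id || old.proxy_url != new.proxy_url || old.compiled != new.compiled
}

// Constructed profiles mirroring the web-a / web-b repro config.
fn profile(id: &str, proxy: &str) -> NamedProfile {
    let filesystem = vec![(":minimal".to_string(), "read".to_string())];
    let compiled = CompiledPermissions { filesystem, network_enabled: true };
    NamedProfile { id: id.to_string(), compiled, proxy_url: Some(proxy.to_string()) }
}

// Switch web-a -> web-b; returns (active profile id, proxy URL still in use).
fn switch_a_to_b(changed: ChangeCheck) -> (String, Option<String>) {
    let mut active = profile("web-a", "http://127.0.0.1:1111");
    let mut live_proxy_url = active.proxy_url.clone(); // what the running proxy uses
    let next = profile("web-b", "http://127.0.0.1:2222");
    if changed(&active, &next) {
        live_proxy_url = next.proxy_url.clone(); // stands in for the proxy rebuild
    }
    active = next; // session config is updated either way
    (active.id, live_proxy_url)
}

fn main() {
    println!("permissions-only: {:?}", switch_a_to_b(changed_by_permissions));
    println!("identity-aware:   {:?}", switch_a_to_b(changed_by_identity));
}
```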

Comment thread codex-rs/memories/write/src/startup_tests.rs Outdated
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/profile-permissions-runtime branch from e0764d3 to 923b79d Compare May 20, 2026 21:01
Co-authored-by: Codex noreply@openai.com
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/profile-permissions-runtime branch from 923b79d to 9badcc1 Compare May 20, 2026 21:04
@viyatb-oai viyatb-oai enabled auto-merge (squash) May 20, 2026 21:12
@viyatb-oai viyatb-oai merged commit 40ad7be into main May 20, 2026
31 checks passed
@viyatb-oai viyatb-oai deleted the codex/viyatb/profile-permissions-runtime branch May 20, 2026 21:55
@github-actions github-actions Bot locked and limited conversation to collaborators May 20, 2026