## Summary
This PR adds support for skill-level permissions in .codex/openai.yaml
and wires that through the skill loading pipeline.
## What’s included
1. Added a new permissions section for skills (network, filesystem, and
macOS-related access).
2. Implemented permission parsing/normalization and translation into
runtime permission profiles.
3. Threaded the new permission profile through SkillMetadata and loader
flow.
## Follow-up
A follow-up PR will connect these permission profiles to actual sandbox
enforcement and add user approval prompts for executing binaries/scripts
from skill directories.
## Example
`openai.yaml` snippet:
```
permissions:
network: true
fs_read:
- "./data"
- "./data"
fs_write:
- "./output"
macos_preferences: "readwrite"
macos_automation:
- "com.apple.Notes"
macos_accessibility: true
macos_calendar: true
```
compiled skill permission profile metadata (macOS):
```
SkillPermissionProfile {
sandbox_policy: SandboxPolicy::WorkspaceWrite {
writable_roots: vec![
AbsolutePathBuf::try_from("/ABS/PATH/TO/SKILL/output").unwrap(),
],
read_only_access: ReadOnlyAccess::Restricted {
include_platform_defaults: true,
readable_roots: vec![
AbsolutePathBuf::try_from("/ABS/PATH/TO/SKILL/data").unwrap(),
],
},
network_access: true,
exclude_tmpdir_env_var: false,
exclude_slash_tmp: false,
},
// Truncated for readability; actual generated profile is longer.
macos_seatbelt_permission_file: r#"
(allow user-preference-write)
(allow appleevent-send
(appleevent-destination "com.apple.Notes"))
(allow mach-lookup (global-name "com.apple.axserver"))
(allow mach-lookup (global-name "com.apple.CalendarAgent"))
...
"#.to_string(),
```
codex-core
This crate implements the business logic for Codex. It is designed to be used by the various Codex UIs written in Rust.
Dependencies
Note that codex-core makes some assumptions about certain helper utilities being available in the environment. Currently, this support matrix is:
macOS
Expects /usr/bin/sandbox-exec to be present.
When using the workspace-write sandbox policy, the Seatbelt profile allows
writes under the configured writable roots while keeping .git (directory or
pointer file), the resolved gitdir: target, and .codex read-only.
Network access and filesystem read/write roots are controlled by
SandboxPolicy. Seatbelt consumes the resolved policy and enforces it.
Seatbelt also supports macOS permission-profile extensions layered on top of
SandboxPolicy:
- no extension profile provided:
keeps legacy default preferences read access (
user-preference-read). - extension profile provided with no
macos_preferencesgrant: does not add preferences access clauses. macos_preferences = "readonly": enables cfprefs read clauses anduser-preference-read.macos_preferences = "readwrite": includes readonly clauses plususer-preference-writeand cfprefs shm write clauses.macos_automation = true: enables broad Apple Events send permissions.macos_automation = ["com.apple.Notes", ...]: enables Apple Events send only to listed bundle IDs.macos_accessibility = true: enablescom.apple.axservermach lookup.macos_calendar = true: enablescom.apple.CalendarAgentmach lookup.
Linux
Expects the binary containing codex-core to run the equivalent of codex sandbox linux (legacy alias: codex debug landlock) when arg0 is codex-linux-sandbox. See the codex-arg0 crate for details.
All Platforms
Expects the binary containing codex-core to simulate the virtual apply_patch CLI when arg1 is --codex-run-as-apply-patch. See the codex-arg0 crate for details.