Files
codex/codex-rs
T
canvrno-oai 8534912df9 Show effective sandbox modes in /debug-config (#27068)
## Summary
- Render `/debug-config`'s `allowed_sandbox_modes` from the finalized
permission constraints instead of the raw requirements list.
- Add regression coverage for configured full-access and external
sandbox modes being omitted when effective permissions reject them.

## Details
`allowed_sandbox_modes` comes from managed requirements, but the final
permissions can be further constrained by derived validation rules. For
example, `permissions.filesystem.deny_read` requires sandbox
enforcement, so modes that disable or externalize Codex's sandbox are
not actually usable even if they were present in the raw requirements
TOML.

The debug renderer now enumerates the configured sandbox-mode labels and
keeps only those accepted by `Config.permissions`. That makes
`/debug-config` reflect the same effective permission-profile constraint
path used by runtime config validation, while preserving the existing
source/provenance display.

## Validation
- Added a regression test for effective sandbox-mode filtering in
`/debug-config`.
8534912df9 ยท 2026-06-08 17:03:52 -07:00
History
..
2026-06-08 16:33:41 -07:00
2026-05-18 21:33:05 -07:00
2026-04-24 17:49:29 -07:00
2026-06-08 16:33:41 -07:00
2026-06-08 16:33:41 -07:00
2026-06-04 09:16:03 -07:00