Celia Chen

This commit performs a significant **refactoring** of the **network permissions** system, transitioning from legacy allow/deny lists to explicit, typed rule maps for domains and Unix sockets. This change impacts the **app server protocol**, **configuration loading and merging**, **permissions profiles**, and the **network proxy's runtime enforcement**, establishing a single source of truth for network policy. The new model enhances clarity and consistency in how rules are defined, merged, and applied across the system. While **managed requirements** and **App-server v2** maintain backward compatibility by normalizing legacy inputs, **permissions profiles** now strictly require the new map-based format, necessitating updates to existing configurations and **documentation**.

This commit implements a **bug fix** within the **authentication system** to prevent "refresh storms" caused by repeated token refresh attempts after a permanent failure. The `AuthManager` (`codex-rs/login/src/auth/manager.rs`) now "poisons" the in-memory auth snapshot when a refresh permanently fails for an unchanged `AuthDotJson`, ensuring subsequent refresh attempts for that snapshot fail fast locally. This change affects the **app server's `getAuthStatus`** (`codex-rs/app-server/src/codex_message_processor.rs`) by causing it to omit `authToken` after such a failure. This significantly improves system robustness, reduces unnecessary network traffic, and avoids immediate user logout without breaking existing API contracts or requiring client-side changes.

This commit **enhances the proactive authentication refresh mechanism** for the **ChatGPT integration** by making it more reliable. It modifies the `is_token_refresh_needed` function within the **authentication manager** (`codex-rs/login/src/auth/manager.rs`) to prioritize checking the access token's **JWT expiration timestamp** over the previous `last_refresh` age. This **feature improvement** introduces new utilities in `codex-rs/login/src/token_data.rs` for decoding JWT payloads and parsing expiration claims, ensuring tokens are refreshed closer to their actual expiry. The change includes **updated and new test cases** across `codex-rs/core/tests/suite/auth_refresh.rs` and `codex-rs/login/src/token_data_tests.rs` to validate the new logic and parsing capabilities.

This commit delivers a **bug fix** to the **authentication system** by resolving an issue where stale `codexd` processes could proactively attempt to refresh tokens using outdated in-memory state. The `AuthManager::auth()` method in `codex-rs/login/src/auth/manager.rs` now reuses the existing guarded `refresh_token()` flow, ensuring that authentication state is reloaded from disk before any proactive refresh. This change prevents repeated refresh failures and noisy `ERROR` logs, significantly improving **multi-process stability** and ensuring **consistent authentication state** across different `codexd` instances. New regression tests in `codex-rs/core/tests/suite/auth_refresh.rs` validate this robust behavior.

This commit **fixes** a critical issue within the **filesystem sandboxing mechanism** that prevented **Codex's runtime-managed helper executables** from being read under restricted permission profiles. It introduces implicit readable roots for the configured `zsh` helper path and the main `execve` wrapper, and allowlists the shared `$CODEX_HOME/tmp/arg0` root to ensure session-specific helper paths work. This **bug fix** enhances the stability and usability of Codex for users employing strict security configurations by preventing "operation not permitted" errors. The `FileSystemSandboxPolicy` in `codex-rs/protocol` is updated with new methods like `with_additional_readable_roots` to manage these permissions, while `codex-rs/core` handles the configuration logic. New regression tests are also added to cover restricted read mode with helper executable overrides.

This commit introduces a **new capability** to define **skill-scoped managed network domain overrides** within skill configurations, enhancing the existing network permission system. It refactors the **skill loading and metadata management** in `codex-rs/core/src/skills/loader.rs` and `codex-rs/core/src/skills/model.rs` to distinguish between a skill's general network `enabled` status and specific `allowed_domains` or `denied_domains`. These domain rules are now encapsulated in a new `SkillManagedNetworkOverride` structure, allowing for fine-grained control over network access for individual skills. This change lays the groundwork for future features, such as spinning up skill-specific network proxies with custom domain rules, and includes extensive updates to related tests and metadata construction sites.

This commit introduces a **granular rejection policy** by adding a dedicated `skill_approval` flag to the `RejectConfig` and `AskForApproval::Reject` payloads within the **app server protocol**. This **feature enhancement** allows for independent configuration of rejection behavior specifically for **skill-script prompts**, separating them from sandbox and rule-based prompts. The core **Unix shell escalation logic** has been updated to leverage this new flag, ensuring prompts are rejected based on their actual decision source (rules, sandbox, or skill scripts). This provides finer-grained control over prompt approval/rejection, impacting how rejection policies are communicated and enforced across the system. The change includes necessary **protocol updates** and expanded unit/integration test coverage.

This commit implements a **new capability** to include **experimental skill metadata** in **command approval requests**, allowing `app-server` clients to identify when an approval originates from a skill script. The **app-server protocol** is updated to add a `skillMetadata` field to `ExecApprovalRequestEvent` and `CommandExecutionRequestApprovalParams`, which is then **threaded through the core shell escalation logic** when a skill triggers a command. This enhancement enables clients to provide a richer user experience by linking approval prompts directly to their originating `SKILL.md` definitions. The change involves **protocol updates**, **schema regeneration** for JSON and TypeScript, and comprehensive **test coverage** across `app-server`, `core`, and `tui` modules.

This commit provides a **bug fix** and **refactoring** to **correct the handling of rejection policies for skill scripts** within the **Unix shell escalation** mechanism. It refines the `decide_escalation` logic in `codex-rs/core/src/tools/runtimes/shell/unix_escalation.rs` to properly distinguish between prefix-rule and sandbox approvals. This ensures that skill script execution is not prematurely denied when `rules=true` but `sandbox_approval=false`, instead correctly prompting the user as intended. The change improves the **reliability and user experience** of skill script execution and is reinforced by new **regression tests** in `codex-rs/core/tests/suite/skill_approval.rs`.

This commit **fixes** an issue in the **`core` module's skill execution flow** by **skipping the exec approval prompt** for **permissionless skill scripts**. Specifically, skill scripts with no permission profile or an explicitly empty one are now treated as permissionless and run directly within the turn's existing sandbox, reducing unnecessary user friction. The `escalate` function in `codex-rs/core/src/tools/runtimes/shell/unix_escalation.rs` was modified to implement this change, while the approval flow for skills declaring additional permissions remains unchanged. This **quality-of-life improvement** streamlines interactions with certain skill types. The new behavior is validated by updated **skill approval tests** in `codex-rs/core/tests/suite/skill_approval.rs` that confirm permissionless scripts no longer prompt for approval on initial or subsequent runs.

This commit **fixes a critical deserialization bug** within the **`app-server-protocol`** and **`protocol`** crates, specifically impacting **macOS automation permission approval payloads**. It updates the `MacOsAutomationPermissionDe` deserializer in `codex-rs/protocol/src/models.rs` to correctly accept `bundle_ids` when provided as an object (`{ "bundle_ids": [...] }`), resolving errors where `data did not match any variant of untagged enum MacOsAutomationPermissionDe`. Additionally, `#[serde(default)]` is applied to `MacOsSeatbeltProfileExtensions` to ensure omitted fields deserialize to secure defaults, enhancing the robustness of **`CommandExecutionRequestApprovalParams`** processing. This **bug fix** ensures compatibility with new wire shapes for macOS automation permissions, preventing failures in approval workflows and improving the overall stability of the system.

This commit performs **maintenance cleanup** by **removing unused legacy macOS permission types** from the `codex-rs/protocol/src/models.rs` file. Specifically, the `MacOsPermissions`, `MacOsPreferencesValue`, and `MacOsAutomationValue` data structures are eliminated as they are no longer utilized. This change streamlines the **macOS permission handling** within the `codex-rs` protocol, ensuring it exclusively relies on the current `MacOsSeatbeltProfileExtensions` model for all macOS permission data. The removal of these obsolete structures simplifies the codebase and reduces potential confusion regarding permission model definitions.

This commit introduces **strongly-typed macOS additional permissions** across the `app-server-protocol`, `core`, and `protocol` modules, enabling granular control over macOS-specific sandbox policies. It **integrates these new permission types**, such as `MacOsAutomationPermission` and `MacOsPreferencesPermission`, into the effective sandbox execution, including the generation of macOS seatbelt profile extensions. This **feature enhancement** refactors permission handling, updates schema definitions, and expands the `tui` to display detailed macOS permissions for user approval. The changes significantly improve the **security model** by providing more precise control over macOS operations and enhance user transparency regarding requested permissions.

This commit **enhances the Unix shell escalation path** for `zsh-fork` executables by **merging skill permission profiles additively** into the existing turn/request sandbox policy. Instead of replacing the sandbox policy with a standalone compiled profile, skill-matched executables now have their permissions combined with the base sandbox. This **feature enhancement** and **refactoring** affects how **skill-matched executables** receive their permissions within the **shell sandbox**, ensuring **consistent additive permission merging** for filesystem and network access. It also removes the now-unused skill permission compiler module, streamlining the permission handling process for `unix_escalation.rs`.

This commit **refactors** the **permission system** by nesting **skill and protocol network permissions** under an `enabled` field within a `network` object. Specifically, the `PermissionProfile.network` field in `codex-rs/protocol` is changed from `Option<bool>` to `Option<NetworkPermissions>` (containing `enabled: Option<bool>`), allowing for future expansion of network controls. This **schema evolution** impacts **`codex-rs/core`** for skill metadata parsing and permission consumption, updates **`codex-rs/app-server-protocol`** with new JSON schemas and TypeScript types, and adjusts the **`codex-rs/tui`** to correctly display these new permission structures. The change ensures that network permissions are now represented in a more structured and extensible way across the application.

This commit introduces a **`network_access` field** to the `SandboxPolicy::ReadOnly` variant, enabling **read-only sandbox policies** to explicitly grant network access. Previously, network access could not be preserved when a policy resolved to `ReadOnly`, leading to unintended permission loss. This **feature** updates the **core protocol**, **app-server v2 protocol**, and **sandboxing logic** to correctly compile, normalize, and merge permissions while maintaining network access for read-only policies. It also updates the **UI approval overlay** and **sandbox summary** to reflect this new capability, ensuring accurate representation and user visibility of network permissions. Backward compatibility is maintained by defaulting the new field to `false` in protocol schemas.

This commit **refactors** the **skill permission management** system by **removing the redundant `permissions` field from `SkillMetadata`**, establishing `permission_profile` as the single source of truth for sandboxing. It updates **skill loading** and the **zsh-fork skill escalation path** within `codex-rs/core` to derive sandbox configurations directly from `skill.permission_profile` only when needed, rather than compiling permissions eagerly. This **maintenance** change simplifies the system, making skill sandbox behavior more **predictable and intuitive**, particularly ensuring that an empty `permissions: {}` declaration is treated identically to omitting permissions.

This commit introduces a **new capability** to the **Codex environment context**, enabling the system to capture and persist the user's **local date and IANA timezone**. It extends the `EnvironmentContext` and `TurnContextItem` structures in the **`codex-rs/core` and `codex-rs/protocol` modules** to include `current_date` and `timezone` fields, which are then serialized into the model's `<environment_context>` payload. This ensures the model receives accurate, session-specific time information, preventing stale context from being reused by treating date/timezone changes as environment updates that invalidate prompt caches. The change significantly enhances the **model's contextual awareness** and ensures consistency across various flows, including history, subagent review, and resume, with comprehensive test updates validating the new fields' propagation and handling.

This commit **reverts** the previous introduction of a dedicated **skill approval event/response mechanism**, effectively **removing** the `SkillRequestApproval` event handling from the system. It impacts the **execution event processing** within `codex-rs/exec` by removing specific logic from `process_event` and the **Terminal User Interface (TUI)** chat widget by removing `handle_event` logic related to these events. This **refactoring** streamlines permission handling by eliminating a redundant event type. The system will now exclusively use `additional_permissions` within standard execution command approval server requests for managing skill authorizations, simplifying the overall architecture for skill permission requests.

This commit **reverts** the previous implementation that specifically ensured **shell command skills** triggered an approval prompt. It **removes** the dedicated logic, the `original_command` field from `ExecParams`, and associated test cases from the **skill approval system** within `codex-rs/app-server` and `codex-rs/core`. While removing the specific shell command approval, this change also introduces a **general skill approval request trigger** within the core turn execution flow (`run_turn`). This **refactoring** simplifies command handling by moving away from specialized checks for shell commands towards a more unified approach for skill invocation approvals. The downstream impact is that shell commands will no longer be subject to the previously implemented explicit approval mechanism.