Codex Handbook
utils/sandbox-summary/src/sandbox_summary.rs 182 lines
use codex_protocol::models::PermissionProfile;use codex_protocol::protocol::NetworkAccess;use codex_protocol::protocol::SandboxPolicy;use codex_utils_absolute_path::AbsolutePathBuf;pub fn summarize_sandbox_policy(sandbox_policy: &SandboxPolicy) -> String {    match sandbox_policy {        SandboxPolicy::DangerFullAccess => "danger-full-access".to_string(),        SandboxPolicy::ReadOnly { network_access, .. } => {            let mut summary = "read-only".to_string();            if *network_access {                summary.push_str(" (network access enabled)");            }            summary        }        SandboxPolicy::ExternalSandbox { network_access } => {            let mut summary = "external-sandbox".to_string();            if matches!(network_access, NetworkAccess::Enabled) {                summary.push_str(" (network access enabled)");            }            summary        }        SandboxPolicy::WorkspaceWrite {            writable_roots,            network_access,            exclude_tmpdir_env_var,            exclude_slash_tmp,        } => {            let mut summary = "workspace-write".to_string();            let mut writable_entries = Vec::<String>::new();            writable_entries.push("workdir".to_string());            if !*exclude_slash_tmp {                writable_entries.push("/tmp".to_string());            }            if !*exclude_tmpdir_env_var {                writable_entries.push("$TMPDIR".to_string());            }            writable_entries.extend(                writable_roots                    .iter()                    .map(|p| p.to_string_lossy().to_string()),            );            summary.push_str(&format!(" [{}]", writable_entries.join(", ")));            if *network_access {                summary.push_str(" (network access enabled)");            }            summary        }    }}pub fn summarize_permission_profile(    permission_profile: &PermissionProfile,    cwd: &AbsolutePathBuf,    workspace_roots: &[AbsolutePathBuf],) -> String {    match permission_profile.to_legacy_sandbox_policy(cwd.as_path()) {        Ok(SandboxPolicy::WorkspaceWrite {            network_access,            exclude_tmpdir_env_var,            exclude_slash_tmp,            ..        }) => {            let mut summary = "workspace-write".to_string();            let mut writable_entries = vec!["workdir".to_string()];            if !exclude_slash_tmp {                writable_entries.push("/tmp".to_string());            }            if !exclude_tmpdir_env_var {                writable_entries.push("$TMPDIR".to_string());            }            writable_entries.extend(                workspace_roots                    .iter()                    .filter(|root| *root != cwd)                    .map(|root| root.to_string_lossy().to_string()),            );            summary.push_str(&format!(" [{}]", writable_entries.join(", ")));            if network_access {                summary.push_str(" (network access enabled)");            }            summary        }        Ok(policy) => summarize_sandbox_policy(&policy),        Err(_) => {            if permission_profile.network_sandbox_policy().is_enabled() {                "custom permissions (network access enabled)".to_string()            } else {                "custom permissions".to_string()            }        }    }}#[cfg(test)]mod tests {    use super::*;    use codex_protocol::permissions::NetworkSandboxPolicy;    use codex_utils_absolute_path::AbsolutePathBuf;    use pretty_assertions::assert_eq;    #[test]    fn summarizes_external_sandbox_without_network_access_suffix() {        let summary = summarize_sandbox_policy(&SandboxPolicy::ExternalSandbox {            network_access: NetworkAccess::Restricted,        });        assert_eq!(summary, "external-sandbox");    }    #[test]    fn summarizes_external_sandbox_with_enabled_network() {        let summary = summarize_sandbox_policy(&SandboxPolicy::ExternalSandbox {            network_access: NetworkAccess::Enabled,        });        assert_eq!(summary, "external-sandbox (network access enabled)");    }    #[test]    fn summarizes_read_only_with_enabled_network() {        let summary = summarize_sandbox_policy(&SandboxPolicy::ReadOnly {            network_access: true,        });        assert_eq!(summary, "read-only (network access enabled)");    }    #[test]    fn workspace_write_summary_still_includes_network_access() {        let root = if cfg!(windows) { "C:\\repo" } else { "/repo" };        let writable_root = AbsolutePathBuf::try_from(root).unwrap();        let summary = summarize_sandbox_policy(&SandboxPolicy::WorkspaceWrite {            writable_roots: vec![writable_root.clone()],            network_access: true,            exclude_tmpdir_env_var: true,            exclude_slash_tmp: true,        });        assert_eq!(            summary,            format!(                "workspace-write [workdir, {}] (network access enabled)",                writable_root.to_string_lossy()            )        );    }    #[test]    fn permission_profile_summary_uses_runtime_workspace_roots_and_hides_internal_writes() {        let cwd =            AbsolutePathBuf::try_from(if cfg!(windows) { "C:\\repo" } else { "/repo" }).unwrap();        let extra_root = AbsolutePathBuf::try_from(if cfg!(windows) {            "C:\\repo-extra"        } else {            "/repo-extra"        })        .unwrap();        let hidden_root = AbsolutePathBuf::try_from(if cfg!(windows) {            "C:\\Users\\test\\.codex\\memories"        } else {            "/Users/test/.codex/memories"        })        .unwrap();        let profile = PermissionProfile::workspace_write_with(            std::slice::from_ref(&hidden_root),            NetworkSandboxPolicy::Restricted,            /*exclude_tmpdir_env_var*/ false,            /*exclude_slash_tmp*/ false,        );        let summary =            summarize_permission_profile(&profile, &cwd, &[cwd.clone(), extra_root.clone()]);        assert_eq!(            summary,            format!(                "workspace-write [workdir, /tmp, $TMPDIR, {}]",                extra_root.display()            )        );    }}