fix: merge skill permissions into escalated sandbox by default

Author: bolinfest

codex-rs/app-server-protocol/schema/json/ClientRequest.json

@@ -1618,6 +1618,10 @@
                 "type": "fullAccess"
               }
             },
+            "networkAccess": {
+              "default": false,
+              "type": "boolean"
+            },
             "type": {
               "enum": [
                 "readOnly"

codex-rs/app-server-protocol/schema/json/EventMsg.json

@@ -5261,6 +5261,10 @@
               ],
               "description": "Read access granted while running under this policy."
             },
+            "network_access": {
+              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
+              "type": "boolean"
+            },
             "type": {
               "enum": [
                 "read-only"

codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json

@@ -11772,6 +11772,10 @@
                   "type": "fullAccess"
                 }
               },
+              "networkAccess": {
+                "default": false,
+                "type": "boolean"
+              },
               "type": {
                 "enum": [
                   "readOnly"

codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json

@@ -89,6 +89,10 @@
                 "type": "fullAccess"
               }
             },
+            "networkAccess": {
+              "default": false,
+              "type": "boolean"
+            },
             "type": {
               "enum": [
                 "readOnly"

codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json

@@ -653,6 +653,10 @@
                 "type": "fullAccess"
               }
             },
+            "networkAccess": {
+              "default": false,
+              "type": "boolean"
+            },
             "type": {
               "enum": [
                 "readOnly"

codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json

@@ -653,6 +653,10 @@
                 "type": "fullAccess"
               }
             },
+            "networkAccess": {
+              "default": false,
+              "type": "boolean"
+            },
             "type": {
               "enum": [
                 "readOnly"

codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json

@@ -653,6 +653,10 @@
                 "type": "fullAccess"
               }
             },
+            "networkAccess": {
+              "default": false,
+              "type": "boolean"
+            },
             "type": {
               "enum": [
                 "readOnly"

codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json

@@ -214,6 +214,10 @@
                 "type": "fullAccess"
               }
             },
+            "networkAccess": {
+              "default": false,
+              "type": "boolean"
+            },
             "type": {
               "enum": [
                 "readOnly"

codex-rs/app-server-protocol/schema/typescript/SandboxPolicy.ts

@@ -12,7 +12,12 @@ export type SandboxPolicy = { "type": "danger-full-access" } | { "type": "read-o
 /**
  * Read access granted while running under this policy.
  */
-access?: ReadOnlyAccess, } | { "type": "external-sandbox", 
+access?: ReadOnlyAccess, 
+/**
+ * When set to `true`, outbound network access is allowed. `false` by
+ * default.
+ */
+network_access?: boolean, } | { "type": "external-sandbox", 
 /**
  * Whether the external sandbox permits outbound network traffic.
  */

codex-rs/app-server-protocol/schema/typescript/v2/SandboxPolicy.ts

@@ -5,4 +5,4 @@ import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 import type { NetworkAccess } from "./NetworkAccess";
 import type { ReadOnlyAccess } from "./ReadOnlyAccess";
 
-export type SandboxPolicy = { "type": "dangerFullAccess" } | { "type": "readOnly", access: ReadOnlyAccess, } | { "type": "externalSandbox", networkAccess: NetworkAccess, } | { "type": "workspaceWrite", writableRoots: Array<AbsolutePathBuf>, readOnlyAccess: ReadOnlyAccess, networkAccess: boolean, excludeTmpdirEnvVar: boolean, excludeSlashTmp: boolean, };
+export type SandboxPolicy = { "type": "dangerFullAccess" } | { "type": "readOnly", access: ReadOnlyAccess, networkAccess: boolean, } | { "type": "externalSandbox", networkAccess: NetworkAccess, } | { "type": "workspaceWrite", writableRoots: Array<AbsolutePathBuf>, readOnlyAccess: ReadOnlyAccess, networkAccess: boolean, excludeTmpdirEnvVar: boolean, excludeSlashTmp: boolean, };