openai · bolinfest · May 21, 2026
diff --git a/codex-rs/app-server/src/request_processors/windows_sandbox_processor.rs b/codex-rs/app-server/src/request_processors/windows_sandbox_processor.rs
@@ -76,10 +76,8 @@ impl WindowsSandboxRequestProcessor {
                 Ok(config) => {
                     let setup_request = WindowsSandboxSetupRequest {
                         mode,
-                        policy: config
-                            .permissions
-                            .legacy_sandbox_policy(config.cwd.as_path()),
-                        policy_cwd: config.cwd.to_path_buf(),
+                        permission_profile: config.permissions.effective_permission_profile(),
+                        permission_profile_cwd: config.cwd.to_path_buf(),
                         command_cwd,
                         env_map: std::env::vars().collect(),
                         codex_home: config.codex_home.to_path_buf(),

diff --git a/codex-rs/cli/src/debug_sandbox.rs b/codex-rs/cli/src/debug_sandbox.rs
@@ -198,9 +198,9 @@ async fn run_command_under_sandbox(
     // does not support `--cwd`, but let's use the config value for consistency.
     let cwd = config.cwd.clone();
     // For now, we always use the same cwd for both the command and the
-    // sandbox policy. In the future, we could add a CLI option to set them
+    // permission profile. In the future, we could add a CLI option to set them
     // separately.
-    let sandbox_policy_cwd = cwd.clone();
+    let permission_profile_cwd = cwd.clone();
 
     let env = create_env(
         &config.permissions.shell_environment_policy,
@@ -211,7 +211,8 @@ async fn run_command_under_sandbox(
     if let SandboxType::Windows = sandbox_type {
         #[cfg(target_os = "windows")]
         {
-            run_command_under_windows_session(&config, command, cwd, sandbox_policy_cwd, env).await;
+            run_command_under_windows_session(&config, command, cwd, permission_profile_cwd, env)
+                .await;
         }
         #[cfg(not(target_os = "windows"))]
         {
@@ -254,7 +255,7 @@ async fn run_command_under_sandbox(
                 command,
                 file_system_sandbox_policy: &file_system_sandbox_policy,
                 network_sandbox_policy,
-                sandbox_policy_cwd: sandbox_policy_cwd.as_path(),
+                sandbox_policy_cwd: permission_profile_cwd.as_path(),
                 enforce_managed_network: false,
                 network: network.as_ref(),
                 extra_allow_unix_sockets: allow_unix_sockets,
@@ -286,7 +287,7 @@ async fn run_command_under_sandbox(
                 command,
                 cwd.as_path(),
                 &config.permissions.effective_permission_profile(),
-                sandbox_policy_cwd.as_path(),
+                permission_profile_cwd.as_path(),
                 use_legacy_landlock,
                 allow_network_for_proxy(managed_network_requirements_enabled),
             );
@@ -338,34 +339,25 @@ async fn run_command_under_windows_session(
     config: &Config,
     command: Vec<String>,
     cwd: AbsolutePathBuf,
-    sandbox_policy_cwd: AbsolutePathBuf,
+    permission_profile_cwd: AbsolutePathBuf,
     env: std::collections::HashMap<String, String>,
 ) -> ! {
     use codex_core::windows_sandbox::WindowsSandboxLevelExt;
     use codex_protocol::config_types::WindowsSandboxLevel;
-    use codex_windows_sandbox::spawn_windows_sandbox_session_elevated;
+    use codex_windows_sandbox::spawn_windows_sandbox_session_elevated_for_permission_profile;
     use codex_windows_sandbox::spawn_windows_sandbox_session_legacy;
 
-    let sandbox_policy = config
-        .permissions
-        .legacy_sandbox_policy(sandbox_policy_cwd.as_path());
-    let policy_str = match serde_json::to_string(&sandbox_policy) {
-        Ok(policy_str) => policy_str,
-        Err(err) => {
-            eprintln!("windows sandbox failed to serialize policy: {err}");
-            std::process::exit(1);
-        }
-    };
+    let permission_profile = config.permissions.effective_permission_profile();
 
     let use_elevated = matches!(
         WindowsSandboxLevel::from_config(config),
         WindowsSandboxLevel::Elevated
     );
 
     let spawned = if use_elevated {
-        spawn_windows_sandbox_session_elevated(
-            policy_str.as_str(),
-            sandbox_policy_cwd.as_path(),
+        spawn_windows_sandbox_session_elevated_for_permission_profile(
+            &permission_profile,
+            permission_profile_cwd.as_path(),
             config.codex_home.as_path(),
             command,
             cwd.as_path(),
@@ -383,8 +375,8 @@ async fn run_command_under_windows_session(
         .await
     } else {
         spawn_windows_sandbox_session_legacy(
-            policy_str.as_str(),
-            sandbox_policy_cwd.as_path(),
+            &permission_profile,
+            permission_profile_cwd.as_path(),
             config.codex_home.as_path(),
             command,
             cwd.as_path(),

@@ -423,7 +423,6 @@ pub(crate) async fn execute_exec_request(
     stdout_stream: Option<StdoutStream>,
     after_spawn: Option<Box<dyn FnOnce() + Send>>,
 ) -> Result<ExecToolCallOutput> {
-    let sandbox_policy = exec_request.compatibility_sandbox_policy();
     let ExecRequest {
         command,
         cwd,
@@ -464,7 +463,6 @@ pub(crate) async fn execute_exec_request(
         stdout_stream,
         after_spawn,
         sandbox,
-        &sandbox_policy,
         &permission_profile,
         &windows_sandbox_policy_cwd,
         windows_sandbox_filesystem_overrides.as_ref(),
@@ -481,7 +479,6 @@ async fn get_raw_output_result(
     stdout_stream: Option<StdoutStream>,
     after_spawn: Option<Box<dyn FnOnce() + Send>>,
     #[cfg_attr(not(windows), allow(unused_variables))] sandbox: SandboxType,
-    #[cfg_attr(not(windows), allow(unused_variables))] sandbox_policy: &SandboxPolicy,
     #[cfg_attr(not(windows), allow(unused_variables))] permission_profile: &PermissionProfile,
     #[cfg_attr(not(windows), allow(unused_variables))] windows_sandbox_policy_cwd: &AbsolutePathBuf,
     #[cfg_attr(not(windows), allow(unused_variables))] windows_sandbox_filesystem_overrides: Option<
@@ -492,7 +489,6 @@ async fn get_raw_output_result(
     if sandbox == SandboxType::WindowsRestrictedToken {
         return exec_windows_sandbox(
             params,
-            sandbox_policy,
             permission_profile,
             windows_sandbox_policy_cwd,
             windows_sandbox_filesystem_overrides,
@@ -572,7 +568,6 @@ fn record_windows_sandbox_spawn_failure(
 #[cfg(target_os = "windows")]
 async fn exec_windows_sandbox(
     params: ExecParams,
-    sandbox_policy: &SandboxPolicy,
     permission_profile: &PermissionProfile,
     windows_sandbox_policy_cwd: &AbsolutePathBuf,
     windows_sandbox_filesystem_overrides: Option<&WindowsSandboxFilesystemOverrides>,
@@ -604,11 +599,6 @@ async fn exec_windows_sandbox(
         None
     };
 
-    let policy_str = serde_json::to_string(sandbox_policy).map_err(|err| {
-        CodexErr::Io(io::Error::other(format!(
-            "failed to serialize Windows sandbox policy: {err}"
-        )))
-    })?;
     let sandbox_cwd = windows_sandbox_policy_cwd.clone();
     let permission_profile = permission_profile.clone();
     let codex_home = find_codex_home().map_err(|err| {
@@ -655,7 +645,7 @@ async fn exec_windows_sandbox(
             )
         } else {
             run_windows_sandbox_capture_with_filesystem_overrides(
-                policy_str.as_str(),
+                &permission_profile,
                 &sandbox_cwd,
                 codex_home.as_ref(),
                 command,

@@ -866,12 +866,6 @@ impl UnifiedExecProcessManager {
 
         #[cfg(target_os = "windows")]
         if request.sandbox == codex_sandboxing::SandboxType::WindowsRestrictedToken {
-            let sandbox_policy = request.compatibility_sandbox_policy();
-            let policy_json = serde_json::to_string(&sandbox_policy).map_err(|err| {
-                UnifiedExecError::create_process(format!(
-                    "failed to serialize Windows sandbox policy: {err}"
-                ))
-            })?;
             let codex_home = crate::config::find_codex_home().map_err(|err| {
                 UnifiedExecError::create_process(format!(
                     "windows sandbox: failed to resolve codex_home: {err}"
@@ -923,7 +917,7 @@ impl UnifiedExecProcessManager {
                 codex_protocol::config_types::WindowsSandboxLevel::RestrictedToken
                 | codex_protocol::config_types::WindowsSandboxLevel::Disabled => {
                     codex_windows_sandbox::spawn_windows_sandbox_session_legacy(
-                        policy_json.as_str(),
+                        &request.permission_profile,
                         request.windows_sandbox_policy_cwd.as_path(),
                         codex_home.as_ref(),
                         request.command.clone(),

@@ -9,7 +9,7 @@ use codex_features::FeaturesToml;
 use codex_login::default_client::originator;
 use codex_otel::sanitize_metric_tag_value;
 use codex_protocol::config_types::WindowsSandboxLevel;
-use codex_protocol::protocol::SandboxPolicy;
+use codex_protocol::models::PermissionProfile;
 use std::collections::BTreeMap;
 use std::collections::HashMap;
 use std::path::Path;
@@ -173,16 +173,17 @@ pub fn elevated_setup_failure_metric_name(_err: &anyhow::Error) -> &'static str
 
 #[cfg(target_os = "windows")]
 pub fn run_elevated_setup(
-    policy: &SandboxPolicy,
-    policy_cwd: &Path,
+    permission_profile: &PermissionProfile,
+    permission_profile_cwd: &Path,
     command_cwd: &Path,
     env_map: &HashMap<String, String>,
     codex_home: &Path,
 ) -> anyhow::Result<()> {
     let permissions =
-        codex_windows_sandbox::ResolvedWindowsSandboxPermissions::from_legacy_policy_for_cwd(
-            policy, policy_cwd,
-        );
+        codex_windows_sandbox::ResolvedWindowsSandboxPermissions::try_from_permission_profile_for_cwd(
+            permission_profile,
+            permission_profile_cwd,
+        )?;
     codex_windows_sandbox::run_elevated_setup(
         codex_windows_sandbox::SandboxSetupRequest {
             permissions: &permissions,
@@ -197,8 +198,8 @@ pub fn run_elevated_setup(
 
 #[cfg(not(target_os = "windows"))]
 pub fn run_elevated_setup(
-    _policy: &SandboxPolicy,
-    _policy_cwd: &Path,
+    _permission_profile: &PermissionProfile,
+    _permission_profile_cwd: &Path,
     _command_cwd: &Path,
     _env_map: &HashMap<String, String>,
     _codex_home: &Path,
@@ -208,15 +209,15 @@ pub fn run_elevated_setup(
 
 #[cfg(target_os = "windows")]
 pub fn run_legacy_setup_preflight(
-    policy: &SandboxPolicy,
-    policy_cwd: &Path,
+    permission_profile: &PermissionProfile,
+    permission_profile_cwd: &Path,
     command_cwd: &Path,
     env_map: &HashMap<String, String>,
     codex_home: &Path,
 ) -> anyhow::Result<()> {
     codex_windows_sandbox::run_windows_sandbox_legacy_preflight(
-        policy,
-        policy_cwd,
+        permission_profile,
+        permission_profile_cwd,
         codex_home,
         command_cwd,
         env_map,
@@ -225,16 +226,16 @@ pub fn run_legacy_setup_preflight(
 
 #[cfg(target_os = "windows")]
 pub fn run_setup_refresh_with_extra_read_roots(
-    policy: &SandboxPolicy,
-    policy_cwd: &Path,
+    permission_profile: &PermissionProfile,
+    permission_profile_cwd: &Path,
     command_cwd: &Path,
     env_map: &HashMap<String, String>,
     codex_home: &Path,
     extra_read_roots: Vec<PathBuf>,
 ) -> anyhow::Result<()> {
     codex_windows_sandbox::run_setup_refresh_with_extra_read_roots(
-        policy,
-        policy_cwd,
+        permission_profile,
+        permission_profile_cwd,
         command_cwd,
         env_map,
         codex_home,
@@ -245,8 +246,8 @@ pub fn run_setup_refresh_with_extra_read_roots(
 
 #[cfg(not(target_os = "windows"))]
 pub fn run_legacy_setup_preflight(
-    _policy: &SandboxPolicy,
-    _policy_cwd: &Path,
+    _permission_profile: &PermissionProfile,
+    _permission_profile_cwd: &Path,
     _command_cwd: &Path,
     _env_map: &HashMap<String, String>,
     _codex_home: &Path,
@@ -256,8 +257,8 @@ pub fn run_legacy_setup_preflight(
 
 #[cfg(not(target_os = "windows"))]
 pub fn run_setup_refresh_with_extra_read_roots(
-    _policy: &SandboxPolicy,
-    _policy_cwd: &Path,
+    _permission_profile: &PermissionProfile,
+    _permission_profile_cwd: &Path,
     _command_cwd: &Path,
     _env_map: &HashMap<String, String>,
     _codex_home: &Path,
@@ -275,8 +276,8 @@ pub enum WindowsSandboxSetupMode {
 #[derive(Debug, Clone)]
 pub struct WindowsSandboxSetupRequest {
     pub mode: WindowsSandboxSetupMode,
-    pub policy: SandboxPolicy,
-    pub policy_cwd: PathBuf,
+    pub permission_profile: PermissionProfile,
+    pub permission_profile_cwd: PathBuf,
     pub command_cwd: PathBuf,
     pub env_map: HashMap<String, String>,
     pub codex_home: PathBuf,
@@ -314,8 +315,8 @@ async fn run_windows_sandbox_setup_and_persist(
     request: WindowsSandboxSetupRequest,
 ) -> anyhow::Result<()> {
     let mode = request.mode;
-    let policy = request.policy;
-    let policy_cwd = request.policy_cwd;
+    let permission_profile = request.permission_profile;
+    let permission_profile_cwd = request.permission_profile_cwd;
     let command_cwd = request.command_cwd;
     let env_map = request.env_map;
     let codex_home = request.codex_home;
@@ -327,8 +328,8 @@ async fn run_windows_sandbox_setup_and_persist(
             WindowsSandboxSetupMode::Elevated => {
                 if !sandbox_setup_is_complete(setup_codex_home.as_path()) {
                     run_elevated_setup(
-                        &policy,
-                        policy_cwd.as_path(),
+                        &permission_profile,
+                        permission_profile_cwd.as_path(),
                         command_cwd.as_path(),
                         &env_map,
                         setup_codex_home.as_path(),
@@ -337,8 +338,8 @@ async fn run_windows_sandbox_setup_and_persist(
             }
             WindowsSandboxSetupMode::Unelevated => {
                 run_legacy_setup_preflight(
-                    &policy,
-                    policy_cwd.as_path(),
+                    &permission_profile,
+                    permission_profile_cwd.as_path(),
                     command_cwd.as_path(),
                     &env_map,
                     setup_codex_home.as_path(),

@@ -1,13 +1,13 @@
 use crate::windows_sandbox::run_setup_refresh_with_extra_read_roots;
 use anyhow::Result;
-use codex_protocol::protocol::SandboxPolicy;
+use codex_protocol::models::PermissionProfile;
 use std::collections::HashMap;
 use std::path::Path;
 use std::path::PathBuf;
 
 pub fn grant_read_root_non_elevated(
-    policy: &SandboxPolicy,
-    policy_cwd: &Path,
+    permission_profile: &PermissionProfile,
+    permission_profile_cwd: &Path,
     command_cwd: &Path,
     env_map: &HashMap<String, String>,
     codex_home: &Path,
@@ -25,8 +25,8 @@ pub fn grant_read_root_non_elevated(
 
     let canonical_root = dunce::canonicalize(read_root)?;
     run_setup_refresh_with_extra_read_roots(
-        policy,
-        policy_cwd,
+        permission_profile,
+        permission_profile_cwd,
         command_cwd,
         env_map,
         codex_home,