chore: introduce SandboxPolicy::WorkspaceWrite::include_default_writable_roots (#1785)

Without this change, it is challenging to create integration tests to verify that the folders not included in `writable_roots` in `SandboxPolicy::WorkspaceWrite` are read-only because, by default, `get_writable_roots_with_cwd()` includes `TMPDIR`, which is where most integrationt tests do their work. This introduces a `use_exact_writable_roots` option to disable the default includes returned by `get_writable_roots_with_cwd()`. --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1785). * #1765 * __->__ #1785
2025-08-01 14:15:55 -07:00
parent f20de21cb6
commit 92f3566d78
4 changed files with 27 additions and 1 deletions
--- a/codex-rs/core/src/config.rs
+++ b/codex-rs/core/src/config.rs
@@ -356,6 +356,7 @@ impl ConfigToml {
                Some(s) => SandboxPolicy::WorkspaceWrite {
                    writable_roots: s.writable_roots.clone(),
                    network_access: s.network_access,
+                    include_default_writable_roots: true,
                },
                None => SandboxPolicy::new_workspace_write_policy(),
            },
@@ -727,6 +728,7 @@ writable_roots = [
            SandboxPolicy::WorkspaceWrite {
                writable_roots: vec![PathBuf::from("/tmp")],
                network_access: false,
+                include_default_writable_roots: true,
            },
            sandbox_workspace_write_cfg.derive_sandbox_policy(sandbox_mode_override)
        );