feat: support managed permission profiles in requirements.toml

[viyatb-oai]

Why

Cloud-managed requirements.toml should be able to define the managed permission profiles a client may select and constrain that selectable set without requiring local user config to recreate the profile catalog.

This keeps requirements focused on restrictions. The selected default remains a config or session choice, while requirements contribute the managed profile bodies and allowed_permissions allowlist that the config-loading boundary validates before a resolved runtime PermissionProfile is installed.

What changed

• Add requirements.toml support for a managed permission-profile catalog plus its allowlist:

allowed_permissions = ["review", "build"]

[permissions.review]
extends = ":read-only"

[permissions.build]
extends = ":workspace"

• Merge requirements-defined profile bodies into the effective permission catalog and reject profile ids that collide with config-defined profiles.
• Validate that every allowed_permissions entry resolves to a built-in or catalog profile before selection uses it.
• Preserve allowed configured named-profile selections. When a configured named profile is disallowed, fall back to the first allowed requirements profile with a startup warning.
• Keep built-in selections and the stock trust-based :read-only / :workspace fallback path intact when no permission profile is explicitly selected.
• Centralize the managed catalog and allowlist selection path in EffectivePermissionSelection so the requirements boundary is visible in config loading.
• Surface allowedPermissions through configRequirements/read, and update the generated app-server schema fixtures plus the app-server README.

Validation

• cargo test -p codex-config
• cargo test -p codex-core system_requirements_
• cargo test -p codex-core system_allowed_permissions_
• cargo test -p codex-app-server-protocol
• just write-app-server-schema

Related work

• Uses merged permission-profile inheritance support from feat(permissions): resolve permission profile inheritance #22270 and feat(permissions): apply inherited profiles at runtime #23705.
• Kept separate from the in-flight permission profile listing API in feat: add permission profile list api #23412.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2525dd0355

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[bolinfest]

I will finish this review tomorrow!