Scope OpenAI file temp roots per session

Co-authored-by: Codex <noreply@openai.com>

Author: caseychow-oai

codex-rs/core/src/codex.rs

@@ -230,6 +230,7 @@ use crate::mentions::collect_explicit_app_ids;
 use crate::mentions::collect_explicit_plugin_mentions;
 use crate::mentions::collect_tool_mentions_from_messages;
 use crate::network_policy_decision::execpolicy_network_rule_amendment;
+use crate::openai_files::managed_download_root_for_session;
 use crate::plugins::PluginsManager;
 use crate::plugins::build_plugin_injections;
 use crate::plugins::render_plugins_section;
@@ -1153,6 +1154,41 @@ pub(crate) struct SessionSettingsUpdate {
 }
 
 impl Session {
+    fn add_session_openai_file_root_to_sandbox(
+        session_configuration: &mut SessionConfiguration,
+        conversation_id: ThreadId,
+    ) -> anyhow::Result<()> {
+        let session_openai_file_root =
+            managed_download_root_for_session(&conversation_id.to_string());
+        let session_openai_file_root =
+            AbsolutePathBuf::from_absolute_path(&session_openai_file_root).map_err(|error| {
+                anyhow::anyhow!(
+                    "failed to resolve session OpenAI file root `{}`: {error}",
+                    session_openai_file_root.display()
+                )
+            })?;
+        session_configuration.file_system_sandbox_policy = session_configuration
+            .file_system_sandbox_policy
+            .clone()
+            .with_additional_readable_roots(
+                &session_configuration.cwd,
+                std::slice::from_ref(&session_openai_file_root),
+            );
+        if matches!(
+            session_configuration.sandbox_policy.get(),
+            SandboxPolicy::WorkspaceWrite { .. }
+        ) {
+            session_configuration.file_system_sandbox_policy = session_configuration
+                .file_system_sandbox_policy
+                .clone()
+                .with_additional_writable_roots(
+                    &session_configuration.cwd,
+                    std::slice::from_ref(&session_openai_file_root),
+                );
+        }
+        Ok(())
+    }
+
     /// Builds the `x-codex-beta-features` header value for this session.
     ///
     /// `ModelClient` is session-scoped and intentionally does not depend on the full `Config`, so
@@ -1462,6 +1498,7 @@ impl Session {
             ),
             InitialHistory::New | InitialHistory::Forked(_) => None,
         };
+        Self::add_session_openai_file_root_to_sandbox(&mut session_configuration, conversation_id)?;
 
         // Kick off independent async setup tasks in parallel to reduce startup latency.
         //

codex-rs/core/src/codex_tests.rs

@@ -12,6 +12,7 @@ use crate::exec::ExecToolCallOutput;
 use crate::function_tool::FunctionCallError;
 use crate::mcp_connection_manager::ToolInfo;
 use crate::models_manager::model_info;
+use crate::openai_files::managed_download_root_for_session;
 use crate::shell::default_user_shell;
 use crate::tools::format_exec_output_str;
 
@@ -2156,6 +2157,57 @@ async fn session_configuration_apply_preserves_split_file_system_policy_on_cwd_o
     );
 }
 
+#[tokio::test]
+async fn session_openai_file_root_is_scoped_to_the_current_session() {
+    let mut session_configuration = make_session_configuration_for_tests().await;
+    session_configuration.sandbox_policy =
+        codex_config::Constrained::allow_any(SandboxPolicy::WorkspaceWrite {
+            writable_roots: Vec::new(),
+            read_only_access: ReadOnlyAccess::Restricted {
+                include_platform_defaults: true,
+                readable_roots: Vec::new(),
+            },
+            network_access: false,
+            exclude_tmpdir_env_var: true,
+            exclude_slash_tmp: true,
+        });
+    session_configuration.file_system_sandbox_policy =
+        FileSystemSandboxPolicy::restricted(vec![FileSystemSandboxEntry {
+            path: FileSystemPath::Special {
+                value: FileSystemSpecialPath::CurrentWorkingDirectory,
+            },
+            access: FileSystemAccessMode::Write,
+        }]);
+
+    let session_id = ThreadId::new();
+    let session_root = managed_download_root_for_session(&session_id.to_string());
+    let other_session_root = managed_download_root_for_session(&ThreadId::new().to_string());
+
+    Session::add_session_openai_file_root_to_sandbox(&mut session_configuration, session_id)
+        .expect("session OpenAI file root should be added to sandbox");
+
+    assert!(
+        session_configuration
+            .file_system_sandbox_policy
+            .can_read_path_with_cwd(&session_root, &session_configuration.cwd)
+    );
+    assert!(
+        session_configuration
+            .file_system_sandbox_policy
+            .can_write_path_with_cwd(&session_root, &session_configuration.cwd)
+    );
+    assert!(
+        !session_configuration
+            .file_system_sandbox_policy
+            .can_read_path_with_cwd(&other_session_root, &session_configuration.cwd)
+    );
+    assert!(
+        !session_configuration
+            .file_system_sandbox_policy
+            .can_write_path_with_cwd(&other_session_root, &session_configuration.cwd)
+    );
+}
+
 #[cfg_attr(windows, ignore)]
 #[tokio::test]
 async fn new_default_turn_uses_config_aware_skills_for_role_overrides() {

codex-rs/core/src/mcp_tool_call.rs

@@ -1089,6 +1089,7 @@ async fn rewrite_mcp_tool_result_for_openai_files(
             continue;
         };
         rewrite_output_value_for_openai_files(
+            sess,
             turn_context,
             auth.as_ref(),
             call_id,
@@ -1102,6 +1103,7 @@ async fn rewrite_mcp_tool_result_for_openai_files(
 }
 
 async fn rewrite_output_value_for_openai_files(
+    sess: &Session,
     turn_context: &TurnContext,
     auth: Option<&crate::CodexAuth>,
     call_id: &str,
@@ -1111,6 +1113,7 @@ async fn rewrite_output_value_for_openai_files(
     match value {
         serde_json::Value::String(file_ref) => {
             if let Some(downloaded_path) = auto_download_openai_file_value(
+                sess,
                 turn_context,
                 auth,
                 call_id,
@@ -1128,6 +1131,7 @@ async fn rewrite_output_value_for_openai_files(
                     continue;
                 };
                 if let Some(downloaded_path) = auto_download_openai_file_value(
+                    sess,
                     turn_context,
                     auth,
                     call_id,
@@ -1145,6 +1149,7 @@ async fn rewrite_output_value_for_openai_files(
 }
 
 async fn auto_download_openai_file_value(
+    sess: &Session,
     turn_context: &TurnContext,
     auth: Option<&crate::CodexAuth>,
     call_id: &str,
@@ -1160,6 +1165,7 @@ async fn auto_download_openai_file_value(
         turn_context.config.as_ref(),
         auth,
         file_ref,
+        &sess.conversation_id.to_string(),
         call_id,
         max_bytes,
     )

codex-rs/core/src/openai_files.rs

@@ -379,6 +379,7 @@ pub(crate) async fn download_file_to_managed_temp(
     config: &Config,
     auth: Option<&CodexAuth>,
     reference: &str,
+    session_id: &str,
     scope: &str,
     max_bytes: u64,
 ) -> Result<DownloadedOpenAiFile, OpenAiFileError> {
@@ -393,7 +394,7 @@ pub(crate) async fn download_file_to_managed_temp(
         });
     }
 
-    let download_dir = managed_download_dir(scope)?;
+    let download_dir = managed_download_dir(session_id, scope)?;
 
     let file_name = sanitize_download_file_name(
         resolved
@@ -483,8 +484,17 @@ pub(crate) async fn download_file_to_managed_temp(
     })
 }
 
-pub(crate) fn managed_download_dir(scope: &str) -> Result<PathBuf, OpenAiFileError> {
-    let parent = std::env::temp_dir().join("codex-openai-files").join(scope);
+pub(crate) fn managed_download_root_for_session(session_id: &str) -> PathBuf {
+    std::env::temp_dir()
+        .join("codex-openai-files")
+        .join(sanitize_download_file_name(session_id))
+}
+
+pub(crate) fn managed_download_dir(
+    session_id: &str,
+    scope: &str,
+) -> Result<PathBuf, OpenAiFileError> {
+    let parent = managed_download_root_for_session(session_id).join(scope);
     std::fs::create_dir_all(&parent).map_err(|source| OpenAiFileError::CreateDirectory {
         path: parent.clone(),
         source,
@@ -658,6 +668,7 @@ mod tests {
             &test_config_for(&server),
             Some(&chatgpt_auth()),
             "sediment://file_123",
+            "session-1",
             "call-1",
             OPENAI_FILE_DOWNLOAD_LIMIT_BYTES,
         )
@@ -670,7 +681,7 @@ mod tests {
         assert!(
             downloaded
                 .destination_path
-                .starts_with(std::env::temp_dir().join("codex-openai-files/call-1"))
+                .starts_with(std::env::temp_dir().join("codex-openai-files/session-1/call-1"))
         );
         assert_eq!(
             tokio::fs::read_to_string(&downloaded.destination_path)
@@ -699,6 +710,7 @@ mod tests {
             &test_config_for(&server),
             Some(&chatgpt_auth()),
             "file_123",
+            "session-2",
             "call-2",
             128,
         )
@@ -739,6 +751,7 @@ mod tests {
             &test_config_for(&server),
             Some(&auth),
             "sediment://file_123",
+            "session-3",
             "call-3",
             OPENAI_FILE_DOWNLOAD_LIMIT_BYTES,
         )

codex-rs/core/src/tools/handlers/openai_file.rs

@@ -60,6 +60,7 @@ impl ToolHandler for DownloadOpenAiFileHandler {
             turn.config.as_ref(),
             auth.as_ref(),
             &args.file_id,
+            &session.conversation_id.to_string(),
             &unique_manual_download_scope(),
             OPENAI_FILE_DOWNLOAD_LIMIT_BYTES,
         )