feat(approvals) RejectConfig for request_permissions

[dylan-hurd-oai]

Summary

We need to support allowing request_permissions calls when using Reject policy

Note that this is a backwards-incompatible change for Reject policy. I'm not sure if we need to add a default based on our current use/setup

Testing

• Added tests
• Tested locally

[dylan-hurd-oai]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0e28720f3d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep RejectConfig backward-compatible on deserialization

Adding request_permissions as a required field without a serde default makes old Reject payloads fail to decode. Existing configs/clients that only send sandbox_approval, rules, and mcp_elicitations will now error instead of loading. This introduces a breaking change for persisted config and API consumers; deserialize missing request_permissions as false to keep compatibility.

Useful? React with 👍 / 👎.

[dylan-hurd-oai]

@celia-oai I think this is my primary concern here - the other values are not optional, so it feels a bit weird to make this one optional. but conflicts with backwards-compatibility

[celia-oai]

I think the correct thing to do here is prob to make Reject an experimental field, since i think we'll keep making breaking changes here as we iterate

[dylan-hurd-oai]

Yep, can do!