[codex] Scope Windows sandbox write-root capability SIDs

[adrianbravo-oai]

Summary

• add per-write-root capability SIDs for Windows workspace-write roots
• build legacy/elevated tokens from only the active effective write roots
• align setup/audit deny ACL handling with active root-specific SIDs

Testing

• just fmt
• git diff --check --cached

[adrianbravo-oai]

@codex review

[codex-loop invocation 20260507T041022Z-88104 iteration 1] Please review current head a339386.

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Keep it up!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[adrianbravo-oai]

@codex review

[codex-loop invocation 20260507T041937Z-23384 iteration 1] Please review current head c94598d.

[adrianbravo-oai]

@codex review

[codex-loop invocation 20260507T042124Z-36430 iteration 1] Please review current head c94598d.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c94598d733

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve read-only ACL grants when write-root SIDs are absent

Handle the read-only path explicitly instead of skipping it. apply_legacy_session_acl_rules now selects SIDs only via matching_root_capability; for SandboxPolicy::ReadOnly, write_root_sids is empty, so every allow path is skipped. That drops capability allow ACE application for legacy read-only sessions, which can block expected file reads under restricted tokens.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Delightful!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".