Grant sandbox users access to desktop runtime bin#21564

Merged
iceweasel-oai merged 1 commit into main from codex/windows-runtime-bin-acl
May 7, 2026

@iceweasel-oai
Collaborator

Why

Codex desktop copies bundled Windows binaries out of WindowsApps into a LocalAppData runtime cache before launching codex.exe. Sandboxed commands can then need to execute helpers from that cache, but the sandbox user group may not have read/execute access to the runtime bin directory.

This makes the Windows sandbox refresh path repair that access directly so the packaged desktop runtime remains usable from sandboxed sessions.

What changed

  • Added setup_runtime_bin to locate %LOCALAPPDATA%\OpenAI\Codex\bin, matching the desktop bundled-binaries destination path, with the same USERPROFILE\AppData\Local fallback shape.
  • During refresh setup, check whether CodexSandboxUsers already has read/execute access to the runtime bin directory.
  • If access is missing, grant CodexSandboxUsers OI/CI/RX inheritance on that directory.
  • If the runtime bin directory does not exist, no-op cleanly.

Verification

  • cargo build -p codex-windows-sandbox --bin codex-windows-sandbox-setup
  • cargo test -p codex-windows-sandbox --bin codex-windows-sandbox-setup
  • Manual Windows ACL exercise against the installed packaged runtime bin:
    • existing inherited CodexSandboxUsers:(I)(OI)(CI)(RX) no-ops without changing SDDL
    • after disabling inheritance and removing the group ACE, setup adds CodexSandboxUsers:(OI)(CI)(RX)
    • with LOCALAPPDATA pointed at a fake location without OpenAI\Codex\bin, setup exits successfully and does not create the directory
    • restored the real runtime bin with inherited ACLs and confirmed the final SDDL matched the baseline exactly
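
The refresh decision described in this PR (no-op when the directory is absent or the group can already read/execute, otherwise add an (OI)(CI)(RX) ACE), modelled over icacls-style ACE strings. This is an added example, not code from the PR or the Codex project; `Action`, `parse_ace`, `grants_rx` and `plan` are hypothetical names and the sample ACL is constructed.

```rust
// Added example: models the refresh decision over icacls-style ACE strings.
// Action, parse_ace, grants_rx and plan are hypothetical, not the project's API.
const GROUP: &str = "CodexSandboxUsers";

#[derive(Debug, PartialEq)]
enum Action {
    NoDirectory,    // runtime bin missing: no-op, nothing is created
    AlreadyGranted, // group can already read/execute: ACL left untouched
    Grant(String),  // ACE to add, in icacls notation
}

// Splits "HOST\Name:(I)(OI)(CI)(RX)" into the account and its flag tokens.
fn parse_ace(line: &str) -> Option<(String, Vec<String>)> {
    let (account, rest) = line.trim().split_once(":(")?;
    let rest = rest.strip_suffix(')')?;
    let flags = rest
        .split(")(")
        .flat_map(|group| group.split(',')) // "(RX,W)" -> RX, W
        .map(|f| f.trim().to_ascii_uppercase())
        .collect();
    Some((account.to_string(), flags))
}

// True when the ACE gives GROUP read/execute on the directory itself.
fn grants_rx(account: &str, flags: &[String]) -> bool {
    let name = account.rsplit('\\').next().unwrap_or(account);
    let has = |f: &str| flags.iter().any(|x| x == f);
    // (IO) applies only to children; (DENY) never grants; F and M include RX.
    name.eq_ignore_ascii_case(GROUP)
        && !has("IO")
        && !has("DENY")
        && (has("RX") || has("M") || has("F"))
}

// `aces` is None when the directory does not exist.
fn plan(aces: Option<&[&str]>) -> Action {
    match aces {
        None => Action::NoDirectory,
        Some(lines) if lines.iter().filter_map(|l| parse_ace(l))
            .any(|(acct, flags)| grants_rx(&acct, &flags)) => Action::AlreadyGranted,
        Some(_) => Action::Grant(format!("{}:(OI)(CI)(RX)", GROUP)),
    }
}

fn main() {
    // Constructed sample ACL with the group's ACE removed.
    let stripped: &[&str] = &["NT AUTHORITY\\SYSTEM:(OI)(CI)(F)"];
    println!("{:?}", plan(Some(stripped)));
}
```

The inherit-only case is the one worth noting: an `(OI)(CI)(IO)(RX)` ACE covers files and subdirectories but not the directory itself, so the model still plans a grant.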

@iceweasel-oai iceweasel-oai force-pushed the codex/windows-runtime-bin-acl branch from 20a80e1 to c428356 Compare May 7, 2026 17:31

@johnl-oai johnl-oai left a comment


awesome

@iceweasel-oai iceweasel-oai merged commit 163eac9 into main May 7, 2026
26 checks passed
@iceweasel-oai iceweasel-oai deleted the codex/windows-runtime-bin-acl branch May 7, 2026 18:38
@github-actions github-actions Bot locked and limited conversation to collaborators May 7, 2026
2 participants