
Include legacy deny paths in elevated Windows sandbox setup#17365

Merged
iceweasel-oai merged 1 commit into main from codex/elevated-workspace-deny-paths on Apr 13, 2026

Conversation

@iceweasel-oai
Collaborator

Summary

This updates the Windows elevated sandbox setup/refresh path to include the legacy compute_allow_paths(...).deny protected children in the same deny-write payload pipe added for split filesystem carveouts.

Concretely, elevated setup and elevated refresh now both build deny-write payload paths from:

  • explicit split-policy deny-write paths, preserving missing paths so setup can materialize them before applying ACLs
  • legacy compute_allow_paths(...).deny, which includes existing .git, .codex, and .agents children under writable roots

This lets the elevated backend protect .git consistently with the unelevated/restricted-token path, and removes the old janky hard-coded .codex / .agents elevated setup helpers in favor of the shared payload path.

Root Cause

The landed split-carveout PR threaded a deny_write_paths pipe through elevated setup/refresh, but the legacy workspace-write deny set from compute_allow_paths(...).deny was not included in that payload. As a result, elevated workspace-write did not apply the intended deny-write ACLs for existing protected children like <cwd>/.git.

Notes

The legacy protected children still only enter the deny set if they already exist, because compute_allow_paths filters .git, .codex, and .agents with exists(). Missing explicit split-policy deny paths are preserved separately because setup intentionally materializes those before applying ACLs.

Validation

  • cargo fmt --check -p codex-windows-sandbox
  • cargo test -p codex-windows-sandbox
  • cargo build -p codex-cli -p codex-windows-sandbox --bins
  • Elevated codex exec smoke with windows.sandbox='elevated': fresh git repo, attempted append to .git/config, observed Access is denied, marker not written, Deny ACE present on .git
  • Unelevated codex exec smoke with windows.sandbox='unelevated': fresh git repo, attempted append to .git/config, observed Access is denied, marker not written, Deny ACE present on .git
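To make the payload assembly the summary describes concrete, here is an added Rust illustration (hypothetical code, not taken from codex-windows-sandbox; the function names, the `exists` callback and the sample paths are assumptions). It keeps explicit split-policy deny paths even when they do not exist yet, adds the legacy `.git`/`.codex`/`.agents` children only where they already exist, and de-duplicates so a root listed in both sources yields one deny entry.

```rust
// Added illustration of the deny-write payload assembly described in this PR.
// Hypothetical code, not from codex-windows-sandbox; names are assumptions.
use std::collections::BTreeSet;
use std::path::{Path, PathBuf};

/// Protected children that the legacy workspace-write policy denies writes
/// to under every writable root (as described in the PR notes).
const LEGACY_PROTECTED_CHILDREN: [&str; 3] = [".git", ".codex", ".agents"];

/// Legacy deny set: protected children under writable roots, kept only when
/// they already exist (mirrors the `exists()` filter the PR notes mention).
fn legacy_deny_paths(writable_roots: &[PathBuf], exists: &dyn Fn(&Path) -> bool) -> Vec<PathBuf> {
    let mut out = Vec::new();
    for root in writable_roots {
        for child in LEGACY_PROTECTED_CHILDREN.iter() {
            let candidate = root.join(child);
            if exists(&candidate) {
                out.push(candidate);
            }
        }
    }
    out
}

/// Build the deny-write payload for elevated setup/refresh: explicit
/// split-policy deny paths are preserved even when missing (setup materializes
/// them before applying ACLs), then the legacy set is merged in. The result is
/// sorted and de-duplicated so one path never gets two Deny ACEs.
fn build_deny_write_payload(
    explicit_deny_write_paths: &[PathBuf],
    writable_roots: &[PathBuf],
    exists: &dyn Fn(&Path) -> bool,
) -> Vec<PathBuf> {
    let mut set: BTreeSet<PathBuf> = explicit_deny_write_paths.iter().cloned().collect();
    set.extend(legacy_deny_paths(writable_roots, exists));
    set.into_iter().collect()
}

fn main() {
    // Constructed sample: one writable root where only .git exists on disk,
    // plus one explicit split-policy deny path that does not exist yet.
    let root = PathBuf::from("workspace/repo");
    let on_disk: BTreeSet<PathBuf> = vec![root.join(".git")].into_iter().collect();
    let exists = |p: &Path| on_disk.contains(p);
    let payload = build_deny_write_payload(&[root.join("scratch")], &[root.clone()], &exists);
    for p in &payload {
        println!("deny-write: {}", p.display());
    }
}
```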

@iceweasel-oai iceweasel-oai changed the title [codex] Include legacy deny paths in elevated Windows sandbox setup Include legacy deny paths in elevated Windows sandbox setup Apr 10, 2026
@iceweasel-oai iceweasel-oai marked this pull request as ready for review April 10, 2026 19:27
@iceweasel-oai iceweasel-oai force-pushed the codex/elevated-workspace-deny-paths branch from 0c71507 to a394593 April 10, 2026 21:52
@iceweasel-oai iceweasel-oai force-pushed the codex/elevated-workspace-deny-paths branch from a394593 to 45736c1 April 13, 2026 17:11
@iceweasel-oai iceweasel-oai merged commit 0131f99 into main Apr 13, 2026
19 of 22 checks passed
@iceweasel-oai iceweasel-oai deleted the codex/elevated-workspace-deny-paths branch April 13, 2026 17:49
@github-actions github-actions bot locked and limited conversation to collaborators Apr 13, 2026