
Thread Windows metadata targets through setup request #21031

Open
evawong-oai wants to merge 1 commit into codex/windows-protected-metadata-plan-policy from codex/windows-protected-metadata-setup-threading


@evawong-oai evawong-oai commented May 4, 2026

Summary

  1. Threads planned Windows protected metadata targets into the setup request.
  2. Keeps execution behavior unchanged until the direct exec and session paths consume the field.

Why

  1. This PR moves the planned target list across the request boundary as its own small wiring step.
  2. The full stack needs setup to receive the same metadata decisions that policy planned, without recomputing them in the elevated process.

Stack Relation

This PR is part 5 of 21 in the Windows protected metadata stack.

  1. PR 20889 Add Windows metadata adapter target type
  2. PR 20890 Add Windows metadata setup target type
  3. PR 20891 Add Windows metadata enforcement guard
  4. PR 21030 Plan Windows metadata targets from filesystem policy
  5. PR 21031 Thread Windows metadata targets through setup request
  6. PR 21032 Pass Windows metadata targets to direct exec
  7. PR 21033 Thread Windows metadata targets through sessions
  8. PR 21035 Enforce Windows protected metadata targets
  9. PR 21036 Deny Windows protected metadata symlink targets
  10. PR 21037 Use Windows metadata targets in debug sandbox
  11. PR 21038 Allow Windows sandbox Git signal pipes
  12. PR 21039 Add Windows legacy Git read root helpers
  13. PR 21040 Grant Windows legacy Git read roots
  14. PR 21041 Inject Git safe directory for Windows legacy sandbox
  15. PR 21042 Test Windows runtime metadata target preparation
  16. PR 21043 Document Windows metadata request boundary
  17. PR 21172 Add Windows missing metadata monitor runtime
  18. PR 21173 Wire Windows metadata monitor through sandbox exits
  19. PR 21174 Add Windows missing metadata deny sentinel
  20. PR 21175 Wire missing Windows metadata to deny sentinel
  21. PR 21184 Use direct deny ACLs for Windows metadata sentinels

Validation

  1. Stack head local format and Rust tests passed on 95ef124d6194bd2126c11928cb3973214f9ac63a.
  2. Azure Windows VM 56 case validation is running on 95ef124d6194bd2126c11928cb3973214f9ac63a.


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 230dcf45c2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/core/src/exec.rs
elevated_read_roots_include_platform_defaults,
write_roots_override: elevated_write_roots_override.as_deref(),
deny_write_paths_override: &elevated_deny_write_paths,
protected_metadata_targets: &[],
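
Review bot: the protected_metadata_targets: &[] line hard-codes an empty slice with no comment marking it as a placeholder. The PR description says execution behavior stays unchanged until the direct exec and session paths consume the field, so a short comment at this call site naming that follow-up would keep a reader from assuming the elevated request intentionally carries no targets, and would make the placeholder easy to find when the planned list is wired in.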

P1: Pass protected metadata targets to elevated setup

resolve_windows_*_filesystem_overrides populates protected_metadata_targets, but the elevated capture request is always given &[] here. Any split policy metadata protections are dropped before setup/refresh, so the elevated backend still lets sandboxed commands create or modify protected metadata paths.


Comment on lines +91 to +93
#[allow(dead_code)]
#[serde(default)]
protected_metadata_targets: Vec<ProtectedMetadataTarget>,
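
Review bot: #[serde(default)] on protected_metadata_targets means a request that omits the field deserializes to an empty Vec without error, so a caller that forgot to send targets looks the same as one that planned none. If that leniency exists only for compatibility with callers that do not send the field yet, say so in a comment on the field. The #[allow(dead_code)] above it should also carry a note naming the change expected to read the field, so the allow is removed together with that change.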

P1: Apply protected metadata targets in the setup helper

The helper now deserializes protected_metadata_targets, but the field is marked dead code and is never read; setup only applies ACLs from deny_write_paths. Even after callers pass targets, ExistingDeny/MissingCreationMonitor modes have no effect in elevated setup, leaving protected metadata writable/creatable.

