Skip to content

Thread Windows metadata targets through sessions#21033

Open
evawong-oai wants to merge 1 commit into
codex/windows-protected-metadata-direct-execfrom
codex/windows-protected-metadata-session-threading
Open

Thread Windows metadata targets through sessions#21033
evawong-oai wants to merge 1 commit into
codex/windows-protected-metadata-direct-execfrom
codex/windows-protected-metadata-session-threading

Conversation

@evawong-oai
Copy link
Copy Markdown
Contributor

@evawong-oai evawong-oai commented May 4, 2026
edited
Loading

Summary

  1. Threads Windows protected metadata targets through reusable Windows sandbox sessions.
  2. Keeps session wiring separate from direct exec wiring.

Why

  1. Session based commands are a different entry point from direct exec and need the same protected metadata decisions.
  2. Splitting this PR lets reviewers inspect session lifecycle wiring without also reviewing target planning or enforcement logic.

Stack Relation

This PR is part 7 of 21 in the Windows protected metadata stack.

  1. PR 20889 Add Windows metadata adapter target type
  2. PR 20890 Add Windows metadata setup target type
  3. PR 20891 Add Windows metadata enforcement guard
  4. PR 21030 Plan Windows metadata targets from filesystem policy
  5. PR 21031 Thread Windows metadata targets through setup request
  6. PR 21032 Pass Windows metadata targets to direct exec
  7. PR 21033 Thread Windows metadata targets through sessions
  8. PR 21035 Enforce Windows protected metadata targets
  9. PR 21036 Deny Windows protected metadata symlink targets
  10. PR 21037 Use Windows metadata targets in debug sandbox
  11. PR 21038 Allow Windows sandbox Git signal pipes
  12. PR 21039 Add Windows legacy Git read root helpers
  13. PR 21040 Grant Windows legacy Git read roots
  14. PR 21041 Inject Git safe directory for Windows legacy sandbox
  15. PR 21042 Test Windows runtime metadata target preparation
  16. PR 21043 Document Windows metadata request boundary
  17. PR 21172 Add Windows missing metadata monitor runtime
  18. PR 21173 Wire Windows metadata monitor through sandbox exits
  19. PR 21174 Add Windows missing metadata deny sentinel
  20. PR 21175 Wire missing Windows metadata to deny sentinel
  21. PR 21184 Use direct deny ACLs for Windows metadata sentinels

Validation

  1. Stack head local format and Rust tests passed on 95ef124d6194bd2126c11928cb3973214f9ac63a.
  2. Azure Windows VM 56 case validation is running on 95ef124d6194bd2126c11928cb3973214f9ac63a.

This was referenced May 4, 2026
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
@evawong-oai evawong-oai force-pushed the codex/windows-protected-metadata-session-threading branch from f21dcba to e62c735 Compare May 5, 2026 10:51
@evawong-oai evawong-oai force-pushed the codex/windows-protected-metadata-session-threading branch from e62c735 to 68d2d40 Compare May 6, 2026 22:09
@evawong-oai evawong-oai force-pushed the codex/windows-protected-metadata-direct-exec branch from 16cc0e9 to 461f186 Compare May 6, 2026 22:09
@evawong-oai evawong-oai marked this pull request as ready for review May 7, 2026 00:45
@evawong-oai evawong-oai requested a review from a team as a code owner May 7, 2026 00:45
This was referenced May 7, 2026
Open
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@evawong-oai