Skip to content

windows-sandbox: add resolved permissions helper#22896

Merged
bolinfest merged 1 commit into
mainfrom
pr22896
May 20, 2026
Merged

windows-sandbox: add resolved permissions helper#22896
bolinfest merged 1 commit into
mainfrom
pr22896

Conversation

@bolinfest
Copy link
Copy Markdown
Collaborator

@bolinfest bolinfest commented May 15, 2026
edited
Loading

Why

The Windows sandbox migration away from the legacy SandboxPolicy abstraction needs a small local bridge before IPC and core wiring can move to PermissionProfile. Leaf helpers currently branch directly on WorkspaceWrite, which spreads legacy assumptions through path planning and token setup code.

This PR introduces a Windows-local resolved permissions view so those helpers can ask Windows-specific questions about runtime filesystem/network permissions without matching on the legacy policy enum everywhere.

What changed

  • Added ResolvedWindowsSandboxPermissions in windows-sandbox-rs/src/resolved_permissions.rs, with legacy SandboxPolicy constructors for the current call sites.
  • Moved allow.rs writable-root and read-only-subpath planning onto the resolved permissions type.
  • Preserved Windows TEMP/TMP writable-root behavior when the effective policy includes writable tmpdir access.
  • Avoided resolving Unix :slash_tmp or parent-process TMPDIR while computing Windows writable roots.
  • Reused the shared allow-path result for setup write-root gathering and routed network-block selection through the resolved abstraction.

Verification

  • cargo test -p codex-windows-sandbox
  • just fix -p codex-windows-sandbox
  • GitHub CI restarted on the amended commit; Windows Bazel is the required signal for the Windows-only code paths.

Stack created with Sapling. Best reviewed with ReviewStack.

chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed May 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c0ed87b84a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/windows-sandbox-rs/src/resolved_permissions.rs
Comment thread codex-rs/windows-sandbox-rs/src/resolved_permissions.rs
@bolinfest bolinfest requested a review from iceweasel-oai May 15, 2026 22:32
@bolinfest bolinfest mentioned this pull request May 15, 2026
Merged
@bolinfest bolinfest mentioned this pull request May 15, 2026
Merged
@github-actions github-actions Bot mentioned this pull request May 16, 2026
Open
@bolinfest bolinfest mentioned this pull request May 17, 2026
Merged
This was referenced May 18, 2026
Open
Open
This was referenced May 20, 2026
Merged
Merged
@bolinfest bolinfest enabled auto-merge (squash) May 20, 2026 17:28
@bolinfest bolinfest merged commit 2b4898c into main May 20, 2026
47 of 62 checks passed
@bolinfest bolinfest deleted the pr22896 branch May 20, 2026 17:30
@github-actions github-actions Bot locked and limited conversation to collaborators May 20, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@iceweasel-oai iceweasel-oai iceweasel-oai approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bolinfest @iceweasel-oai