fix: support split carveouts in windows elevated sandbox

codex-rs/cli/src/debug_sandbox.rs

@@ -174,6 +174,9 @@ async fn run_command_under_sandbox(
                             timeout_ms: None,
                             use_private_desktop: config.permissions.windows_sandbox_private_desktop,
                             proxy_enforced: false,
+                            read_roots_override: None,
+                            write_roots_override: None,
+                            deny_write_paths_override: &[],
                         },
                     )
                 } else {

codex-rs/core/README.md

@@ -59,19 +59,24 @@ backend-managed system read roots required for basic execution, such as
 `C:\Windows`, `C:\Program Files`, `C:\Program Files (x86)`, and
 `C:\ProgramData`. When it is `false`, those extra system roots are omitted.
 
+The elevated Windows sandbox also supports:
+
+- legacy `ReadOnly` and `WorkspaceWrite` behavior
+- split filesystem policies that need exact readable roots, exact writable
+  roots, or extra read-only carveouts under writable roots
+
 The unelevated restricted-token backend still supports the legacy full-read
 Windows model for legacy `ReadOnly` and `WorkspaceWrite` behavior. It also
 supports a narrow split-filesystem subset: full-read split policies whose
 writable roots still match the legacy `WorkspaceWrite` root set, but add extra
 read-only carveouts under those writable roots.
 
 New `[permissions]` / split filesystem policies remain supported on Windows
-only when they round-trip through the legacy `SandboxPolicy` model without
-changing semantics. Policies that would require direct read restriction,
-explicit unreadable carveouts, reopened writable descendants under read-only
-carveouts, different writable root sets, or split carveout support in the
-elevated setup/runner backend still fail closed instead of running with weaker
-enforcement.
+only when they can be enforced directly by the selected Windows backend or
+round-trip through the legacy `SandboxPolicy` model without changing semantics.
+Policies that would require direct explicit unreadable carveouts (`none`) or
+reopened writable descendants under read-only carveouts still fail closed
+instead of running with weaker enforcement.
 
 ### All Platforms