
feat: support restricted ReadOnlyAccess in elevated Windows sandbox #14610

Merged
viyatb-oai merged 4 commits into main from codex/viyatb/windows-readonly-support
Mar 18, 2026

Conversation


@viyatb-oai viyatb-oai commented Mar 13, 2026

Summary

  • support legacy ReadOnlyAccess::Restricted on Windows in the elevated setup/runner backend
  • keep the unelevated restricted-token backend on the legacy full-read model only, and fail closed for restricted read-only policies there
  • keep the legacy full-read Windows path unchanged while deriving narrower read roots only for elevated restricted-read policies
  • honor include_platform_defaults by adding backend-managed Windows system roots only when requested, while always keeping helper roots and the command cwd readable
  • preserve workspace-write semantics by keeping writable roots readable when restricted read access is in use in the elevated backend
  • document the current Windows boundary: legacy SandboxPolicy is supported on both backends, while richer split-only carveouts still fail closed instead of running with weaker enforcement

Testing

  • cargo test -p codex-windows-sandbox
  • cargo check -p codex-windows-sandbox --tests --target x86_64-pc-windows-msvc
  • cargo clippy -p codex-windows-sandbox --tests --target x86_64-pc-windows-msvc -- -D warnings
  • cargo test -p codex-core windows_restricted_token_

Notes

  • local cargo test -p codex-windows-sandbox on macOS only exercises the non-Windows stubs; the Windows-targeted compile and clippy runs provide the local signal, and GitHub Windows CI exercises the runtime path


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

    SandboxPolicy::ReadOnly { .. } => {
        let psid = convert_string_sid_to_sid(&caps.readonly).unwrap();
        let (h, _) = super::token::create_readonly_token_with_cap(psid)?;

P1: Enforce restricted read roots in legacy Windows sandbox

run_windows_sandbox_capture now accepts all ReadOnly policies, but this branch ignores the ReadOnlyAccess variant and always builds the same token path. The legacy restricted-token backend still only applies ACL changes for writable roots, so ReadOnlyAccess::Restricted in RestrictedToken mode does not enforce configured readable roots and can read more than policy intends.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
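The dispatch that the PR summary and the review comment above describe, written out as an added illustration in Rust. This is not code from the codex-windows-sandbox crate: every type, field and function name here (the fields of ReadOnlyAccess::Restricted, Backend, Enforcement, plan_enforcement, plan_ignoring_access, is_readable, and the helper and platform-default roots) is an assumption made for the example. It shows the elevated backend deriving readable roots from a restricted policy (helper roots, the command cwd and any writable roots always included, system roots only when include_platform_defaults is set), the restricted-token backend refusing a restricted policy instead of running with full read, and, in plan_ignoring_access, the pattern the review flagged, where matching SandboxPolicy::ReadOnly { .. } without inspecting the access variant silently degrades a restricted policy to full read.

```rust
use std::path::{Path, PathBuf};

/// Legacy read-access modes as the PR describes them (field names are assumptions).
#[derive(Debug, PartialEq)]
pub enum ReadOnlyAccess {
    FullAccess,
    Restricted { readable_roots: Vec<PathBuf>, include_platform_defaults: bool },
}

#[derive(Debug, PartialEq)]
pub enum SandboxPolicy {
    ReadOnly { access: ReadOnlyAccess },
    WorkspaceWrite { writable_roots: Vec<PathBuf>, access: ReadOnlyAccess },
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Backend {
    /// Elevated setup/runner: can apply ACLs that narrow readable roots.
    Elevated,
    /// Unelevated restricted token: only adjusts ACLs for writable roots.
    RestrictedToken,
}

/// What gets enforced: `read_roots: None` is legacy full read, `Some` lists readable roots.
#[derive(Debug, PartialEq)]
pub struct Enforcement {
    pub read_roots: Option<Vec<PathBuf>>,
    pub write_roots: Vec<PathBuf>,
}

#[derive(Debug, PartialEq)]
pub enum PolicyError {
    /// The backend cannot enforce the policy, so refuse to run rather than weaken it.
    UnsupportedOnBackend(&'static str),
}

// Hypothetical roots, in forward-slash form so the example runs on any host.
const PLATFORM_DEFAULT_ROOTS: &[&str] = &["C:/Windows", "C:/Program Files"];
const HELPER_ROOTS: &[&str] = &["C:/sandbox-helper"];

/// Fail-closed dispatch: narrowed read roots are derived only on the elevated backend.
pub fn plan_enforcement(policy: &SandboxPolicy, backend: Backend, cwd: &Path) -> Result<Enforcement, PolicyError> {
    let (access, write_roots) = match policy {
        SandboxPolicy::ReadOnly { access } => (access, Vec::new()),
        SandboxPolicy::WorkspaceWrite { writable_roots, access } => (access, writable_roots.clone()),
    };
    match access {
        // Legacy full-read model: unchanged on both backends.
        ReadOnlyAccess::FullAccess => Ok(Enforcement { read_roots: None, write_roots }),
        ReadOnlyAccess::Restricted { .. } if backend == Backend::RestrictedToken => {
            Err(PolicyError::UnsupportedOnBackend("restricted-token backend supports full read only"))
        }
        ReadOnlyAccess::Restricted { readable_roots, include_platform_defaults } => {
            let mut roots = readable_roots.clone();
            // Helper roots and the command cwd are always readable.
            roots.extend(HELPER_ROOTS.iter().map(|s| PathBuf::from(*s)));
            roots.push(cwd.to_path_buf());
            // Workspace-write semantics: writable roots stay readable.
            roots.extend(write_roots.iter().cloned());
            // System roots only when the policy asks for platform defaults.
            if *include_platform_defaults {
                roots.extend(PLATFORM_DEFAULT_ROOTS.iter().map(|s| PathBuf::from(*s)));
            }
            roots.sort();
            roots.dedup();
            Ok(Enforcement { read_roots: Some(roots), write_roots })
        }
    }
}

/// The pattern the review flagged: `ReadOnly { .. }` matched without inspecting the
/// access variant, which silently degrades a restricted policy to full read.
pub fn plan_ignoring_access(policy: &SandboxPolicy) -> Enforcement {
    let write_roots = match policy {
        SandboxPolicy::ReadOnly { .. } => Vec::new(),
        SandboxPolicy::WorkspaceWrite { writable_roots, .. } => writable_roots.clone(),
    };
    Enforcement { read_roots: None, write_roots }
}

/// Would a read of `path` be allowed under this plan?
pub fn is_readable(plan: &Enforcement, path: &Path) -> bool {
    match &plan.read_roots {
        None => true,
        Some(roots) => roots.iter().any(|root| path.starts_with(root)),
    }
}

fn main() {
    let access = ReadOnlyAccess::Restricted { readable_roots: vec![PathBuf::from("C:/repo/src")], include_platform_defaults: false };
    let policy = SandboxPolicy::ReadOnly { access };
    let cwd = Path::new("C:/repo");
    println!("{:?}", plan_enforcement(&policy, Backend::Elevated, cwd));
    println!("{:?}", plan_enforcement(&policy, Backend::RestrictedToken, cwd));
}
```

The point to check in a real backend is the shape of the Err arm: a backend that cannot narrow read roots must refuse a restricted policy rather than take the full-read path, because from the caller's side both outcomes look like "the sandbox started".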

@viyatb-oai

@codex review


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ffcda22ea9


@viyatb-oai viyatb-oai changed the title feat: support restricted ReadOnlyAccess in Windows sandboxes feat: support restricted ReadOnlyAccess in elevated Windows sandbox Mar 13, 2026
@viyatb-oai

@codex review


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 94c55d09a4


@viyatb-oai viyatb-oai force-pushed the codex/viyatb/windows-readonly-support branch from 63a8a1c to 933d96b Compare March 18, 2026 00:32
@viyatb-oai viyatb-oai merged commit d950543 into main Mar 18, 2026
33 checks passed
@viyatb-oai viyatb-oai deleted the codex/viyatb/windows-readonly-support branch March 18, 2026 02:08
@github-actions github-actions bot locked and limited conversation to collaborators Mar 18, 2026