refactor sandboxing (1/?)

[nornagon-openai]

The sandboxing code has been getting a bit twisty. This is the first step of ??? to iron it out.

1. move all seatbelt code to a mac-only module under mac/. Goal: don't compile any Seatbelt-related code for platforms that don't have Seatbelt. Likewise for Landlock.
2. Remove codex_core::exec::SandboxType. This was just a bool with a different value for "true" on each platform. Now it's just a bool.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Respect platform sandbox availability

This new sandboxed flag ignores whether the current platform actually has a sandbox. In production we use get_platform_has_sandbox() (see core/src/safety.rs) to track e.g. the experimental Windows sandbox, and previously this code called get_platform_sandbox() to fall back to SandboxType::None when it was disabled. Now we always pass sandboxed = true for any policy that isn’t DangerFullAccess, so on Windows without the sandbox enabled we will still route through exec_windows_sandbox (see core/src/exec.rs around the new if sandboxed { return exec_windows_sandbox(...) }). That configuration is common, and those calls will start failing instead of running unsandboxed. Please gate this bool on get_platform_has_sandbox() the same way we did before.

Useful? React with 👍 / 👎.

[nornagon-openai]

@codex fix this build error on non-mac:

error: unused variable: `log_denials`
   --> cli/src/debug_sandbox.rs:109:5
    |
109 |     log_denials: bool,
    |     ^^^^^^^^^^^ help: if this is intentional, prefix it with an underscore: `_log_denials`
    |
    = note: `-D unused-variables` implied by `-D warnings`
    = help: to override `-D warnings` add `#[allow(unused_variables)]`

[chatgpt-codex-connector]

Summary

• Prevent unused-variable warnings for log_denials on non-macOS builds by marking the flag as used while keeping the sandbox helper signature consistent across platforms. cli/src/debug_sandbox.rsL104-L113

Testing

• ✅ just fmt
• ✅ just fix -p codex-cli
• ✅ cargo test -p codex-cli

View task →

[github-actions]

Closing this pull request because it has had no updates for more than 14 days. If you plan to continue working on it, feel free to reopen or open a new PR.