[codex] reduce module visibility (#16978)

## Summary - reduce public module visibility across Rust crates, preferring private or crate-private modules with explicit crate-root public exports - update external call sites and tests to use the intended public crate APIs instead of reaching through module trees - add the module visibility guideline to AGENTS.md ## Validation - `cargo check --workspace --all-targets --message-format=short` passed before the final fix/format pass - `just fix` completed successfully - `just fmt` completed successfully - `git diff --check` passed
2026-05-02 12:21:26 +03:00 · 2026-04-07 08:03:35 -07:00
parent 89f1a44afa
commit 413c1e1fdf
129 changed files with 695 additions and 496 deletions
--- a/codex-rs/windows-sandbox-rs/src/elevated/command_runner_win.rs
+++ b/codex-rs/windows-sandbox-rs/src/elevated/command_runner_win.rs
@@ -12,31 +12,33 @@

 use anyhow::Context;
 use anyhow::Result;
+use codex_windows_sandbox::ErrorPayload;
+use codex_windows_sandbox::ExitPayload;
+use codex_windows_sandbox::FramedMessage;
+use codex_windows_sandbox::Message;
+use codex_windows_sandbox::OutputPayload;
+use codex_windows_sandbox::OutputStream;
 use codex_windows_sandbox::PipeSpawnHandles;
 use codex_windows_sandbox::SandboxPolicy;
+use codex_windows_sandbox::SpawnReady;
+use codex_windows_sandbox::SpawnRequest;
 use codex_windows_sandbox::StderrMode;
 use codex_windows_sandbox::StdinMode;
 use codex_windows_sandbox::allow_null_device;
 use codex_windows_sandbox::convert_string_sid_to_sid;
 use codex_windows_sandbox::create_readonly_token_with_caps_from;
 use codex_windows_sandbox::create_workspace_write_token_with_caps_from;
+use codex_windows_sandbox::decode_bytes;
+use codex_windows_sandbox::encode_bytes;
 use codex_windows_sandbox::get_current_token_for_restriction;
 use codex_windows_sandbox::hide_current_user_profile_dir;
-use codex_windows_sandbox::ipc_framed::ErrorPayload;
-use codex_windows_sandbox::ipc_framed::ExitPayload;
-use codex_windows_sandbox::ipc_framed::FramedMessage;
-use codex_windows_sandbox::ipc_framed::Message;
-use codex_windows_sandbox::ipc_framed::OutputPayload;
-use codex_windows_sandbox::ipc_framed::OutputStream;
-use codex_windows_sandbox::ipc_framed::decode_bytes;
-use codex_windows_sandbox::ipc_framed::encode_bytes;
-use codex_windows_sandbox::ipc_framed::read_frame;
-use codex_windows_sandbox::ipc_framed::write_frame;
 use codex_windows_sandbox::log_note;
 use codex_windows_sandbox::parse_policy;
+use codex_windows_sandbox::read_frame;
 use codex_windows_sandbox::read_handle_loop;
 use codex_windows_sandbox::spawn_process_with_pipes;
 use codex_windows_sandbox::to_wide;
+use codex_windows_sandbox::write_frame;
 use std::ffi::c_void;
 use std::fs::File;
 use std::os::windows::io::FromRawHandle;
@@ -144,9 +146,7 @@ fn send_error(writer: &Arc<StdMutex<File>>, code: &str, message: String) -> Resu
 }

 /// Read and validate the initial spawn request frame.
-fn read_spawn_request(
-    reader: &mut File,
-) -> Result<codex_windows_sandbox::ipc_framed::SpawnRequest> {
+fn read_spawn_request(reader: &mut File) -> Result<SpawnRequest> {
    let Some(msg) = read_frame(reader)? else {
        anyhow::bail!("runner: pipe closed before spawn_request");
    };
@@ -184,9 +184,7 @@ fn effective_cwd(req_cwd: &Path, log_dir: Option<&Path>) -> PathBuf {
    }
 }

-fn spawn_ipc_process(
-    req: &codex_windows_sandbox::ipc_framed::SpawnRequest,
-) -> Result<IpcSpawnedProcess> {
+fn spawn_ipc_process(req: &SpawnRequest) -> Result<IpcSpawnedProcess> {
    let log_dir = req.codex_home.clone();
    hide_current_user_profile_dir(req.codex_home.as_path());
    log_note(
@@ -466,7 +464,7 @@ pub fn main() -> Result<()> {
    let msg = FramedMessage {
        version: 1,
        message: Message::SpawnReady {
-            payload: codex_windows_sandbox::ipc_framed::SpawnReady {
+            payload: SpawnReady {
                process_id: unsafe { GetProcessId(pi.hProcess) },
            },
        },
--- a/codex-rs/windows-sandbox-rs/src/lib.rs
+++ b/codex-rs/windows-sandbox-rs/src/lib.rs
@@ -34,7 +34,7 @@ mod conpty;

 #[cfg(target_os = "windows")]
 #[path = "elevated/ipc_framed.rs"]
-pub mod ipc_framed;
+pub(crate) mod ipc_framed;

 #[cfg(target_os = "windows")]
 #[path = "setup_orchestrator.rs"]
@@ -88,6 +88,30 @@ pub use identity::require_logon_sandbox_creds;
 #[cfg(target_os = "windows")]
 pub use identity::sandbox_setup_is_complete;
 #[cfg(target_os = "windows")]
+pub use ipc_framed::ErrorPayload;
+#[cfg(target_os = "windows")]
+pub use ipc_framed::ExitPayload;
+#[cfg(target_os = "windows")]
+pub use ipc_framed::FramedMessage;
+#[cfg(target_os = "windows")]
+pub use ipc_framed::Message;
+#[cfg(target_os = "windows")]
+pub use ipc_framed::OutputPayload;
+#[cfg(target_os = "windows")]
+pub use ipc_framed::OutputStream;
+#[cfg(target_os = "windows")]
+pub use ipc_framed::SpawnReady;
+#[cfg(target_os = "windows")]
+pub use ipc_framed::SpawnRequest;
+#[cfg(target_os = "windows")]
+pub use ipc_framed::decode_bytes;
+#[cfg(target_os = "windows")]
+pub use ipc_framed::encode_bytes;
+#[cfg(target_os = "windows")]
+pub use ipc_framed::read_frame;
+#[cfg(target_os = "windows")]
+pub use ipc_framed::write_frame;
+#[cfg(target_os = "windows")]
 pub use logging::LOG_FILE_NAME;
 #[cfg(target_os = "windows")]
 pub use logging::log_note;