Protect workspace .agents directory in Windows sandbox (#11970)

The Mac and Linux implementations of the sandbox recently added write
protections for `.codex` and `.agents` subdirectories in all writable
roots. When adding documentation for this, I noticed that this change
was never made for the Windows sandbox.

Summary
- make compute_allow_paths treat .codex/.agents as protected alongside
.git, and cover their behavior in new tests
- wire protect_workspace_agents_dir through the sandbox lib and setup
path to apply deny ACEs when `.agents` exists
- factor shared ACL logic for workspace subdirectories
Eric Traut
2026-02-17 09:40:46 -08:00
committed by GitHub
parent 31906cdb4d
commit 5296e06b61
4 changed files with 85 additions and 11 deletions


@@ -127,6 +127,8 @@ pub use winutil::to_wide;
#[cfg(target_os = "windows")]
pub use workspace_acl::is_command_cwd_root;
#[cfg(target_os = "windows")]
pub use workspace_acl::protect_workspace_agents_dir;
#[cfg(target_os = "windows")]
pub use workspace_acl::protect_workspace_codex_dir;
#[cfg(not(target_os = "windows"))]
@@ -165,6 +167,7 @@ mod windows_impl {
use super::winutil::quote_windows_arg;
use super::winutil::to_wide;
use super::workspace_acl::is_command_cwd_root;
use super::workspace_acl::protect_workspace_agents_dir;
use super::workspace_acl::protect_workspace_codex_dir;
use anyhow::Result;
use std::collections::HashMap;
@@ -344,6 +347,7 @@ mod windows_impl {
if let Some(psid) = psid_workspace {
allow_null_device(psid);
let _ = protect_workspace_codex_dir(&current_dir, psid);
let _ = protect_workspace_agents_dir(&current_dir, psid);
}
}
@@ -552,6 +556,7 @@ mod windows_impl {
allow_null_device(psid_generic);
allow_null_device(psid_workspace);
let _ = protect_workspace_codex_dir(&current_dir, psid_workspace);
let _ = protect_workspace_agents_dir(&current_dir, psid_workspace);
}
Ok(())
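Review bot: The new `let _ = protect_workspace_agents_dir(&current_dir, psid_workspace);` discards the `Result`, so if the deny ACE cannot be applied the sandbox still starts with `.agents` writable and nothing records why; the same applies to the added call in the `@@ -344,6 +347,7 @@` hunk. At minimum log the failure, e.g. `if let Err(err) = protect_workspace_agents_dir(&current_dir, psid_workspace) { /* log err via the module's existing logging */ }`, and decide explicitly whether a failed protection should abort setup rather than inheriting the swallow pattern from the pre-existing `protect_workspace_codex_dir` call. The commit description says the ACE is applied only when `.agents` exists; if so, a directory created after setup would presumably not be covered, which deserves a comment at the call site stating that assumption and a check that the Mac/Linux implementations behave the same way. The enclosing function starts and ends outside the hunk.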