Elevated sandbox NUX (#8789)

Elevated Sandbox NUX: * prompt for elevated sandbox setup when agent mode is selected (via /approvals or at startup) * prompt for degraded sandbox if elevated setup is declined or fails * introduce /elevate-sandbox command to upgrade from degraded experience.
2026-05-04 13:21:54 +03:00 · 2026-01-08 16:23:06 -08:00
parent bdfdebcfa1
commit 6372ba9d5f
22 changed files with 1110 additions and 184 deletions
--- a/codex-rs/core/src/windows_sandbox.rs
+++ b/codex-rs/core/src/windows_sandbox.rs
@@ -0,0 +1,49 @@
+use crate::protocol::SandboxPolicy;
+use std::collections::HashMap;
+use std::path::Path;
+
+/// Kill switch for the elevated sandbox NUX on Windows.
+///
+/// When false, revert to the previous sandbox NUX, which only
+/// prompts users to enable the legacy sandbox feature.
+pub const ELEVATED_SANDBOX_NUX_ENABLED: bool = true;
+
+#[cfg(target_os = "windows")]
+pub fn sandbox_setup_is_complete(codex_home: &Path) -> bool {
+    codex_windows_sandbox::sandbox_setup_is_complete(codex_home)
+}
+
+#[cfg(not(target_os = "windows"))]
+pub fn sandbox_setup_is_complete(_codex_home: &Path) -> bool {
+    false
+}
+
+#[cfg(target_os = "windows")]
+pub fn run_elevated_setup(
+    policy: &SandboxPolicy,
+    policy_cwd: &Path,
+    command_cwd: &Path,
+    env_map: &HashMap<String, String>,
+    codex_home: &Path,
+) -> anyhow::Result<()> {
+    codex_windows_sandbox::run_elevated_setup(
+        policy,
+        policy_cwd,
+        command_cwd,
+        env_map,
+        codex_home,
+        None,
+        None,
+    )
+}
+
+#[cfg(not(target_os = "windows"))]
+pub fn run_elevated_setup(
+    _policy: &SandboxPolicy,
+    _policy_cwd: &Path,
+    _command_cwd: &Path,
+    _env_map: &HashMap<String, String>,
+    _codex_home: &Path,
+) -> anyhow::Result<()> {
+    anyhow::bail!("elevated Windows sandbox setup is only supported on Windows")
+}