remove sandbox globals. (#9797)

Threads sandbox updates through OverrideTurnContext for active turn Passes computed sandbox type into safety/exec
2026-05-05 05:42:33 +03:00 · 2026-01-27 11:04:23 -08:00
parent 894923ed5d
commit c40ad65bd8
35 changed files with 339 additions and 132 deletions
--- a/codex-rs/core/src/safety.rs
+++ b/codex-rs/core/src/safety.rs
@@ -10,45 +10,7 @@ use crate::util::resolve_path;

 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;
-
-#[cfg(target_os = "windows")]
-use std::sync::atomic::AtomicBool;
-#[cfg(target_os = "windows")]
-use std::sync::atomic::Ordering;
-
-#[cfg(target_os = "windows")]
-static WINDOWS_SANDBOX_ENABLED: AtomicBool = AtomicBool::new(false);
-#[cfg(target_os = "windows")]
-static WINDOWS_ELEVATED_SANDBOX_ENABLED: AtomicBool = AtomicBool::new(false);
-
-#[cfg(target_os = "windows")]
-pub fn set_windows_sandbox_enabled(enabled: bool) {
-    WINDOWS_SANDBOX_ENABLED.store(enabled, Ordering::Relaxed);
-}
-
-#[cfg(not(target_os = "windows"))]
-#[allow(dead_code)]
-pub fn set_windows_sandbox_enabled(_enabled: bool) {}
-
-#[cfg(target_os = "windows")]
-pub fn set_windows_elevated_sandbox_enabled(enabled: bool) {
-    WINDOWS_ELEVATED_SANDBOX_ENABLED.store(enabled, Ordering::Relaxed);
-}
-
-#[cfg(not(target_os = "windows"))]
-#[allow(dead_code)]
-pub fn set_windows_elevated_sandbox_enabled(_enabled: bool) {}
-
-#[cfg(target_os = "windows")]
-pub fn is_windows_elevated_sandbox_enabled() -> bool {
-    WINDOWS_ELEVATED_SANDBOX_ENABLED.load(Ordering::Relaxed)
-}
-
-#[cfg(not(target_os = "windows"))]
-#[allow(dead_code)]
-pub fn is_windows_elevated_sandbox_enabled() -> bool {
-    false
-}
+use codex_protocol::config_types::WindowsSandboxLevel;

 #[derive(Debug, PartialEq)]
 pub enum SafetyCheck {
@@ -67,6 +29,7 @@ pub fn assess_patch_safety(
    policy: AskForApproval,
    sandbox_policy: &SandboxPolicy,
    cwd: &Path,
+    windows_sandbox_level: WindowsSandboxLevel,
 ) -> SafetyCheck {
    if action.is_empty() {
        return SafetyCheck::Reject {
@@ -104,7 +67,7 @@ pub fn assess_patch_safety(
            // Only auto‑approve when we can actually enforce a sandbox. Otherwise
            // fall back to asking the user because the patch may touch arbitrary
            // paths outside the project.
-            match get_platform_sandbox() {
+            match get_platform_sandbox(windows_sandbox_level != WindowsSandboxLevel::Disabled) {
                Some(sandbox_type) => SafetyCheck::AutoApprove {
                    sandbox_type,
                    user_explicitly_approved: false,
@@ -122,19 +85,17 @@ pub fn assess_patch_safety(
    }
 }

-pub fn get_platform_sandbox() -> Option<SandboxType> {
+pub fn get_platform_sandbox(windows_sandbox_enabled: bool) -> Option<SandboxType> {
    if cfg!(target_os = "macos") {
        Some(SandboxType::MacosSeatbelt)
    } else if cfg!(target_os = "linux") {
        Some(SandboxType::LinuxSeccomp)
    } else if cfg!(target_os = "windows") {
-        #[cfg(target_os = "windows")]
-        {
-            if WINDOWS_SANDBOX_ENABLED.load(Ordering::Relaxed) {
-                return Some(SandboxType::WindowsRestrictedToken);
-            }
+        if windows_sandbox_enabled {
+            Some(SandboxType::WindowsRestrictedToken)
+        } else {
+            None
        }
-        None
    } else {
        None
    }
@@ -277,7 +238,13 @@ mod tests {
        };

        assert_eq!(
-            assess_patch_safety(&add_inside, AskForApproval::OnRequest, &policy, &cwd),
+            assess_patch_safety(
+                &add_inside,
+                AskForApproval::OnRequest,
+                &policy,
+                &cwd,
+                WindowsSandboxLevel::Disabled
+            ),
            SafetyCheck::AutoApprove {
                sandbox_type: SandboxType::None,
                user_explicitly_approved: false,