use a junction for the cwd while read ACLs are being applied (#8444)

The elevated setup synchronously applies read/write ACLs to any workspace roots. However, until we apply *read* permission to the full path, powershell cannot use some roots as a cwd as it needs access to all parts of the path in order to apply it as the working directory for a command. The solution is, while the async read-ACL part of setup is running, use a "junction" that lives in C:\Users\CodexSandbox{Offline|Online} that points to the cwd. Once the read ACLs are applied, we stop using the junction. ----- this PR also removes some dead code and overly-verbose logging, and has some light refactoring to the ACL-related functions
2026-05-01 03:42:05 +03:00 · 2025-12-22 12:23:13 -08:00
parent 7809e36a92
commit d65fe38b2c
11 changed files with 273 additions and 324 deletions
--- a/codex-rs/windows-sandbox-rs/src/env.rs
+++ b/codex-rs/windows-sandbox-rs/src/env.rs
@@ -29,7 +29,6 @@ pub fn ensure_non_interactive_pager(env_map: &mut HashMap<String, String>) {
 }

 // Keep PATH and PATHEXT stable for callers that rely on inheriting the parent process env.
-#[allow(dead_code)]
 pub fn inherit_path_env(env_map: &mut HashMap<String, String>) {
    if !env_map.contains_key("PATH") {
        if let Ok(path) = env::var("PATH") {