Windows Sandbox - Alpha version (#4905)

- Added the new codex-windows-sandbox crate that builds both a library entry point (run_windows_sandbox_capture) and a CLI executable to launch commands inside a Windows restricted-token sandbox, including ACL management, capability SID provisioning, network lockdown, and output capture (windows-sandbox-rs/src/lib.rs:167, windows-sandbox-rs/src/main.rs:54). - Introduced the experimental WindowsSandbox feature flag and wiring so Windows builds can opt into the sandbox: SandboxType::WindowsRestrictedToken, the in-process execution path, and platform sandbox selection now honor the flag (core/src/features.rs:47, core/src/config.rs:1224, core/src/safety.rs:19, core/src/sandboxing/mod.rs:69, core/src/exec.rs:79, core/src/exec.rs:172). - Updated workspace metadata to include the new crate and its Windows-specific dependencies so the core crate can link against it (codex-rs/ Cargo.toml:91, core/Cargo.toml:86). - Added a PowerShell bootstrap script that installs the Windows toolchain, required CLI utilities, and builds the workspace to ease development on the platform (scripts/setup-windows.ps1:1). - Landed a Python smoke-test suite that exercises read-only/workspace-write policies, ACL behavior, and network denial for the Windows sandbox binary (windows-sandbox-rs/sandbox_smoketests.py:1).
2025-10-30 15:51:57 -07:00
parent ff6d4cec6b
commit 87cce88f48
34 changed files with 2994 additions and 30 deletions
--- a/codex-rs/tui/src/chatwidget.rs
+++ b/codex-rs/tui/src/chatwidget.rs
@@ -1862,7 +1862,10 @@ impl ChatWidget {
                current_approval == preset.approval && current_sandbox == preset.sandbox;
            let name = preset.label.to_string();
            let description_text = preset.description;
-            let description = if cfg!(target_os = "windows") && preset.id == "auto" {
+            let description = if cfg!(target_os = "windows")
+                && preset.id == "auto"
+                && codex_core::get_platform_sandbox().is_none()
+            {
                Some(format!(
                    "{description_text}\nRequires Windows Subsystem for Linux (WSL). Show installation instructions..."
                ))
@@ -1882,7 +1885,10 @@ impl ChatWidget {
                        preset: preset_clone.clone(),
                    });
                })]
-            } else if cfg!(target_os = "windows") && preset.id == "auto" {
+            } else if cfg!(target_os = "windows")
+                && preset.id == "auto"
+                && codex_core::get_platform_sandbox().is_none()
+            {
                vec![Box::new(|tx| {
                    tx.send(AppEvent::ShowWindowsAutoModeInstructions);
                })]
--- a/codex-rs/tui/src/history_cell.rs
+++ b/codex-rs/tui/src/history_cell.rs
@@ -1424,7 +1424,7 @@ fn format_mcp_invocation<'a>(invocation: McpInvocation) -> Line<'a> {
    let args_str = invocation
        .arguments
        .as_ref()
-        .map(|v| {
+        .map(|v: &serde_json::Value| {
            // Use compact form to keep things short but readable.
            serde_json::to_string(v).unwrap_or_else(|_| v.to_string())
        })
--- a/codex-rs/tui/src/status/helpers.rs
+++ b/codex-rs/tui/src/status/helpers.rs
@@ -89,7 +89,7 @@ pub(crate) fn compose_account_display(config: &Config) -> Option<StatusAccountDi
    if let Some(tokens) = auth.tokens.as_ref() {
        let info = &tokens.id_token;
        let email = info.email.clone();
-        let plan = info.get_chatgpt_plan_type().map(|plan| title_case(&plan));
+        let plan = info.get_chatgpt_plan_type().as_deref().map(title_case);
        return Some(StatusAccountDisplay::ChatGpt { email, plan });
    }