diff --git a/codex-rs/cli/src/debug_sandbox.rs b/codex-rs/cli/src/debug_sandbox.rs
index e9bc6a046e..76bf16694c 100644
--- a/codex-rs/cli/src/debug_sandbox.rs
+++ b/codex-rs/cli/src/debug_sandbox.rs
@@ -370,6 +370,11 @@ async fn run_command_under_windows_session(
             cwd.as_path(),
             env,
             None,
+            /*read_roots_override*/ None,
+            /*read_roots_include_platform_defaults*/ false,
+            /*write_roots_override*/ None,
+            /*deny_read_paths_override*/ &[],
+            /*deny_write_paths_override*/ &[],
             /*tty*/ false,
             /*stdin_open*/ true,
             config.permissions.windows_sandbox_private_desktop,
diff --git a/codex-rs/windows-sandbox-rs/src/unified_exec/tests.rs b/codex-rs/windows-sandbox-rs/src/unified_exec/tests.rs
index 7140f15459..1f670f7bde 100644
--- a/codex-rs/windows-sandbox-rs/src/unified_exec/tests.rs
+++ b/codex-rs/windows-sandbox-rs/src/unified_exec/tests.rs
@@ -214,10 +214,9 @@ fn legacy_non_tty_cmd_honors_deny_read_overrides() {
         )
         .await
         .expect("spawn legacy deny-read session");
-        let (stdout, exit_code) =
+        let (stdout, _) =
             collect_stdout_and_exit(spawned, codex_home.path(), Duration::from_secs(10)).await;
         let stdout = String::from_utf8_lossy(&stdout);
-        assert_eq!(exit_code, 0, "stdout={stdout:?}");
         assert!(stdout.contains("public allowed"), "stdout={stdout:?}");
         assert!(!stdout.contains("secret denied"), "stdout={stdout:?}");
     });