app-server: require absolute cwd for windowsSandbox/setupStart (#13833)

## Summary - require windowsSandbox/setupStart.cwd to be an AbsolutePathBuf - reject relative cwd values at request parsing instead of normalizing them later in the setup flow - add RPC-layer coverage for relative cwd rejection and update the checked-in protocol schemas/docs ## Why windowsSandbox/setupStart was carrying the client-provided cwd as a raw PathBuf for command_cwd while config derivation normalized the same value into an absolute policy_cwd. That left room for relative-path ambiguity in the setup path, especially for inputs like cwd: "repo". Making the RPC accept only absolute paths removes that split entirely: the handler now receives one already-validated absolute path and uses it for both config derivation and setup. This keeps the trust model unchanged. Trusted clients could already choose the session cwd; this change is only about making the setup RPC reject relative paths so command_cwd and policy_cwd cannot diverge. ## Testing - cargo test -p codex-app-server windows_sandbox_setup (run locally by user) - cargo test -p codex-app-server-protocol windows_sandbox (run locally by user)
2026-04-26 15:45:02 +00:00 · 2026-03-06 22:47:08 -08:00
parent b0ce16c47a
commit 4b4f61d379
9 changed files with 71 additions and 20 deletions
--- a/codex-rs/app-server/tests/suite/v2/windows_sandbox_setup.rs
+++ b/codex-rs/app-server/tests/suite/v2/windows_sandbox_setup.rs
@@ -62,3 +62,30 @@ async fn windows_sandbox_setup_start_emits_completion_notification() -> Result<(
    assert_eq!(payload.mode, WindowsSandboxSetupMode::Unelevated);
    Ok(())
 }
+
+#[tokio::test]
+async fn windows_sandbox_setup_start_rejects_relative_cwd() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let request_id = mcp
+        .send_raw_request(
+            "windowsSandbox/setupStart",
+            Some(serde_json::json!({
+                "mode": "unelevated",
+                "cwd": "relative-root",
+            })),
+        )
+        .await?;
+
+    let err = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+
+    assert_eq!(err.error.code, -32600);
+    assert!(err.error.message.contains("Invalid request"));
+    Ok(())
+}