initial implementation of sandboxing using AppContainer.

codex-rs/exec/tests/windows_sandbox.rs

@@ -0,0 +1,74 @@
+#![cfg(windows)]
+
+use std::collections::HashMap;
+use std::path::PathBuf;
+
+use codex_core::exec::ExecParams;
+use codex_core::exec::SandboxType;
+use codex_core::exec::process_exec_tool_call;
+use codex_core::protocol::SandboxPolicy;
+use codex_core::safety::set_windows_sandbox_enabled;
+
+struct WindowsSandboxGuard;
+
+impl WindowsSandboxGuard {
+    fn enable() -> Self {
+        set_windows_sandbox_enabled(true);
+        Self
+    }
+}
+
+impl Drop for WindowsSandboxGuard {
+    fn drop(&mut self) {
+        set_windows_sandbox_enabled(false);
+    }
+}
+
+fn windows_workspace_policy(root: &PathBuf) -> SandboxPolicy {
+    SandboxPolicy::WorkspaceWrite {
+        writable_roots: vec![root.clone()],
+        network_access: false,
+        exclude_tmpdir_env_var: true,
+        exclude_slash_tmp: true,
+    }
+}
+
+#[tokio::test]
+async fn exec_tool_uses_windows_sandbox() {
+    let _guard = WindowsSandboxGuard::enable();
+    let temp = tempfile::tempdir().expect("tempdir");
+    let cwd = temp.path().to_path_buf();
+    let policy = windows_workspace_policy(&cwd);
+    let params = ExecParams {
+        command: vec![
+            "cmd.exe".to_string(),
+            "/C".to_string(),
+            "set CODEX_SANDBOX".to_string(),
+        ],
+        cwd: cwd.clone(),
+        timeout_ms: None,
+        env: HashMap::new(),
+        with_escalated_permissions: None,
+        justification: None,
+    };
+
+    let output = process_exec_tool_call(
+        params,
+        SandboxType::WindowsAppContainer,
+        &policy,
+        temp.path(),
+        &None,
+        None,
+    )
+    .await
+    .expect("exec output");
+
+    assert_eq!(output.exit_code, 0);
+    assert!(
+        output
+            .aggregated_output
+            .text
+            .to_lowercase()
+            .contains("codex_sandbox=windows_appcontainer")
+    );
+}