From b00fdc84843a299e78e0a6f9ef687fe61ac8ff12 Mon Sep 17 00:00:00 2001
From: David Wiesen <iceweasel@openai.com>
Date: Thu, 14 May 2026 09:53:35 -0700
Subject: [PATCH] windows sandbox: tolerate refresh write acl warnings

---
 codex-rs/windows-sandbox-rs/src/setup_main_win.rs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/codex-rs/windows-sandbox-rs/src/setup_main_win.rs b/codex-rs/windows-sandbox-rs/src/setup_main_win.rs
index ca3fc1e444..d2bd16fcaf 100644
--- a/codex-rs/windows-sandbox-rs/src/setup_main_win.rs
+++ b/codex-rs/windows-sandbox-rs/src/setup_main_win.rs
@@ -579,6 +579,7 @@ fn run_setup_full(payload: &Payload, log: &mut File, sbx_dir: &Path) -> Result<(
             .ok_or_else(|| anyhow::anyhow!("convert workspace capability SID failed"))?
     };
     let mut refresh_errors: Vec<String> = Vec::new();
+    let mut refresh_warnings: Vec<String> = Vec::new();
     if !refresh_only {
         let proxy_allowlist_result = firewall::ensure_offline_proxy_allowlist(
             &offline_sid_str,
@@ -689,7 +690,7 @@ fn run_setup_full(payload: &Payload, log: &mut File, sbx_dir: &Path) -> Result<(
                 match path_mask_allows(root, &[psid], write_mask, /*require_all_bits*/ true) {
                     Ok(h) => h,
                     Err(e) => {
-                        refresh_errors.push(format!(
+                        refresh_warnings.push(format!(
                             "write mask check failed on {} for {label}: {}",
                             root.display(),
                             e
@@ -758,7 +759,7 @@ fn run_setup_full(payload: &Payload, log: &mut File, sbx_dir: &Path) -> Result<(
             match res {
                 Ok(_) => {}
                 Err(e) => {
-                    refresh_errors.push(format!("write ACE failed on {}: {}", root.display(), e));
+                    refresh_warnings.push(format!("write ACE failed on {}: {}", root.display(), e));
                     if log_line(
                         log,
                         &format!("write ACE grant failed on {}: {}", root.display(), e),
@@ -839,8 +840,9 @@ fn run_setup_full(payload: &Payload, log: &mut File, sbx_dir: &Path) -> Result<(
         log_line(
             log,
             &format!(
-                "setup refresh: processed {} write roots (read roots delegated); errors={:?}",
+                "setup refresh: processed {} write roots (read roots delegated); warnings={:?}; errors={:?}",
                 payload.write_roots.len(),
+                refresh_warnings,
                 refresh_errors
             ),
         )?;