move cap_sid file into ~/.codex so the sandbox cannot overwrite it (#6798)

The `cap_sid` file contains the IDs of the two custom SIDs that the
Windows sandbox creates/manages to implement read-only and
workspace-write sandbox policies.

It previously lived in `<cwd>/.codex`, which meant that the sandbox could
write to it, which could degrade the efficacy of the sandbox. This
change moves it to `~/.codex/` (or wherever `CODEX_HOME` points to) so
that it is outside the workspace.
iceweasel-oai
2025-11-17 15:49:41 -08:00
committed by GitHub
parent 8bebe86a47
commit e032d338f2
5 changed files with 34 additions and 22 deletions
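The security point of the commit message is that a file the sandbox itself can write cannot be trusted to configure that sandbox, so the resolved `cap_sid` location must never fall under the workspace. The following is an added example, not code from the codex repository: it resolves the file under `CODEX_HOME` (falling back to `<home>/.codex`) and refuses any placement that a workspace-write policy could reach, including a `CODEX_HOME` that the user has pointed back into the workspace. The file name `cap_sid`, the function names and the sample paths are assumptions for illustration.

```rust
// Added example (not codex's own code): pick the `cap_sid` location from
// CODEX_HOME / ~/.codex and verify it sits outside the sandboxed workspace.
use std::env;
use std::path::{Path, PathBuf};

/// Name of the file holding the two custom SID strings (assumed name,
/// taken from the commit message).
pub const CAP_SID_FILE: &str = "cap_sid";

/// Resolve the codex home directory: `CODEX_HOME` if set and non-empty,
/// otherwise `<home>/.codex`. Both inputs are passed explicitly so the
/// logic can be exercised without touching the real environment.
pub fn codex_home(codex_home_env: Option<&str>, home_dir: &Path) -> PathBuf {
    match codex_home_env {
        Some(s) if !s.trim().is_empty() => PathBuf::from(s),
        _ => home_dir.join(".codex"),
    }
}

/// Location of the `cap_sid` file under the codex home.
pub fn cap_sid_path(codex_home_env: Option<&str>, home_dir: &Path) -> PathBuf {
    codex_home(codex_home_env, home_dir).join(CAP_SID_FILE)
}

/// True if `path` is the workspace itself or lexically below it.
/// This is a component-wise check only: callers should canonicalize both
/// paths first when they exist, so symlinks and `..` cannot defeat it.
pub fn is_inside_workspace(path: &Path, workspace: &Path) -> bool {
    path.starts_with(workspace)
}

/// Choose the `cap_sid` location for a sandbox run, rejecting any placement
/// that a workspace-write policy could overwrite.
pub fn cap_sid_for_sandbox(
    codex_home_env: Option<&str>,
    home_dir: &Path,
    workspace: &Path,
) -> Result<PathBuf, String> {
    let p = cap_sid_path(codex_home_env, home_dir);
    if is_inside_workspace(&p, workspace) {
        return Err(format!(
            "refusing cap_sid at {}: it is inside the sandbox-writable workspace {}",
            p.display(),
            workspace.display()
        ));
    }
    Ok(p)
}

fn main() {
    // Real environment: CODEX_HOME override if present, HOME as fallback base.
    let codex_home_env = env::var("CODEX_HOME").ok();
    let home = PathBuf::from(env::var("HOME").unwrap_or_else(|_| ".".to_string()));
    let workspace = env::current_dir().unwrap_or_else(|_| PathBuf::from("."));

    match cap_sid_for_sandbox(codex_home_env.as_deref(), &home, &workspace) {
        Ok(p) => println!("cap_sid will live at {}", p.display()),
        Err(e) => eprintln!("{e}"),
    }

    // The pre-change layout, <cwd>/.codex/cap_sid, fails the same check.
    let old_layout = workspace.join(".codex").join(CAP_SID_FILE);
    println!(
        "old layout {} inside workspace: {}",
        old_layout.display(),
        is_inside_workspace(&old_layout, &workspace)
    );
}
```

The check is deliberately applied to the resolved path rather than to the directory name, so a `CODEX_HOME` that happens to point inside the workspace is caught the same way the old `<cwd>/.codex` layout is.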


@@ -155,11 +155,11 @@ async fn run_command_under_sandbox(
run_windows_sandbox_capture(
policy_str,
&sandbox_cwd,
base_dir.as_path(),
command_vec,
&cwd_clone,
env_map,
None,
Some(base_dir.as_path()),
)
})
.await;
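Review bot: the call now ends with two adjacent positional `Option` arguments, `None,` followed by `Some(base_dir.as_path()),`, and nothing at the call site says which of the two is the new `cap_sid` base directory (`~/.codex` / `CODEX_HOME`) and which parameter is being left unset; consider binding them to named locals (for example `let cap_sid_dir = Some(base_dir.as_path());`) or adding a one-line comment so a reader can tell the new location is the codex home and not the workspace. Also, because this rendered hunk has lost its `+`/`-` markers, it is not visible whether `base_dir.as_path(),` in the third position is the line being removed or whether `base_dir` is now passed twice; if both survive, the earlier argument should be dropped or its purpose documented.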