diff --git a/codex-rs/windows-sandbox-rs/src/lib.rs b/codex-rs/windows-sandbox-rs/src/lib.rs
index 522f8926d5..067617bbac 100644
--- a/codex-rs/windows-sandbox-rs/src/lib.rs
+++ b/codex-rs/windows-sandbox-rs/src/lib.rs
@@ -173,6 +173,10 @@ pub use session::spawn_windows_sandbox_session_elevated;
 #[cfg(target_os = "windows")]
 pub use session::spawn_windows_sandbox_session_legacy;
 #[cfg(target_os = "windows")]
+pub use setup::ProtectedMetadataMode;
+#[cfg(target_os = "windows")]
+pub use setup::ProtectedMetadataTarget;
+#[cfg(target_os = "windows")]
 pub use setup::SETUP_VERSION;
 #[cfg(target_os = "windows")]
 pub use setup::SandboxSetupRequest;
diff --git a/codex-rs/windows-sandbox-rs/src/setup_orchestrator.rs b/codex-rs/windows-sandbox-rs/src/setup_orchestrator.rs
index ef952a4e03..4ca80d12d3 100644
--- a/codex-rs/windows-sandbox-rs/src/setup_orchestrator.rs
+++ b/codex-rs/windows-sandbox-rs/src/setup_orchestrator.rs
@@ -99,6 +99,23 @@ pub struct SetupRootOverrides {
     pub deny_write_paths: Option>,
 }
 
+/// Layer: Windows enforcement request boundary. These targets are projected by
+/// the adapter layer before they reach the setup helper.
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+pub struct ProtectedMetadataTarget {
+    pub path: PathBuf,
+    pub mode: ProtectedMetadataMode,
+}
+
+/// Layer: Windows enforcement request boundary. The helper must distinguish
+/// existing metadata objects from missing names that need create monitoring.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+pub enum ProtectedMetadataMode {
+    ExistingDeny,
+    MissingCreationMonitor,
+}
+
 pub fn run_setup_refresh(
     policy: &SandboxPolicy,
     policy_cwd: &Path,
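Review bot: The new re-exports read `setup::ProtectedMetadataMode` and `setup::ProtectedMetadataTarget`, while the only definitions of those names in this diff are added to `setup_orchestrator.rs`, not to a `setup` module. Unless `setup` already re-exports them from the orchestrator or defines its own copies of the same names (which the "projected by the adapter layer" wording in the other hunk may be hinting at), these `pub use` lines will not resolve on Windows builds. If `setup` does carry its own copies, it is worth confirming the two definitions agree on the `#[serde(rename_all = "kebab-case")]` wire form, since the re-exported type is what external callers serialize against.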
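Review bot: `ProtectedMetadataTarget::path` and the two `ProtectedMetadataMode` variants have no field- or variant-level documentation, even though the struct doc says the adapter projects these targets before the helper sees them, which makes the projection an invariant the helper relies on. Document on `path` whether it must be absolute and normalized when it reaches the helper, and spell out each variant from the enum's own description: `/// The metadata object already exists; the helper applies a deny rule to it.` for `ExistingDeny` and `/// The name does not exist yet; the helper monitors for its creation.` for `MissingCreationMonitor`. Because the mode is chosen by an existence check in the adapter and enforced later by the helper, the docs should also state what the helper does when filesystem state has changed in between (a `MissingCreationMonitor` name that now exists, or an `ExistingDeny` object that has been removed); that window is not visible in this hunk and may already be handled on the helper side. As a minor style point, the enum carries `#[serde(rename_all = "kebab-case")]` but the struct does not, which is harmless for the single-word fields here but worth aligning if more fields are added.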