Fix Windows danger-full-access exec dispatch

2026-05-05 03:47:01 +00:00 · 2026-05-04 09:40:02 -07:00
2 changed files with 28 additions and 2 deletions
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -482,9 +482,20 @@ async fn get_raw_output_result(
    >,
 ) -> Result<RawExecToolCallOutput> {
    #[cfg(target_os = "windows")]
-    if sandbox == SandboxType::WindowsRestrictedToken {
-        return exec_windows_sandbox(params, sandbox_policy, windows_sandbox_filesystem_overrides)
+    {
+        let file_system_sandbox_policy = FileSystemSandboxPolicy::from(sandbox_policy);
+        if should_use_windows_restricted_token_sandbox(
+            sandbox,
+            sandbox_policy,
+            &file_system_sandbox_policy,
+        ) {
+            return exec_windows_sandbox(
+                params,
+                sandbox_policy,
+                windows_sandbox_filesystem_overrides,
+            )
            .await;
+        }
    }

    exec(params, network_sandbox_policy, stdout_stream, after_spawn).await
--- a/codex-rs/core/src/exec_tests.rs
+++ b/codex-rs/core/src/exec_tests.rs
@@ -377,6 +377,21 @@ async fn process_exec_tool_call_preserves_full_buffer_capture_policy() -> Result
    Ok(())
 }

+#[test]
+fn windows_restricted_token_skips_danger_full_access_policies() {
+    let policy = SandboxPolicy::DangerFullAccess;
+    let file_system_policy = FileSystemSandboxPolicy::from(&policy);
+
+    assert_eq!(
+        should_use_windows_restricted_token_sandbox(
+            SandboxType::WindowsRestrictedToken,
+            &policy,
+            &file_system_policy,
+        ),
+        false
+    );
+}
+
 #[test]
 fn windows_restricted_token_skips_external_sandbox_policies() {
    let policy = SandboxPolicy::ExternalSandbox {