windows-sandbox: preserve user SID for bash workspace-write tokens

codex-rs/windows-sandbox-rs/src/lib.rs

@@ -269,7 +269,7 @@ mod windows_impl {
     use super::sandbox_utils::ensure_codex_home_exists;
     use super::spawn_prep::prepare_legacy_spawn_context;
     use super::token::convert_string_sid_to_sid;
-    use super::token::create_workspace_write_token_with_caps_from;
+    use super::token::create_workspace_write_token_with_caps_and_user_from;
     use super::workspace_acl::is_command_cwd_root;
     use anyhow::Result;
     use std::collections::HashMap;
@@ -398,7 +398,7 @@ mod windows_impl {
                     let psid_workspace =
                         convert_string_sid_to_sid(&ws_sid).expect("valid workspace SID");
                     let base = super::token::get_current_token_for_restriction()?;
-                    let h_res = create_workspace_write_token_with_caps_from(
+                    let h_res = create_workspace_write_token_with_caps_and_user_from(
                         base,
                         &[psid_generic, psid_workspace],
                     );

codex-rs/windows-sandbox-rs/src/spawn_prep.rs

@@ -19,7 +19,7 @@ use crate::sandbox_utils::ensure_codex_home_exists;
 use crate::sandbox_utils::inject_git_safe_directory;
 use crate::token::convert_string_sid_to_sid;
 use crate::token::create_readonly_token_with_cap;
-use crate::token::create_workspace_write_token_with_caps_from;
+use crate::token::create_workspace_write_token_with_caps_and_user_from;
 use crate::token::get_current_token_for_restriction;
 use crate::token::get_logon_sid_bytes;
 use crate::workspace_acl::is_command_cwd_root;
@@ -172,7 +172,7 @@ pub(crate) fn prepare_legacy_session_security(
                 let workspace_sid = workspace_cap_sid_for_cwd(codex_home, cwd)?;
                 let psid_workspace = LocalSid::from_string(&workspace_sid)?;
                 let base = get_current_token_for_restriction()?;
-                let h_token = create_workspace_write_token_with_caps_from(
+                let h_token = create_workspace_write_token_with_caps_and_user_from(
                     base,
                     &[psid_generic.as_ptr(), psid_workspace.as_ptr()],
                 );