codex/codex-rs/core/tests
viyatb-oai c69f7f6f37 feat(sandbox): add Windows deny-read parity
Add Windows deny-read enforcement for split filesystem policies by resolving exact and glob unreadable entries into ACL targets, threading those paths through the restricted-token and elevated Windows sandbox backends, and applying deny-read ACE overlays with stale cleanup records.

Exact missing paths are materialized before ACE application so sandboxed subprocesses cannot create and read them during the same run. Existing paths are planned with both lexical and canonical targets to cover reparse-point aliases.

Co-authored-by: Codex <noreply@openai.com>
2026-05-08 10:09:47 -07:00