{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreife3nppllybi2zpvqt3ntgr6ihl7gzomkfc4igtr7fwemy47sfkda",
    "uri": "at://did:plc:lk3jfj3zq4k4wxnk474axylu/app.bsky.feed.post/3mmcite7c4on2"
  },
  "path": "/t/codex-cli-on-windows-update-fails/1381341#post_9",
  "publishedAt": "2026-05-20T17:36:13.000Z",
  "site": "https://community.openai.com",
  "tags": [
    "github.com/openai/codex",
    "windows-sandbox: add resolved permissions helper (#22896)",
    "bolinfest",
    "+194\n-65",
    "…"
  ],
  "textContent": "They may be working on this and may have fixed it.\n\ngithub.com/openai/codex\n\n#### windows-sandbox: add resolved permissions helper (#22896)\n\ncommitted 05:30PM - 20 May 26 UTC\n\nbolinfest\n\n+194 -65\n\n## Why\n\nThe Windows sandbox migration away from the legacy `SandboxPolicy` abstraction needs a small local bridge before IPC and core wiring can move to `PermissionProfile`. Leaf helpers currently branch directly on `WorkspaceWrite`, which spreads legacy assumptions through path planning and token setup code. This PR introduces a Windows-local resolved permissions view so those helpers can ask Windows-specific questions about runtime filesystem/network permissions without matching on the legacy policy enum everywhere.\n\n## What changed\n\n- Added `ResolvedWindowsSandboxPermissions` in `windows-sandbox-rs/src/resolved_permissions.rs`, with legacy `SandboxPolicy` constructors for the current call sites.\n- Moved `allow.rs` writable-root and read-only-subpath planning onto the resolved permissions type.\n- Preserved Windows `TEMP`/`TMP` writable-root behavior when the effective policy includes writable tmpdir access.\n- Avoided resolving Unix `:slash_tmp` or parent-process `TMPDIR` while computing Windows writable roots.\n- Reused the shared allow-path result for setup write-root gathering and routed network-block selection through the resolved abstraction.\n\n## Verification\n\n- `cargo test -p codex-windows-sandbox`\n- `just fix -p codex-windows-sandbox`\n- GitHub CI restarted on the amended commit; Windows Bazel is the required signal for the Windows-only code paths.\n\n---\n\n[//]: # (BEGIN SAPLING FOOTER)\nStack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/22896).\n\n* #23715\n* #23714\n* #23167\n* #22923\n* #22918\n* __->__ #22896",
  "title": "Codex CLI on Windows update fails"
}