[codex] Fix Windows sandbox runtime ACL refresh#28943

Merged: iceweasel-oai merged 2 commits into main from fix/windows-sandbox-runtime-read-acl-28084, Jun 18, 2026

@iceweasel-oai iceweasel-oai commented Jun 18, 2026

Collaborator

Why

Codex Desktop repairs sandbox-user read/execute access for binaries copied to %LOCALAPPDATA%\OpenAI\Codex\bin, but Computer Use launches its bundled Node runtime from %LOCALAPPDATA%\OpenAI\Codex\runtimes.

On fresh Windows installations, CodexSandboxUsers may therefore be unable to execute the bundled Node binary. The command runner starts, but CreateProcessAsUserW fails with error 5 (ACCESS_DENIED), causing the Node REPL to exit before Computer Use can discover applications.

This is a follow-up to #21564, which added the original runtime bin ACL repair.

What changed

  • Expand the Codex Desktop runtime ACL roots from only bin to both bin and runtimes.
  • Apply the existing inherited read/execute ACL repair to each runtime directory when it exists.
  • Rename the setup helper to reflect that it now handles multiple runtime paths.

Validation

  • cargo fmt -- --check
  • just test -p codex-windows-sandbox was run: 113 tests passed and five environment-dependent legacy execution tests failed because CreateRestrictedToken returned error 87.

@iceweasel-oai iceweasel-oai marked this pull request as ready for review June 18, 2026 17:33
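
A read-only check for the condition the PR description above reports, added here as an example and not code from the pull request: it shows whether CodexSandboxUsers holds an inheritable read/execute allow ACE on the `bin` and `runtimes` directories. The helper name `Get-SandboxReadExecuteState` is hypothetical; the group and directory names are the ones in the description.

```powershell
# Added diagnostic example; not code from the pull request.
# The group name and directory names are the ones given in the PR description.
$Group = 'CodexSandboxUsers'
$Base  = Join-Path $env:LOCALAPPDATA 'OpenAI\Codex'

function Get-SandboxReadExecuteState {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Principal
    )
    $state = [ordered]@{ Path = $Path; Exists = $false; Allowed = $false; Inheritable = $false }
    if (Test-Path -LiteralPath $Path -PathType Container) {
        $state.Exists = $true
        $need    = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        $inherit = [int][System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        $only    = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

        # Only allow ACEs that name the group are considered. Access reached through
        # other principals, deny ACEs and generic-rights ACEs are not evaluated.
        foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
            $id = $ace.IdentityReference.Value
            if ($id -ne $Principal -and $id -notlike "*\$Principal") { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $need) -ne $need) { continue }

            # ACE applies to the directory itself unless it is inherit-only.
            if (([int]$ace.PropagationFlags -band $only) -eq 0) { $state.Allowed = $true }
            # ACE reaches files and subdirectories created below this root.
            if (([int]$ace.InheritanceFlags -band $inherit) -eq $inherit) { $state.Inheritable = $true }
        }
    }
    [pscustomobject]$state
}

'bin', 'runtimes' |
    ForEach-Object { Get-SandboxReadExecuteState -Path (Join-Path $Base $_) -Principal $Group } |
    Format-Table -AutoSize
```

A row with Exists = True and Inheritable = False on `runtimes` means files below that root do not pick up the group's read/execute grant from the directory.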

@zm-oai zm-oai left a comment

Yay!

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Contributor

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 11fc8e1dfd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/windows-sandbox-rs/src/bin/setup_main/win/setup_runtime_bin.rs Outdated
@iceweasel-oai iceweasel-oai merged commit afbb69a into main Jun 18, 2026
46 of 47 checks passed
@iceweasel-oai iceweasel-oai deleted the fix/windows-sandbox-runtime-read-acl-28084 branch June 18, 2026 18:04
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 18, 2026