[sandbox] Enforce protected workspace metadata paths

[evawong-oai]

Summary

Make FileSystemSandboxPolicy the semantic source of truth for project root metadata protection. Under writable roots, .git, .codex, and .agents stay protected unless user policy grants an explicit write rule for that metadata path.

Scope

1. Add protected_metadata_names to WritableRoot.
2. Teach FileSystemSandboxPolicy::can_write_path_with_cwd to reject protected metadata writes under writable roots unless explicitly allowed.
3. Default workspace write profiles to protect .git, .codex, and .agents.
4. Add the Linux fallback setup needed before Linux enforcement lands later in the stack.

Reviewer Focus

1. The policy decision belongs in FileSystemSandboxPolicy, not shell command parsing.
2. Legacy SandboxPolicy remains a compatibility projection, not the source of the new rule.
3. Explicit user write rules can still opt into these metadata paths.

Stack

1. Policy primitive: this PR
2. macOS Seatbelt adapter: Enforce workspace metadata protections in Seatbelt #19847
3. Shell preflight UX: Add workspace metadata shell preflight #19848
4. Runtime profile propagation: Propagate runtime permission profiles #19849
5. Linux bubblewrap adapter: Enforce workspace metadata protections in Linux sandbox #19852

Validation

1. codex protocol permissions tests
2. formatting for codex protocol and codex linux sandbox
3. diff whitespace check

[chatgpt-codex-connector]

💡 Codex Review

https://github.com/openai/codex/blob/ab4b378d678768326e770272994017d56c3b7c31/codex-rs/protocol/src/permissions.rs#L726-L728
Include preserved-write semantics in enforcement bridging check

needs_direct_runtime_enforcement decides compatibility by comparing semantic signatures, but preserved-name write denials are enforced in can_write_path_with_cwd and are not represented in the bridged legacy model. This can return false and skip direct enforcement even when .git/.agents/.codex writes should be blocked.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restrict preserved-name blocking to root-level metadata

can_write_path_with_cwd calls first_preserved_component, which scans all path components and denies writes whenever any component is .git, .agents, or .codex unless there is a deeper explicit rule. This blocks legitimate nested repo writes (e.g. /tmp/repo/.git/...) under otherwise writable roots, so common flows like cloning in /tmp regress.

Useful? React with 👍 / 👎.

[evawong-oai]

Fixed in 3ed97f5.

The active contract is now represented on WritableRoot.protected_metadata_names. get_writable_roots_with_cwd() fills that field for .git, .agents, and .codex, and explicit writable rules for those paths remove the matching name from the parent root.

needs_direct_runtime_enforcement() now checks that field before the legacy semantic comparison. If legacy SandboxPolicy cannot express the metadata protection contract, we keep the direct enforcement path. That removes the hidden dependency on can_write_path_with_cwd() for the bridge decision.

The stale inline nested repo concern is also covered by the current contract. This only protects the first component under each writable root, so normal nested work below a regular directory is not blocked by this field.

Validation passed locally, and the devbox 46 case suite passed with just c sandbox linux at 8cf759200dd2355df3a76fbfcb0dc9f8619f33f5.

[viyatb-oai]

can you preserve comments from the old code?