fix(core): remember Windows session approvals (#4212)

[cpjet64]

Fixes #4212

What

• Add remember_approved_command so both the displayed and executed command vectors are cached after an “Approve for this session” decision.

• Invoke the helper from the approval and sandbox-retry paths instead of add_approved_command.

• Add a regression test that previously failed on Windows because only the translated PowerShell vector was stored.

• Fold in “Align Windows command allowlist with Unix” so the Windows sandbox now treats the same commands as auto-approved as Unix does:

  • Bare commands: cat, cd, echo, false, grep, head, ls, nl, pwd, tail, true, wc, which
  • find provided none of {-exec, -execdir, -ok, -okdir, -delete, -fls, -fprint, -fprint0, -fprintf}
  • rg when omitting --pre, --hostname-bin, --search-zip, and -z (including equals forms)
  • git subcommands: {branch, status, log, diff, show}
  • cargo check
  • sed -n {N|M,N}p FILE with the same numeric validation as Unix

Why

• Windows wraps shell commands before execution; the original vector shown in the UI was never recorded. As a result, the next identical request prompted again despite the user’s choice.
• Without the mirrored allowlist, Windows sessions could not auto-approve many of the commands the rest of the change relies on, making the “remember” flow incomplete.

How

• Update codex-rs/core/src/codex.rs to translate the cached vectors.
• Extend the session-state helper to store both vectors when they differ.
• Exercise the Windows pathway in codex::tests::remember_approved_command_records_both_variants.
• Implement is_safe_command_windows so it mirrors the Unix logic and document its behavior with unit tests in codex-rs/core/src/command_safety/windows_safe_commands.rs.

Testing

• cargo fmt
• cargo clippy -p codex-core --fix --allow-dirty --tests --all-features
• cargo test -p codex-core (fails: unified_exec::tests::reusing_completed_session_returns_unknown_session, known upstream)
• cargo test --all-features (same known failure as above)

NOTE: I merged in the windows safe commands branch I made because the original changes in this branch were still useless if there was no windows safe commands to begin with. Since we wrap pwsh.exe i used commands that alias the correct powershell commands. Would need to build a command string parser to handle straight powershell commands directly.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.