fix(cli): correct verify --paths sandbox probe semantics

Install-test surfaced that sandbox-accept-home and sandbox-accept-tmp
probes always fail with 'Access denied' when run outside a project
context (e.g. from the filesystem root). The probe input paths did
match resolvePath's documented sandbox definition; the real defect
was in resolvePath's lookalike-sibling guard.

When no project root is detected, resolvePath falls back to
process.cwd() as the sandbox projectRoot. If cwd is a filesystem
root such as 'C:\' or '/', the root already ends in a separator.
isLookalikeSibling compared the target against the root character
by character and inspected the character at base.length, which for
any descendant of the root is path content (e.g. 'U' of 'Users'),
not a separator. Every legitimate descendant was therefore
mis-classified as a lookalike sibling and rejected, including
paths under homedir() and tmpdir().

Fix strips the trailing separator from the normalized base before
the sibling comparison and short-circuits to false when the
stripped base is empty (POSIX root) or just a drive letter
(Windows root), since a filesystem root cannot have lookalike
siblings by construction. Non-root bases retain identical
behavior.

Regression coverage added:
- test/paths.test.ts: resolvePath accepts home/tmp descendants
  when process.cwd() is the filesystem root.
- test/codex-manager-verify-command.test.ts: verify --paths
  sandbox-accept-home and sandbox-accept-tmp probes succeed when
  cwd is the filesystem root and no project root is detected.

Caught by: npm pack + npm install codex-multi-auth-1.3.0.tgz
followed by manual CLI run in a non-project directory whose
cwd walked up to a filesystem root.

Author: ndycode

lib/storage/paths.ts

@@ -377,13 +377,26 @@ function isWithinDirectory(baseDir: string, targetPath: string): boolean {
  * (not a descendant). A trailing separator after the base prefix must be present
  * to be considered a proper descendant; anything else (e.g. `home-evil/...`) is a
  * lookalike sibling and must be rejected to prevent path-guard bypass.
+ *
+ * Filesystem roots (POSIX `/`, Windows `C:\`) are stripped of their trailing
+ * separator before comparison so that legitimate descendants such as
+ * `C:\Users\neil\.codex\...` are not misclassified as siblings. A root has no
+ * siblings by construction, so after the strip we return false early when the
+ * base is empty (POSIX root) or just a drive letter (Windows root).
  */
 function isLookalikeSibling(baseDir: string, targetPath: string): boolean {
 	const normalizedBase = normalizePathForComparison(baseDir);
 	const normalizedTarget = normalizePathForComparison(targetPath);
-	if (normalizedTarget.length <= normalizedBase.length) return false;
-	if (!normalizedTarget.startsWith(normalizedBase)) return false;
-	const boundary = normalizedTarget.charAt(normalizedBase.length);
+	const baseWithoutTrailingSep = normalizedBase.replace(/[\\/]+$/, "");
+	if (
+		baseWithoutTrailingSep === "" ||
+		/^[a-z]:$/.test(baseWithoutTrailingSep)
+	) {
+		return false;
+	}
+	if (normalizedTarget.length <= baseWithoutTrailingSep.length) return false;
+	if (!normalizedTarget.startsWith(baseWithoutTrailingSep)) return false;
+	const boundary = normalizedTarget.charAt(baseWithoutTrailingSep.length);
 	return boundary !== sep && boundary !== "/" && boundary !== "\\";
 }
 

test/codex-manager-verify-command.test.ts

@@ -315,4 +315,44 @@ describe("sandbox-reject-escape probe with pathological cwd", () => {
 
 		cwdSpy.mockRestore();
 	});
+
+	it("accepts sandbox-accept-home and sandbox-accept-tmp when cwd is the filesystem root", () => {
+		// Regression for install-test: running `verify --paths` from a
+		// directory with no detectable project root (where resolvePath falls
+		// back to process.cwd() for the sandbox projectRoot) must still
+		// accept paths under homedir() and tmpdir(). The prior lookalike
+		// sibling check falsely rejected them when cwd was the filesystem
+		// root because the trailing separator of the root made every
+		// descendant appear to be a sibling.
+		setStoragePath(null);
+
+		const rootCwd = process.platform === "win32" ? "C:\\" : "/";
+		const cwdSpy = vi.spyOn(process, "cwd").mockReturnValue(rootCwd);
+
+		const deps: VerifyPathsDeps = {
+			getCwd: () => rootCwd,
+			findProjectRoot: () => null,
+			resolveProjectStorageIdentityRoot: () => rootCwd,
+			getProjectStorageKey: () => "project-rootcwd-probe",
+			getProjectConfigDir: () => rootCwd,
+			getProjectGlobalConfigDir: () =>
+				join(homedir(), ".codex", "multi-auth", "projects", "root-probe"),
+			resolvePath,
+		};
+
+		const report = runVerifyPathsCheck(deps);
+
+		const homeAccept = report.sandboxTests.find(
+			(test) => test.name === "sandbox-accept-home",
+		);
+		const tmpAccept = report.sandboxTests.find(
+			(test) => test.name === "sandbox-accept-tmp",
+		);
+		expect(homeAccept?.rejected).toBe(false);
+		expect(homeAccept?.ok).toBe(true);
+		expect(tmpAccept?.rejected).toBe(false);
+		expect(tmpAccept?.ok).toBe(true);
+
+		cwdSpy.mockRestore();
+	});
 });

test/paths.test.ts

@@ -862,6 +862,32 @@ describe("Storage Paths Module", () => {
 			expect(() => resolvePath(outsideLookalike)).toThrow("Access denied");
 		});
 
+		it("accepts paths within home/tmp when cwd is the filesystem root", () => {
+			// Regression: when process.cwd() is `C:\\` (or POSIX `/`) and no
+			// project root is set, resolvePath used to wrongly classify any
+			// path starting with the root drive/separator as a "lookalike
+			// sibling" of the root. That falsely rejected legitimate
+			// descendants such as `C:\\Users\\neil\\.codex\\...`.
+			setStoragePathState({
+				currentStoragePath: null,
+				currentLegacyProjectStoragePath: null,
+				currentLegacyWorktreeStoragePath: null,
+				currentProjectRoot: null,
+			});
+
+			const rootCwd = process.platform === "win32" ? "C:\\" : "/";
+			const cwdSpy = vi.spyOn(process, "cwd").mockReturnValue(rootCwd);
+
+			try {
+				const homePath = path.join(homedir(), ".codex", "verify-probe");
+				const tmpPath = path.join(tmpdir(), "verify-probe.tmp");
+				expect(() => resolvePath(homePath)).not.toThrow();
+				expect(() => resolvePath(tmpPath)).not.toThrow();
+			} finally {
+				cwdSpy.mockRestore();
+			}
+		});
+
 		it("should handle tilde-only path", () => {
 			const result = resolvePath("~");
 			expect(result).toBe(homedir());