feat(cli): Windows filesystem support — preopen each drive as /{letter}

GamePad64 · GamePad64 · commit 969d0438efa1 · 2026-04-20T00:49:13.000+03:00
On Windows, FsConfig::preopens() now enumerates accessible drives
(A–Z, skipping any whose std::fs::metadata call fails) and returns one
preopen per drive: guest /{lowercase letter} → host {uppercase letter}:\.
Unix keeps the single virtual-root preopen at /. A no_std-ish fallback
remains for other platforms.

Matcher also normalises backslashes to forward slashes in the compiled
patterns on Windows so globset can match against Path separators that
end up as / after globset's own normalisation. User-written Windows
patterns should already use forward slashes (globset convention):

  --fs-allow 'C:/Users/alex/project/**'
  --fs-deny  '/c/Windows/System32/**'

Known caveats:
- cross-drive rename/link is not handled specially; both sides must be
  in an allowed path.
- Windows long-path / UNC forms (\\?\C:\...) are not automatically
  translated; cap-std handles the low-level conversion, users write
  regular drive-letter paths.
diff --git a/act-cli/src/config.rs b/act-cli/src/config.rs
@@ -55,26 +55,60 @@ impl FsConfig {
         }
     }
 
-    /// Preopens for this policy. Layer 1 uses a single virtual-root preopen
-    /// at host `/` for every non-`Deny` mode — the `FsMatcher` is the only
-    /// enforcement point. The guest sees the whole host filesystem in its
-    /// namespace but can't actually open anything the matcher denies.
+    /// Preopens for this policy.
     ///
-    /// Deny mode: no preopens at all (guest can't name anything).
+    /// For every non-`Deny` mode, the `FsMatcher` is the only enforcement
+    /// point — the guest sees the whole (platform-native) host filesystem in
+    /// its namespace but can't actually open anything the matcher denies.
+    ///
+    /// - Unix: a single virtual-root preopen `{guest: "/", host: "/"}`.
+    /// - Windows: one preopen per accessible drive, guest `/{lowercase letter}`
+    ///   → host `{uppercase letter}:\`. Drives are enumerated by attempting
+    ///   `std::fs::metadata` on each letter A–Z; inaccessible drives are
+    ///   silently skipped.
     ///
-    /// This is Unix-first: preopening `/` assumes a POSIX root. Windows
-    /// support requires preopening each drive separately and is deferred.
+    /// Deny mode: no preopens at all (guest can't name anything).
     pub fn preopens(&self) -> Result<Vec<DirMount>> {
         match self.mode {
             PolicyMode::Deny => Ok(vec![]),
-            PolicyMode::Open | PolicyMode::Allowlist => Ok(vec![DirMount {
-                guest: "/".to_string(),
-                host: PathBuf::from("/"),
-            }]),
+            PolicyMode::Open | PolicyMode::Allowlist => Ok(platform_root_preopens()),
         }
     }
 }
 
+#[cfg(unix)]
+fn platform_root_preopens() -> Vec<DirMount> {
+    vec![DirMount {
+        guest: "/".to_string(),
+        host: PathBuf::from("/"),
+    }]
+}
+
+#[cfg(windows)]
+fn platform_root_preopens() -> Vec<DirMount> {
+    let mut mounts = Vec::new();
+    for letter in b'A'..=b'Z' {
+        let c = letter as char;
+        let host = PathBuf::from(format!("{}:\\", c));
+        // `metadata` trips DriveNotReady / access errors for absent drives;
+        // treat any failure as "skip this letter".
+        if std::fs::metadata(&host).is_ok() {
+            let guest = format!("/{}", c.to_ascii_lowercase());
+            mounts.push(DirMount { guest, host });
+        }
+    }
+    mounts
+}
+
+#[cfg(not(any(unix, windows)))]
+fn platform_root_preopens() -> Vec<DirMount> {
+    // Fall back to a POSIX-ish root on esoteric platforms.
+    vec![DirMount {
+        guest: "/".to_string(),
+        host: PathBuf::from("/"),
+    }]
+}
+
 /// Derived directory mount for wasmtime's `preopened_dir`.
 #[derive(Debug, Clone, PartialEq)]
 pub struct DirMount {
diff --git a/act-cli/src/fs_matcher.rs b/act-cli/src/fs_matcher.rs
@@ -98,14 +98,28 @@ fn compile_set(label: &str, patterns: &[String]) -> Result<GlobSet> {
 /// Expand `~` and make patterns absolute. Relative patterns are resolved
 /// against the current directory; patterns beginning with `~` expand against
 /// the home directory. `**` and other globset metacharacters are left intact.
+///
+/// On Windows, backslashes are normalised to forward slashes so the pattern
+/// matches the `/`-separated paths globset operates on. User-written Windows
+/// patterns should already use forward slashes (e.g. `C:/Users/alex/**`);
+/// this normalisation only catches strays introduced by path joining.
 fn expand_pattern(pattern: &str) -> String {
     let expanded = shellexpand::tilde(pattern).into_owned();
-    if Path::new(&expanded).is_absolute() {
-        return expanded;
+    let absolute = if Path::new(&expanded).is_absolute() {
+        expanded
+    } else {
+        match std::env::current_dir() {
+            Ok(cwd) => cwd.join(&expanded).to_string_lossy().into_owned(),
+            Err(_) => expanded,
+        }
+    };
+    #[cfg(windows)]
+    {
+        absolute.replace('\\', "/")
     }
-    match std::env::current_dir() {
-        Ok(cwd) => cwd.join(&expanded).to_string_lossy().into_owned(),
-        Err(_) => expanded,
+    #[cfg(not(windows))]
+    {
+        absolute
     }
 }
 
