diff --git a/extensions/codex/src/app-server/approval-bridge.test.ts b/extensions/codex/src/app-server/approval-bridge.test.ts
index fe0a41d3050..00f07f32063 100644
--- a/extensions/codex/src/app-server/approval-bridge.test.ts
+++ b/extensions/codex/src/app-server/approval-bridge.test.ts
@@ -641,7 +641,7 @@ describe("Codex app-server approval bridge", () => {
 
     const [, , requestPayload] = mockCallGatewayTool.mock.calls[0] ?? [];
     const description = (requestPayload as { description: string }).description;
-    expect(description).toContain("File system roots: ~; readPaths: ~\\.ssh\\id_rsa, ~/project");
+    expect(description).toContain("File system roots: ~; readPaths: ~/.ssh/id_rsa, ~/project");
     expect(description).not.toContain("High-risk targets");
   });
 
diff --git a/extensions/codex/src/app-server/approval-bridge.ts b/extensions/codex/src/app-server/approval-bridge.ts
index dfb31166e80..dc1d771f51a 100644
--- a/extensions/codex/src/app-server/approval-bridge.ts
+++ b/extensions/codex/src/app-server/approval-bridge.ts
@@ -436,7 +436,10 @@ function sanitizePermissionPathValue(value: string): string {
     .replace(/^\/home\/(?!\.{1,2}(?=\/|$))[^/]+(?=\/|$)/, "~")
     .replace(/^\/Users\/(?!\.{1,2}(?=\/|$))[^/]+(?=\/|$)/, "~")
     .replace(/^[A-Za-z]:[\\/]Users[\\/](?!\.{1,2}(?=[\\/]|$))[^\\/]+(?=[\\/]|$)/i, "~");
-  return truncate(homeCompacted, PERMISSION_VALUE_MAX_LENGTH);
+  const displayPath = homeCompacted.startsWith("~")
+    ? homeCompacted.replace(/\\/g, "/")
+    : homeCompacted;
+  return truncate(displayPath, PERMISSION_VALUE_MAX_LENGTH);
 }
 
 function sanitizePermissionScalar(value: string): string {