What version of Codex is running?
0.131.0
OS / environment
Linux, repo-local workspace-write session.
What happened?
After upgrading from 0.130.0 to 0.131.0, the sandbox appears to be unusable in this repository/session. Routine commands that should run inside the workspace-write sandbox now fail sandbox setup and require explicit approval to run outside the sandbox.
The recurring failure reason shown by Codex is:
bwrap: Can't create file at /home/maizaavaro/pickMarket/.codex/tmp: Read-only file system
This happens even though the same user can write to that directory from a normal shell. I manually created .codex/tmp/ and verified shell write access with a write test, but Codex still required escalation for normal developer commands afterward.
Examples of affected commands
During a normal docs-only implementation slice, Codex requested manual approval to run the following outside the sandbox:
rg -n "Closeout|closeout|RALPH_SESSION_RELOAD|RALPH_PLANNING|human commit gate|recommended commit|non-authoritative|subordinate" .codex/AGENTS_RALPH_CONSTRAINTS.md .codex/ralph/RALPH.md .codex/ralph/RALPH_SESSION_RELOAD.md .codex/ralph/RALPH_PLANNING.md
Reason shown:
Do you want to allow this contracted read-only rg check to run outside the sandbox after the sandbox failed creating its temp directory?
A scoped write inside the approved workspace also had to be approved outside the sandbox after the patch tool failed:
ruby -0pi -e '...single scoped text replacement...' .codex/AGENTS_RALPH_CONSTRAINTS.md
Reason shown:
Do you want to allow a single scoped text replacement in the approved Ralph constraints file after the patch tool failed due the sandbox temp-directory issue?
Then the contracted checks also required approval outside the sandbox:
git diff -- .codex/AGENTS_RALPH_CONSTRAINTS.md
rg -n "Closeout ordering|RALPH_SESSION_RELOAD|RALPH_PLANNING|human commit gate|recommended commit|non-authoritative|subordinate" .codex/AGENTS_RALPH_CONSTRAINTS.md .codex/ralph/RALPH.md .codex/ralph/RALPH_SESSION_RELOAD.md .codex/ralph/RALPH_PLANNING.md
git status --short -- .codex/AGENTS_RALPH_CONSTRAINTS.md .codex/ralph/RALPH.md .codex/ralph/RALPH_SESSION_RELOAD.md .codex/ralph/RALPH_PLANNING.md
Each was escalated because the sandbox had failed or previously failed creating its temp directory.
Expected behavior
In a normal workspace-write session:
- read-only commands such as
rg, git diff, and path-scoped git status should run inside the sandbox without requiring outside-sandbox approval;
- edits to files inside the writable workspace root should be possible through the normal sandboxed edit path;
- Codex should not require elevated execution for routine repo-local developer checks when the target paths are inside the workspace.
This is how the same workflow behaved for me on 0.130.0.
Actual behavior
The sandbox setup fails around .codex/tmp, and Codex falls back to asking for outside-sandbox approval for routine commands. This makes the sandbox effectively unusable and turns normal development workflow into repeated escalation prompts.
Why this seems like a regression
This started after updating from 0.130.0 to 0.131.0. The 0.131.0 release includes several nearby changes that may be relevant, including:
This may be a regression in sandbox setup or workspace-root/temp-dir permission resolution.
Reproduction details
- Run Codex CLI 0.131.0 in a Linux repo-local workspace-write session.
- Use a repository where
.codex/tmp/ is configured/listed as a writable root.
- From the normal shell, verify
.codex/tmp/ is writable:
cd /home/maizaavaro/pickMarket
mkdir -p .codex/tmp
touch .codex/tmp/.write-test
rm .codex/tmp/.write-test
- In Codex, ask it to run routine repo-local commands such as:
rg -n "some-pattern" .codex/AGENTS_RALPH_CONSTRAINTS.md
or:
git diff -- .codex/AGENTS_RALPH_CONSTRAINTS.md
- Observe sandbox setup failure and approval prompts to run outside the sandbox.
Additional context
I already filed a separate 0.131.0 issue about subagent completion notifications showing UUID agent_path instead of friendly nicknames: #23588. This sandbox issue is separate and more severe because it affects command execution safety and normal workspace-write operation.
What version of Codex is running?
0.131.0
OS / environment
Linux, repo-local workspace-write session.
What happened?
After upgrading from 0.130.0 to 0.131.0, the sandbox appears to be unusable in this repository/session. Routine commands that should run inside the workspace-write sandbox now fail sandbox setup and require explicit approval to run outside the sandbox.
The recurring failure reason shown by Codex is:
This happens even though the same user can write to that directory from a normal shell. I manually created
.codex/tmp/and verified shell write access with a write test, but Codex still required escalation for normal developer commands afterward.Examples of affected commands
During a normal docs-only implementation slice, Codex requested manual approval to run the following outside the sandbox:
rg -n "Closeout|closeout|RALPH_SESSION_RELOAD|RALPH_PLANNING|human commit gate|recommended commit|non-authoritative|subordinate" .codex/AGENTS_RALPH_CONSTRAINTS.md .codex/ralph/RALPH.md .codex/ralph/RALPH_SESSION_RELOAD.md .codex/ralph/RALPH_PLANNING.mdReason shown:
A scoped write inside the approved workspace also had to be approved outside the sandbox after the patch tool failed:
ruby -0pi -e '...single scoped text replacement...' .codex/AGENTS_RALPH_CONSTRAINTS.mdReason shown:
Then the contracted checks also required approval outside the sandbox:
rg -n "Closeout ordering|RALPH_SESSION_RELOAD|RALPH_PLANNING|human commit gate|recommended commit|non-authoritative|subordinate" .codex/AGENTS_RALPH_CONSTRAINTS.md .codex/ralph/RALPH.md .codex/ralph/RALPH_SESSION_RELOAD.md .codex/ralph/RALPH_PLANNING.mdEach was escalated because the sandbox had failed or previously failed creating its temp directory.
Expected behavior
In a normal workspace-write session:
rg,git diff, and path-scopedgit statusshould run inside the sandbox without requiring outside-sandbox approval;This is how the same workflow behaved for me on 0.130.0.
Actual behavior
The sandbox setup fails around
.codex/tmp, and Codex falls back to asking for outside-sandbox approval for routine commands. This makes the sandbox effectively unusable and turns normal development workflow into repeated escalation prompts.Why this seems like a regression
This started after updating from 0.130.0 to 0.131.0. The 0.131.0 release includes several nearby changes that may be relevant, including:
This may be a regression in sandbox setup or workspace-root/temp-dir permission resolution.
Reproduction details
.codex/tmp/is configured/listed as a writable root..codex/tmp/is writable:cd /home/maizaavaro/pickMarket mkdir -p .codex/tmp touch .codex/tmp/.write-test rm .codex/tmp/.write-testrg -n "some-pattern" .codex/AGENTS_RALPH_CONSTRAINTS.mdor:
Additional context
I already filed a separate 0.131.0 issue about subagent completion notifications showing UUID
agent_pathinstead of friendly nicknames: #23588. This sandbox issue is separate and more severe because it affects command execution safety and normal workspace-write operation.