Read-only mode fails to run git diff - likely Regression #6688
Description
What version of Codex is running?
codex-cli 0.58.0
What subscription do you have?
Plus
Which model were you using?
gpt-5.1-codex medium
What platform is your computer?
Darwin 25.1.0 arm64 arm
What issue are you seeing?
Uploaded thread: 019a8407-c0e3-75c2-a686-66c5ea3545d2
Running in read-only sandbox fails to run git diff. Pretty sure it used to work. Not sure if this is by design. Was out of credits until today and just reformatted my device so mostly a fresh install. All else works as expected as far as I can tell.
codex -s read-only
╭──────────────────────────────────────────────────────╮
│ >_ OpenAI Codex (v0.58.0) │
│ │
│ model: gpt-5.1-codex medium /model to change │
│ directory: /Users/Shared/…/shortpoet-dots/typescript │
╰──────────────────────────────────────────────────────╯
To get started, describe a task or try one of these commands:
/init - create an AGENTS.md file with instructions for Codex
/status - show current session configuration
/approvals - choose what Codex can do without approval
/model - choose what model and reasoning effort to use
/review - review any changes and find issues
› try and run git diff on some files in app/pr-tools to debug an issue i'm having with your system
• Ran cd apps/pr-tools && git status -sb
└ git: warning: confstr() failed with code 5: couldn't get path of DARWIN_USER_TEMP_DIR; using /tmp instead
git: error: couldn't create cache file '/tmp/xcrun_db-wLQabxRq' (errno=Operation not permitted)
… +21 lines
?? src/config/
?? src/index.ts
■ Conversation interrupted - tell the model what to do differently. Something went wrong? Hit `/feedback` to report the issue.
Token usage: total=5,716 input=5,665 (+ 3,072 cached) output=51
To continue this session, run codex resume 019a8407-095a-78b3-be3d-4f54cef40606
codex
╭──────────────────────────────────────────────────────╮
│ >_ OpenAI Codex (v0.58.0) │
│ │
│ model: gpt-5.1-codex medium /model to change │
│ directory: /Users/Shared/…/shortpoet-dots/typescript │
╰──────────────────────────────────────────────────────╯
To get started, describe a task or try one of these commands:
/init - create an AGENTS.md file with instructions for Codex
/status - show current session configuration
/approvals - choose what Codex can do without approval
/model - choose what model and reasoning effort to use
/review - review any changes and find issues
› try and run git diff on some files in app/pr-tools to debug an issue i'm having with your system
• Ran cd /Users/Shared/source/repos/shortpoet-dots/typescript && git status -sb
└ ## feature/cli-advance...origin/feature/cli-advance [ahead 1]
M apps/pr-tools/README.md
… +17 lines
?? apps/pr-tools/src/config/
?? apps/pr-tools/src/index.ts
■ Conversation interrupted - tell the model what to do differently. Something went wrong? Hit `/feedback` to report the issue.
What steps can reproduce the bug?
codex -s read-only 'try and run git diff on some files in app/pr-tools to debug an issue im having with your system'
What is the expected behavior?
git diff is a read operation, i would think it safe in this context
Additional information
you should offer credits for helpful bug reports as an incentive for your paying customers to contribute more effectively 🧑💻