agentic-dev: codex exec resume inherits stale sandbox mode, bypasses fallback
Bug
codex-re-review.sh resumes sessions with codex exec resume, which inherits the sandbox mode from the original session. If the original session was created with -s read-only (bwrap worked) but the re-review runs in an environment where bwrap doesn't work (e.g. containers without user namespaces), the resume inherits the broken sandbox and every exec call fails with:
bwrap: No permissions to create a new namespace, likely because the kernel does not allow non-privileged user namespaces.
The agentic_dev_codex_sandbox_args() probe in config.sh correctly detects the broken sandbox and returns --dangerously-bypass-approvals-and-sandbox, but this is only used for fresh execs (line 167-168 of codex-re-review.sh). The resume path (line 154) never consults it.
Location
scripts/codex-re-review.sh lines 149-154:
# codex exec resume accepts -o but not -s/--sandbox (sandbox inherited from original session).
if [ "$CODEX_SESSION_ID" != "none" ] && [ -n "$CODEX_SESSION_ID" ]; then
$CODEX_CMD exec resume "$CODEX_SESSION_ID" -o "$REVIEW_OUTPUT" "$(cat "$PROMPT_FILE")" 2>&1 | tee "$CODEX_LOG" || CODEX_FAILED=$?
Expected behavior
If codex exec resume fails with a sandbox/bwrap error, the script should fall back to a fresh exec with CODEX_SESSION_ID=none, which triggers the sandbox probe and uses --dangerously-bypass-approvals-and-sandbox.
Workaround
Pass CODEX_SESSION_ID=none to force a fresh exec, which triggers the sandbox fallback correctly.
Impact
Re-review rounds silently fail when the environment changes between review rounds (e.g. round 0 ran where bwrap works, round 1+ ran in a container). Codex reports "STILL OPEN" for all findings because it can't read the diff, producing false negatives.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗