Outer sandbox blocks /run-codex-review: need per-command bypass or broader default allowWrite for bundled codex plugin

Resolved 💬 1 comment Opened Apr 22, 2026 by sugiyama34 Closed May 28, 2026

When sandbox.enabled: true is set in .claude/settings.json, invoking the bundled openai-codex plugin via its run-codex-review skill (or directly calling node .../codex-companion.mjs review) fails because the outer Claude Code sandbox prevents Codex from doing normal bookkeeping inside $HOME.

Repro

  • Platform: Linux (GCE e2-standard-2, Ubuntu)
  • Plugin: codex@openai-codex v1.0.2 (bundled)
  • Settings: default sandbox on, Bash(node:*) allowed, no custom allowWrite

Run /run-codex-review review --base main. Observed errors in the plugin output:

failed to write models cache: Read-only file system (os error 30)   # ~/.codex/models_cache.json
failed to renew cache TTL: Read-only file system (os error 30)
bwrap: execvp codex-linux-sandbox: No such file or directory         # codex stages its helper into ~/.codex/tmp/arg0/… — blocked

Every internal codex tool call (git diff, ls, etc.) then fails with Sandbox(Denied), so the review produces no findings — only a failure report. The plugin path (~/.claude/plugins/data/codex-openai-codex/…) also isn’t writable, breaking job state logging.

Root cause

The default sandbox has only denyWrite entries. The bundled codex plugin writes to:

  • ~/.codex/ — models cache, SQLite logs, and the temp dir where it stages its nested codex-linux-sandbox binary before calling bwrap.
  • ~/.claude/plugins/data/codex-openai-codex/ — per-project job state.

Neither path is in the default sandbox allowlist, and there is no documented per-command bypass (e.g. in permissions.allow) that would let users opt a specific command out of the outer sandbox.

What would make this work out of the box

One of:

  1. Add a sensible default sandbox.filesystem.allowWrite for bundled plugins — at minimum ~/.codex/** and ~/.claude/plugins/data/<plugin-slug>/** when that plugin is enabled.
  2. Support a per-command sandbox-bypass marker in permissions.allow (e.g. Bash(node:*, sandbox=off)), so a user can allow a single known-safe command to escape the sandbox without flipping the whole project to dangerouslyDisableSandbox.
  3. Document the required allowWrite additions in the /run-codex-review (or codex plugin) docs, and point the plugin’s error handling at the right config key.

Currently users have to discover the paths empirically and hand-edit sandbox.filesystem.allowWrite (undocumented in the codex plugin docs I can find) just to get a bundled feature working.

Workaround we applied

Filed a project-local config change in AIcia-Solid-Project/youtube_discord_bot#142:

"sandbox": {
  "filesystem": {
    "allowWrite": [
      "~/.codex/**",
      "~/.claude/plugins/data/codex-openai-codex/**"
    ]
  }
}

That unblocks the review. But this really should be either the default or a one-line toggle.

Related

  • Feedback: the failure surface is noisy — plugin emits raw codex_core:: Rust tracing output instead of a clear "sandbox is blocking me, add X to allowWrite" message. Better error mapping would save users the debugging trip.

Happy to provide more logs if useful.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗