Outer sandbox blocks /run-codex-review: need per-command bypass or broader default allowWrite for bundled codex plugin
When sandbox.enabled: true is set in .claude/settings.json, invoking the bundled openai-codex plugin via its run-codex-review skill (or directly calling node .../codex-companion.mjs review) fails because the outer Claude Code sandbox prevents Codex from doing normal bookkeeping inside $HOME.
Repro
- Platform: Linux (GCE e2-standard-2, Ubuntu)
- Plugin:
codex@openai-codexv1.0.2 (bundled) - Settings: default sandbox on,
Bash(node:*)allowed, no customallowWrite
Run /run-codex-review review --base main. Observed errors in the plugin output:
failed to write models cache: Read-only file system (os error 30) # ~/.codex/models_cache.json
failed to renew cache TTL: Read-only file system (os error 30)
bwrap: execvp codex-linux-sandbox: No such file or directory # codex stages its helper into ~/.codex/tmp/arg0/… — blocked
Every internal codex tool call (git diff, ls, etc.) then fails with Sandbox(Denied), so the review produces no findings — only a failure report. The plugin path (~/.claude/plugins/data/codex-openai-codex/…) also isn’t writable, breaking job state logging.
Root cause
The default sandbox has only denyWrite entries. The bundled codex plugin writes to:
~/.codex/— models cache, SQLite logs, and the temp dir where it stages its nestedcodex-linux-sandboxbinary before callingbwrap.~/.claude/plugins/data/codex-openai-codex/— per-project job state.
Neither path is in the default sandbox allowlist, and there is no documented per-command bypass (e.g. in permissions.allow) that would let users opt a specific command out of the outer sandbox.
What would make this work out of the box
One of:
- Add a sensible default
sandbox.filesystem.allowWritefor bundled plugins — at minimum~/.codex/**and~/.claude/plugins/data/<plugin-slug>/**when that plugin is enabled. - Support a per-command sandbox-bypass marker in
permissions.allow(e.g.Bash(node:*, sandbox=off)), so a user can allow a single known-safe command to escape the sandbox without flipping the whole project todangerouslyDisableSandbox. - Document the required
allowWriteadditions in the/run-codex-review(or codex plugin) docs, and point the plugin’s error handling at the right config key.
Currently users have to discover the paths empirically and hand-edit sandbox.filesystem.allowWrite (undocumented in the codex plugin docs I can find) just to get a bundled feature working.
Workaround we applied
Filed a project-local config change in AIcia-Solid-Project/youtube_discord_bot#142:
"sandbox": {
"filesystem": {
"allowWrite": [
"~/.codex/**",
"~/.claude/plugins/data/codex-openai-codex/**"
]
}
}
That unblocks the review. But this really should be either the default or a one-line toggle.
Related
- Feedback: the failure surface is noisy — plugin emits raw
codex_core::Rust tracing output instead of a clear "sandbox is blocking me, add X to allowWrite" message. Better error mapping would save users the debugging trip.
Happy to provide more logs if useful.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗