URL: https://mkdocs.justinsforge.com/memory/general/reference_codex_workspace_write_git_readonly/
Codex workspace-write mounts .git read-only¶
Codex CLI (verified on 0.144.4) in sandbox_mode = "workspace-write" makes the
workspace cwd writable BUT mounts the repo's .git/ read-only by default.
With approval_policy = "never" a session fails silently on branch/commit:
So "network is on + cwd is writable" is NOT enough for branch -> commit -> push.
The blocker is .git, not the workspace files. Proven empirically via codex exec
(the earlier Codex session that claimed this was correct; my first read that "the
config already does branch/push/PR" was wrong).
Fix (keeps approval_policy = "never", no prompts, prod stays protected)¶
Add git metadata + worktree bases to writable_roots in ~/.codex/config.toml:
[sandbox_workspace_write]
network_access = true
writable_roots = [
"/home/justinwieb/creatortrack/.git",
"/home/justinwieb/creatortrack-wt",
"/home/justinwieb/forge-suite-wt",
]
Tested live: branch + commit -> COMMIT_OK with no override flags. Prod paths and
~/.forge-secrets are outside these roots, so they stay read-only. This config is
SHARED with the codex.justinsforge.com web surface (forge-codex-chat.service).
Two-layer gate (important)¶
Codex enforces TWO separate gates, not one:
1. Filesystem sandbox (writable_roots): denials look like Read-only file system.
2. Command-approval classifier: denials look like rejected: blocked by policy.
Under approval_policy = "never", any command it thinks needs approval is
AUTO-REJECTED (not queued). This is why writable_roots alone can't reliably
enable cross-root writes (e.g. ~/forge/data registry, ~/forge edge repo) from
a ~/creatortrack session: the FS may allow it but the policy layer blocks it.
Full self-service slots: use danger-full-access via a profile¶
For hands-off VS Code work where Codex builds its OWN branch + worktree + Forge dev
slot (registry write, DB clone over TCP with creds from readable ~/.forge-secrets,
detached next dev — NO sudo/systemctl needed), sandboxed base is not enough.
Solution (tested, all ops REG/WT/EDGE = OK, zero prompts):
- ~/.codex/devfull.config.toml = sandbox_mode="danger-full-access" + approval_policy="never".
- 0.144.4 requires profiles as a SEPARATE FILE ~/.codex/<name>.config.toml, NOT a
legacy [profiles.<name>] table (that errors on --profile).
- Launch: codex --profile devfull. ~/.bashrc aliases codex to this; \codex = sandboxed.
- Base ~/.codex/config.toml stays sandboxed so codex.justinsforge.com web surface
is NOT full-access. See [[reference_codex_chat_surface]].
Security reality¶
The sandbox only fences the LOCAL FILESYSTEM. Prod Postgres / Cloudflare / Stripe are
reachable via network + creds Codex can READ from ~/.forge-secrets (SECRETS_READABLE
even under workspace-write). So the sandbox never protected prod; only AGENTS.md rules
+ test-mode discipline do. danger-full-access additionally drops local-FS protection.
Subagents ARE real (do not claim otherwise)¶
Codex 0.144.4 has parallel subagents: codex features list shows multi_agent =
stable, true (on by default); binary carries spawn_agents_on_csv,
x-openai-subagent, SubagentStartHook. Lead + concurrent subagents work in the
terminal CLI, unaffected by the devfull profile (which only sets sandbox/approval).
So multi-agent audit/review orchestration in a prompt DOES execute. (multi_agent_v2,
enable_fanout, use_agent_identity are still under-development flags = off, so
formal agent "identities"/personas are not a shipped feature, but base fan-out is.)
Notes¶
codex sandboxsubcommand in 0.144.4 hard-requires--permission-profile <NAME>; to test the real policy usecodex exec(runs under config sandbox) instead.approval_policy = "never"was pre-existing (the codex.justinsforge.com surface config); it means "don't prompt, fail silently on denial", NOT "allowed to do anything".- Codex's cited
learn.chatgpt.com/docs/...URLs were fabricated; the .git-readonly behavior is real but its doc citations were not. Verify Codex doc links. ~/creatortrack/AGENTS.mdquick-fix-modeblock steers SMALL fixes to branch-in-place; large overhauls get a full slot (now buildable by Codex itself under devfull).
[Claude Code]