Skip to content

URL: https://mkdocs.justinsforge.com/memory/general/reference_codex_workspace_write_git_readonly/

Codex workspace-write mounts .git read-only

Codex CLI (verified on 0.144.4) in sandbox_mode = "workspace-write" makes the workspace cwd writable BUT mounts the repo's .git/ read-only by default. With approval_policy = "never" a session fails silently on branch/commit:

fatal: Unable to create '.../.git/index.lock': Read-only file system

So "network is on + cwd is writable" is NOT enough for branch -> commit -> push. The blocker is .git, not the workspace files. Proven empirically via codex exec (the earlier Codex session that claimed this was correct; my first read that "the config already does branch/push/PR" was wrong).

Fix (keeps approval_policy = "never", no prompts, prod stays protected)

Add git metadata + worktree bases to writable_roots in ~/.codex/config.toml:

[sandbox_workspace_write]
network_access = true
writable_roots = [
  "/home/justinwieb/creatortrack/.git",
  "/home/justinwieb/creatortrack-wt",
  "/home/justinwieb/forge-suite-wt",
]

Tested live: branch + commit -> COMMIT_OK with no override flags. Prod paths and ~/.forge-secrets are outside these roots, so they stay read-only. This config is SHARED with the codex.justinsforge.com web surface (forge-codex-chat.service).

Two-layer gate (important)

Codex enforces TWO separate gates, not one: 1. Filesystem sandbox (writable_roots): denials look like Read-only file system. 2. Command-approval classifier: denials look like rejected: blocked by policy. Under approval_policy = "never", any command it thinks needs approval is AUTO-REJECTED (not queued). This is why writable_roots alone can't reliably enable cross-root writes (e.g. ~/forge/data registry, ~/forge edge repo) from a ~/creatortrack session: the FS may allow it but the policy layer blocks it.

Full self-service slots: use danger-full-access via a profile

For hands-off VS Code work where Codex builds its OWN branch + worktree + Forge dev slot (registry write, DB clone over TCP with creds from readable ~/.forge-secrets, detached next dev — NO sudo/systemctl needed), sandboxed base is not enough. Solution (tested, all ops REG/WT/EDGE = OK, zero prompts): - ~/.codex/devfull.config.toml = sandbox_mode="danger-full-access" + approval_policy="never". - 0.144.4 requires profiles as a SEPARATE FILE ~/.codex/<name>.config.toml, NOT a legacy [profiles.<name>] table (that errors on --profile). - Launch: codex --profile devfull. ~/.bashrc aliases codex to this; \codex = sandboxed. - Base ~/.codex/config.toml stays sandboxed so codex.justinsforge.com web surface is NOT full-access. See [[reference_codex_chat_surface]].

Security reality

The sandbox only fences the LOCAL FILESYSTEM. Prod Postgres / Cloudflare / Stripe are reachable via network + creds Codex can READ from ~/.forge-secrets (SECRETS_READABLE even under workspace-write). So the sandbox never protected prod; only AGENTS.md rules + test-mode discipline do. danger-full-access additionally drops local-FS protection.

Subagents ARE real (do not claim otherwise)

Codex 0.144.4 has parallel subagents: codex features list shows multi_agent = stable, true (on by default); binary carries spawn_agents_on_csv, x-openai-subagent, SubagentStartHook. Lead + concurrent subagents work in the terminal CLI, unaffected by the devfull profile (which only sets sandbox/approval). So multi-agent audit/review orchestration in a prompt DOES execute. (multi_agent_v2, enable_fanout, use_agent_identity are still under-development flags = off, so formal agent "identities"/personas are not a shipped feature, but base fan-out is.)

Notes

  • codex sandbox subcommand in 0.144.4 hard-requires --permission-profile <NAME>; to test the real policy use codex exec (runs under config sandbox) instead.
  • approval_policy = "never" was pre-existing (the codex.justinsforge.com surface config); it means "don't prompt, fail silently on denial", NOT "allowed to do anything".
  • Codex's cited learn.chatgpt.com/docs/... URLs were fabricated; the .git-readonly behavior is real but its doc citations were not. Verify Codex doc links.
  • ~/creatortrack/AGENTS.md quick-fix-mode block steers SMALL fixes to branch-in-place; large overhauls get a full slot (now buildable by Codex itself under devfull).

[Claude Code]