codex - 💡(How to fix) Fix 0.131.0 Linux sandbox fails creating .codex/tmp, forcing approvals for routine workspace commands [1 comments, 1 participants]

What version of Codex is running?

0.131.0

OS / environment

Linux, repo-local workspace-write session.

What happened?

After upgrading from 0.130.0 to 0.131.0, the sandbox appears to be unusable in this repository/session. Routine commands that should run inside the workspace-write sandbox now fail sandbox setup and require explicit approval to run outside the sandbox.

The recurring failure reason shown by Codex is:

bwrap: Can't create file at /home/maizaavaro/pickMarket/.codex/tmp: Read-only file system

This happens even though the same user can write to that directory from a normal shell. I manually created .codex/tmp/ and verified shell write access with a write test, but Codex still required escalation for normal developer commands afterward.

Examples of affected commands

During a normal docs-only implementation slice, Codex requested manual approval to run the following outside the sandbox:

rg -n "Closeout|closeout|RALPH_SESSION_RELOAD|RALPH_PLANNING|human commit gate|recommended commit|non-authoritative|subordinate" .codex/AGENTS_RALPH_CONSTRAINTS.md .codex/ralph/RALPH.md .codex/ralph/RALPH_SESSION_RELOAD.md .codex/ralph/RALPH_PLANNING.md

Reason shown:

Do you want to allow this contracted read-only rg check to run outside the sandbox after the sandbox failed creating its temp directory?

A scoped write inside the approved workspace also had to be approved outside the sandbox after the patch tool failed:

ruby -0pi -e '...single scoped text replacement...' .codex/AGENTS_RALPH_CONSTRAINTS.md

Reason shown:

Do you want to allow a single scoped text replacement in the approved Ralph constraints file after the patch tool failed due the sandbox temp-directory issue?

Then the contracted checks also required approval outside the sandbox:

git diff -- .codex/AGENTS_RALPH_CONSTRAINTS.md

rg -n "Closeout ordering|RALPH_SESSION_RELOAD|RALPH_PLANNING|human commit gate|recommended commit|non-authoritative|subordinate" .codex/AGENTS_RALPH_CONSTRAINTS.md .codex/ralph/RALPH.md .codex/ralph/RALPH_SESSION_RELOAD.md .codex/ralph/RALPH_PLANNING.md

git status --short -- .codex/AGENTS_RALPH_CONSTRAINTS.md .codex/ralph/RALPH.md .codex/ralph/RALPH_SESSION_RELOAD.md .codex/ralph/RALPH_PLANNING.md

Each was escalated because the sandbox had failed or previously failed creating its temp directory.

Expected behavior

In a normal workspace-write session:

• read-only commands such as rg, git diff, and path-scoped git status should run inside the sandbox without requiring outside-sandbox approval;
• edits to files inside the writable workspace root should be possible through the normal sandboxed edit path;
• Codex should not require elevated execution for routine repo-local developer checks when the target paths are inside the workspace.

This is how the same workflow behaved for me on 0.130.0.

Actual behavior

The sandbox setup fails around .codex/tmp, and Codex falls back to asking for outside-sandbox approval for routine commands. This makes the sandbox effectively unusable and turns normal development workflow into repeated escalation prompts.

Why this seems like a regression

This started after updating from 0.130.0 to 0.131.0. The 0.131.0 release includes several nearby changes that may be relevant, including:

• #22207 “Tighten unified exec sandbox setup”
• #22683 workspace-root permission profile resolution cleanup
• #15977 preserving managed read restrictions during escalation
• TUI display of effective workspace roots / permissions / approval mode

This may be a regression in sandbox setup or workspace-root/temp-dir permission resolution.

Reproduction details

1. Run Codex CLI 0.131.0 in a Linux repo-local workspace-write session.
2. Use a repository where .codex/tmp/ is configured/listed as a writable root.
3. From the normal shell, verify .codex/tmp/ is writable:

cd /home/maizaavaro/pickMarket
mkdir -p .codex/tmp
touch .codex/tmp/.write-test
rm .codex/tmp/.write-test

1. In Codex, ask it to run routine repo-local commands such as:

rg -n "some-pattern" .codex/AGENTS_RALPH_CONSTRAINTS.md

or:

git diff -- .codex/AGENTS_RALPH_CONSTRAINTS.md

1. Observe sandbox setup failure and approval prompts to run outside the sandbox.

Additional context

I already filed a separate 0.131.0 issue about subagent completion notifications showing UUID agent_path instead of friendly nicknames: #23588. This sandbox issue is separate and more severe because it affects command execution safety and normal workspace-write operation.