codex - 💡(How to fix) Fix 0.133.0 Windows sandbox regression: read-only mode rejects basic git/PowerShell inspection that 0.130.0 allowed


Error Message

2026-05-22T00:17:30.532305Z ERROR codex_core::tools::router: error="... rejected: blocked by policy
2026-05-21T23:58:32.772670Z ERROR codex_core::tools::router: error="... rejected: blocked by policy


Environment

  • OS: Windows 11 Pro 10.0.26200 (win32)
  • Codex CLI: 0.133.0 (regression) vs 0.130.0 (works)
  • Shell: Git Bash 4.x (also reproducible from PowerShell 5.1)
  • Invocation: cat prompt.md | codex exec --sandbox=read-only --output-schema schema.json -

Steps to reproduce

  1. Author a small prompt that instructs the model to inspect git rev-parse HEAD / git status --short --branch before producing a JSON verdict conforming to a supplied schema.
  2. Pipe the prompt to codex exec --sandbox=read-only --output-schema schema.json -.
  3. Inspect stderr.

Expected (0.130.0 behavior)

Some read-only PowerShell-form commands are rejected by sandbox policy (counted ~22 rejections in a 4KB-prompt review run), but the model successfully retries through alternative command shapes (direct git invocation, file-reads without PowerShell wrapper, etc.) — producing 16 succeeded in Nms tool calls in the same run. The cumulative inspection coverage is sufficient for the model to produce a substantive verdict (e.g. READY_AFTER_FIXES) with concrete findings.

Actual (0.133.0)

The same prompt against the same workspace under the same --sandbox=read-only results in 0 successful tool calls out of multiple attempts. PowerShell-form commands are rejected with rejected: blocked by policy (as before), but the alternative command shapes that 0.130.0 used as retries now also fail — with exited -1 in 0ms (sandbox-spawn failure) on basic read commands like git rev-parse HEAD and git status --short --branch. Model produces a BLOCKED verdict citing inability to inspect repository contents in 29–37s.

Sample stderr (0.133.0 vs 0.130.0)

0.133.0 (regression — every shape fails):

`"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -Command 'git rev-parse HEAD; git status --short --branch'` rejected: blocked by policy
2026-05-22T00:17:30.532305Z ERROR codex_core::tools::router: error=`"...` rejected: blocked by policy
 exited -1 in 0ms:
 exited -1 in 0ms:

0.130.0 (baseline — PowerShell-form rejected, alternatives succeed):

`"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -Command 'git rev-parse HEAD; git show --no-patch --oneline c2a5d80a4'` rejected: blocked by policy
2026-05-21T23:58:32.772670Z ERROR codex_core::tools::router: error=`"...` rejected: blocked by policy
...
 succeeded in 337ms:
 succeeded in 413ms:
 succeeded in 399ms:
... (16 successful tool runs total interleaved with 22 rejections)

In other words: the 0.130.0 sandbox is already partly restrictive on Windows PowerShell shapes, but the model finds working alternatives. 0.133.0 closes off the alternatives too.

Hypothesis

Windows sandbox policy in 0.133.0 was tightened to exclude PowerShell-invoked read commands that 0.130.0 allowed, but the platform-agnostic "read-only sandbox permits read commands" contract was not updated. On Linux/macOS this likely manifests differently because the model invokes /bin/sh rather than powershell.exe.

Workaround

Stay on 0.130.0, or use --sandbox=workspace-write (which has its own model-side BLOCKED rate but does allow PowerShell invocations).

Reproducer artifacts (controlled experiment)

We ran a 34-attempt controlled experiment characterizing the regression vs the previously-reported hang. Tabulated results, prompts, schemas, and runner scripts available on request. Headlines:

  • 0.130.0 read-only realistic prompt (N=5): 0 hangs, mean 141s, range 114-196s, READY_AFTER_FIXES verdict
  • 0.130.0 read-only minimal prompt (N=10): 0 hangs, mean 4.2s, READY verdict
  • 0.130.0 workspace-write realistic prompt (N=3): 0 hangs, 2/3 READY_AFTER_FIXES + 1/3 BLOCKED (model self-deception)
  • 0.133.0 read-only realistic prompt (N=3): 0 hangs, mean 32s, 3/3 BLOCKED (regression — model cannot complete inspection)

Cross-reference

Filed during an investigation of a previously-reported "Codex-on-Windows hang" pattern. The investigation found the original "hang" reports were actually a mix of (a) long-latency reviews under read-only sandbox + realistic prompts (~140s, looks like hang if expecting <30s) and (b) BLOCKED verdicts from sandbox-rejected tool calls. The 0.133.0 sandbox-policy regression amplifies (b) into 100% reproducibility on the same workload.
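Added example, not part of the original issue and not Codex project code: a small triage script that tallies the three outcome markers quoted in the report (`rejected: blocked by policy`, `exited -1 in 0ms`, `succeeded in Nms`) so a captured stderr stream from one version can be compared with another. The label names, the verdict categories, and the choice to count a rejection once rather than once per log line are assumptions of this sketch.

```python
import re
from collections import Counter

# Outcome markers as they appear in the stderr quoted in the issue.
REJECTED = re.compile(r"rejected: blocked by policy\s*$")
ROUTER_ERROR = re.compile(r"ERROR codex_core::tools::router:")
FINISHED = re.compile(r"^\s*(succeeded|exited (-?\d+)) in (\d+)ms:")

def classify(line):
    """Map one stderr line to an outcome label, or None for non-outcome lines."""
    if REJECTED.search(line):
        # Assumption: the router ERROR line logs the same rejection as the
        # command line before it, so only the command line is counted.
        return None if ROUTER_ERROR.search(line) else "policy_rejected"
    m = FINISHED.match(line)
    if m is None:
        return None
    if m.group(1) == "succeeded":
        return "succeeded"
    # The issue reads "exited -1 in 0ms" as a sandbox-spawn failure.
    if m.group(2) == "-1" and m.group(3) == "0":
        return "spawn_failed"
    return "exited_other"

def summarize(stderr_text):
    """Count outcomes over a whole captured stderr stream."""
    labels = (classify(line) for line in stderr_text.splitlines())
    return Counter(label for label in labels if label)

def verdict(counts):
    """no_tool_access: every attempt failed; degraded: some fallbacks worked."""
    failed = counts["policy_rejected"] + counts["spawn_failed"] + counts["exited_other"]
    if counts["succeeded"] == 0:
        return "no_tool_access" if failed else "no_tool_calls"
    return "degraded" if failed else "clean"

# Samples: the stderr excerpts quoted in the issue, copied as-is.
SAMPLE_0_133 = r"""`"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -Command 'git rev-parse HEAD; git status --short --branch'` rejected: blocked by policy
2026-05-22T00:17:30.532305Z ERROR codex_core::tools::router: error=`"...` rejected: blocked by policy
 exited -1 in 0ms:
 exited -1 in 0ms:
"""
SAMPLE_0_130 = r"""`"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -Command 'git rev-parse HEAD; git show --no-patch --oneline c2a5d80a4'` rejected: blocked by policy
2026-05-21T23:58:32.772670Z ERROR codex_core::tools::router: error=`"...` rejected: blocked by policy
...
 succeeded in 337ms:
 succeeded in 413ms:
 succeeded in 399ms:
"""

if __name__ == "__main__":
    for name, text in (("0.133.0", SAMPLE_0_133), ("0.130.0", SAMPLE_0_130)):
        print(name, dict(summarize(text)), verdict(summarize(text)))
```

To use it on a real run, redirect stderr of the `codex exec` invocation to a file and pass the file contents to `summarize`.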
