Codex app-server Kanban workers cannot complete tasks under sandbox without board DB writable root

[hehehe0803]

Bug description

When Hermes workers use model.openai_runtime: codex_app_server, Kanban-dispatched tasks can complete their actual work but fail the board handoff because Codex's workspace sandbox cannot write the Kanban SQLite DB outside the task workspace.

Observed result: the worker prints a successful final answer in its task log, but kanban_complete / kanban_block cannot update the board DB, so the dispatcher later marks the task crashed / blocked.

This is a sandbox integration issue, not a domain-task failure.

Environment

• OS: Ubuntu 24.04 / Linux
• Codex CLI: codex-cli 0.130.0
• Hermes runtime: model.openai_runtime: codex_app_server
• Worker profiles tested: backend-worker, frontend-worker, fullstack-worker
• Sandbox: Bubblewrap/AppArmor working; profile configs use default_permissions = ":workspace"

Reproduction shape

1. Configure worker profiles to use Codex app-server runtime.
2. Ensure direct profile smoke passes:

   hermes -p backend-worker chat -q 'Run a harmless shell command and reply ok' --yolo -Q

3. Create a disposable Kanban board and a scratch task assigned to a Codex-runtime worker:

   BOARD=codex-runtime-orchestration-smoke
   hermes kanban boards create "$BOARD" --switch || hermes kanban boards switch "$BOARD"
   hermes kanban --board "$BOARD" create "Smoke backend-worker Codex app-server runtime via Kanban" \
     --assignee backend-worker \
     --workspace scratch \
     --priority 100 \
     --max-runtime 5m \
     --max-retries 1 \
     --body "Smoke only. Print CODEX_HOME and pwd, then call kanban_complete with summary 'backend-worker codex runtime smoke ok'. If that fails, call kanban_block with exact reason."
   hermes kanban --board "$BOARD" dispatch --max 1

4. Poll / inspect:

   hermes kanban --board "$BOARD" list
   hermes kanban --board "$BOARD" show <task_id>
   hermes kanban --board "$BOARD" runs <task_id>
   hermes kanban --board "$BOARD" log <task_id>

Actual behavior

Worker logs show the underlying smoke succeeded, e.g. CODEX_HOME and pwd printed correctly. But the handoff fails because the sandbox cannot write the board DB:

Blocked: sqlite3 could not open the kanban database for writing from this sandbox
...
unable to open database file

or:

The smoke check passed ...
I could not mark the Kanban task complete because writing to the board database failed under the sandbox

Dispatcher then records the run as crashed / blocked, even though the task itself completed.

Expected behavior

A Kanban worker running on Codex app-server should be able to:

• keep Codex sandboxing enabled,
• execute inside its assigned scratch/worktree workspace,
• call Hermes MCP callback tools like kanban_complete / kanban_block, and
• write only the current board DB/handoff path needed for task lifecycle updates.

It should not require danger-full-access or :danger-no-sandbox.

Proposed fix

When spawning codex app-server for a dispatcher-spawned worker (HERMES_KANBAN_TASK present), pass narrow Codex config overrides:

if HERMES_KANBAN_TASK:
    board_dir = dirname(HERMES_KANBAN_DB)
    codex app-server \
      -c 'sandbox_mode="workspace-write"' \
      -c 'sandbox_workspace_write.writable_roots=["<board_dir>"]' \
      -c 'sandbox_workspace_write.network_access=false'

Why board dir rather than all of ~/.hermes/kanban:

• HERMES_KANBAN_DB is already pinned by the dispatcher to the current board.
• Per-board directory is the minimal writable root needed for SQLite kanban.db, journals/WAL files, logs/events if needed.
• It preserves board isolation and avoids giving workers write access to unrelated boards or the whole Hermes home.

Security posture:

• sandbox remains enabled (workspace-write),
• no danger-full-access,
• no :danger-no-sandbox,
• no network by default,
• only the current board directory becomes an extra writable root.

Validation performed locally

After applying the narrow writable-root bridge locally:

• Direct worker runtime smoke passed for all workers.
• MCP callback smoke passed (web_extract via Codex runtime).
• Real Kanban dispatcher smoke passed on a disposable board:
  • backend-worker: task reached done
  • frontend-worker: task reached done
  • fullstack-worker: task reached done
• Targeted tests passed:

  80 passed in 4.76s
  

  for:

  python -m pytest tests/agent/transports/test_codex_app_server_runtime.py tests/agent/transports/test_codex_app_server_session.py -q

Local patch touched:

• agent/transports/codex_app_server.py
• tests/agent/transports/test_codex_app_server_runtime.py
• website/docs/user-guide/features/codex-app-server-runtime.md

Happy to open a PR with this patch if maintainers agree with the writable-root approach.

[donovan-yohan]

Additional datapoint from a local pilot on 2026-05-14:

• OS: macOS
• Codex CLI: 0.130.0
• Runtime: model.openai_runtime: codex_app_server
• Setup: profile-local CODEX_HOME, Codex auth copied in, Hermes hermes-tools MCP callback configured

Results:

• Direct profile smokes returned OK.
• Kanban smoke was unreliable:
  • one worker completed only after an initial crash/retry;
  • another worker stayed running after reporting that kanban_complete was unavailable in the session;
  • fallback hermes kanban block required escalation and timed out / was denied;
  • workspace was clean and no repository work was done.
• Dispatcher evidence showed one run crash, then a second run remaining active until operator reclaim; the process tree was Hermes worker -> codex app-server.

So there may be two closely related failure surfaces to validate before calling this fixed:

1. The board DB writable-root problem described above: kanban_complete / kanban_block exists but cannot write SQLite from the Codex sandbox.
2. A callback/tool-surfacing failure mode: the Codex turn believes kanban_complete is unavailable, then its CLI fallback is blocked by sandbox approval.

The writable-root PR direction still looks right to me: keep workspace-write, add only the active board directory derived from HERMES_KANBAN_DB, and keep network disabled. I would just make sure regression coverage exercises an actual Codex-runtime Kanban worker handoff path where the model can see/call kanban_complete, not only the app-server argv construction.

[teknium1]

This looks implemented on main now by the salvaged fix from #26212.

Automated hermes-sweeper review evidence:

• PR fix(codex): scope kanban worker writable root in app-server sandbox (salvage #26212) #27557 merged commit 4a7cd2e16dfacbbed4762f7625ab6eb6e0332447 and explicitly salvaged the Codex app-server Kanban workers cannot complete tasks under sandbox without board DB writable root #26203 fix.
• agent/transports/codex_app_server.py:89 detects dispatcher-spawned Kanban workers via HERMES_KANBAN_TASK.
• agent/transports/codex_app_server.py:90 derives the writable root from HERMES_KANBAN_DB's parent directory.
• agent/transports/codex_app_server.py:102 passes Codex app-server overrides for sandbox_mode="workspace-write", sandbox_workspace_write.writable_roots=["<board root>"], and sandbox_workspace_write.network_access=false.
• tests/agent/transports/test_codex_app_server_runtime.py:245 covers the regression and asserts the board root is added, network is disabled, and no danger-* mode is used.

The adjacent callback/tool-surfacing concern raised in the discussion is not being dismissed here; it remains tracked separately by the still-open Codex app-server Kanban callback reports such as #29821, and artifact/workspace writable-root coverage is tracked by #27941.