Codex Version
Summary
There is still a path-resolution mismatch around writable paths: the shell tool may deny writes for a path while apply_patch can edit that same path.
This appears related to #14694 and the partial fix where sandbox write access was expanded to resolved paths without consistently resolving paths for permission checks/tooling behavior.
Current behavior
In the same session:
~/bin/sudo resolves to a symlink target on another mount.- Shell write attempt fails with a sandbox/FS denial.
apply_patch successfully updates the same script path.
Concretely, I hit this when editing /home/rebroad/bin/cursor_safety_guard (with /home/rebroad/bin/sudo symlinked to it):
- Shell attempt (
install) failed with:
not_writable
install: cannot create regular file '/home/rebroad/bin/cursor_safety_guard.test': Read-only file system
- Immediately after,
apply_patch succeeded for /home/rebroad/bin/cursor_safety_guard.
This inconsistency caused the agent to incorrectly conclude write access was unavailable until switching to apply_patch.
Expected behavior
Path permission behavior should be consistent across tools:
- If shell writes are denied for a path,
apply_patch should also be denied (or both should be allowed if policy allows that path).
- Permission checks should use the same canonicalization rules (including symlink resolution policy).
Why this matters
Agents make decisions based on prior tool failures. Inconsistent writeability signals cause incorrect escalation requests and wasted attempts.
Screenshot
Codex Version
Summary
There is still a path-resolution mismatch around writable paths: the shell tool may deny writes for a path while
apply_patchcan edit that same path.This appears related to #14694 and the partial fix where sandbox write access was expanded to resolved paths without consistently resolving paths for permission checks/tooling behavior.
Current behavior
In the same session:
~/bin/sudoresolves to a symlink target on another mount.apply_patchsuccessfully updates the same script path.Concretely, I hit this when editing
/home/rebroad/bin/cursor_safety_guard(with/home/rebroad/bin/sudosymlinked to it):install) failed with:apply_patchsucceeded for/home/rebroad/bin/cursor_safety_guard.This inconsistency caused the agent to incorrectly conclude write access was unavailable until switching to
apply_patch.Expected behavior
Path permission behavior should be consistent across tools:
apply_patchshould also be denied (or both should be allowed if policy allows that path).Why this matters
Agents make decisions based on prior tool failures. Inconsistent writeability signals cause incorrect escalation requests and wasted attempts.
Screenshot