
Codex CLI always uses sandbox #18113

@bogosmer

What version of Codex CLI is running?

0.121

What subscription do you have?

Plus

Which model were you using?

gpt-5.4

What platform is your computer?

macOS Darwin 25.3.0 arm64 arm

What terminal emulator and version are you using (if applicable)?

Terminal.app

What issue are you seeing?

codex exec ignores explicit sandbox override flags.

I run:
```
env -i HOME="$HOME" USER="$USER" SHELL=/bin/zsh PATH="/opt/homebrew/bin:/usr/bin:/bin" \
  /opt/homebrew/bin/codex -p unsandboxed --sandbox danger-full-access -m gpt-5.4 exec "echo ok"
```

The command returns ok, but session logs show the resolved sandbox policy is still read-only.

What steps can reproduce the bug?

  1. Run the command above in a normal terminal.
  2. Inspect the session log generated for that run.
  3. In my case:
     `~/.codex/sessions/2026/04/16/rollout-2026-04-16T11-01-34-019d9586-36be-7d22-90cd-94cb0289e8c3.jsonl`
  4. `turn_context` shows:
     `"sandbox_policy":{"type":"read-only"}`

What is the expected behavior?

With `-p unsandboxed --sandbox danger-full-access`, the resolved sandbox policy should be `danger-full-access` (or at minimum not `read-only`).

Additional information

This blocks workflows that require git writes/xcodebuild/network during automated loops, because the process behaves as sandboxed even when launched with unsandboxed/danger-full-access settings.

Project is marked as trusted and I have this in config.toml for unsandboxed profile:

```
[profiles.unsandboxed]
sandbox_mode = "danger-full-access"
approval_policy = "never"
```

Labels: bug (Something isn't working), exec (Issues related to the `codex exec` subcommand), sandbox (Issues related to permissions or sandboxing)

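Added example, not part of the original issue and not Codex project code: a small checker that automates reproduction steps 2 to 4 by scanning a rollout `.jsonl` file for every recorded `sandbox_policy` and reporting any whose `type` differs from the mode that was requested. Only the `"sandbox_policy":{"type":...}` fragment comes from the issue; the surrounding record layout and the sample lines are constructed assumptions, so the search is done recursively rather than at a fixed path.

```python
import json
import sys

def find_policies(node):
    """Yield the "type" of every sandbox_policy object nested anywhere in node."""
    if isinstance(node, dict):
        policy = node.get("sandbox_policy")
        if isinstance(policy, dict) and "type" in policy:
            yield policy["type"]
        for value in node.values():
            yield from find_policies(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_policies(item)

def resolved_policies(lines):
    """Return [(line_number, policy_type)] for each policy found in a rollout log."""
    found = []
    for number, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            continue  # e.g. a truncated final line from an interrupted run
        found.extend((number, kind) for kind in find_policies(record))
    return found

def mismatches(lines, requested):
    """Return the recorded policies that differ from the requested sandbox mode."""
    return [(n, kind) for n, kind in resolved_policies(lines) if kind != requested]

# Constructed sample lines. The outer record layout is an assumption; only the
# sandbox_policy fragment matches what the issue quotes.
SAMPLE = [
    '{"type":"session_meta","payload":{"cwd":"/tmp/example"}}',
    '{"type":"turn_context","payload":{"sandbox_policy":{"type":"read-only"}}}',
    '{"type":"turn_context","payload":{"sandbox_pol',
]

if __name__ == "__main__":
    # Usage: python check_policy.py <rollout.jsonl> [requested-mode]
    requested = sys.argv[2] if len(sys.argv) > 2 else "danger-full-access"
    lines = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else SAMPLE
    bad = mismatches(lines, requested)
    for number, kind in bad:
        print(f"line {number}: resolved sandbox policy is {kind}, requested {requested}")
    sys.exit(1 if bad else 0)
```

The non-zero exit status lets an automated loop stop as soon as the effective policy diverges from the requested one, in either direction.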