Allow writing to zig global cache

[joshka]

What version of Codex is running?

OpenAI Codex (v0.72.0)

What subscription do you have?

codex-cli 0.72.0

Which model were you using?

gpt-5.1-codex-max

What platform is your computer?

Darwin 24.6.0 arm64 arm

What issue are you seeing?

Summary

Codex seatbelt blocks Zig builds because it denies writes to the global cache folder outside the
workspace.

Environment

• macOS 15.7.3
• Zig 0.15.2 installed via Homebrew (/opt/homebrew/Cellar/zig/0.15.2/bin/zig)
• zig env shows .global_cache_dir = "/Users/joshka/.cache/zig"
• No ZIG_GLOBAL_CACHE_DIR or ZIG_LOCAL_CACHE_DIR env set

Workaround

ZIG_GLOBAL_CACHE_DIR="$PWD/.zig-global-cache" zig build

Proposed fix direction

• On startup, detect Zig and read zig env to learn the global cache dir (respect
  ZIG_GLOBAL_CACHE_DIR, ZIG_LOCAL_CACHE_DIR, XDG_CACHE_HOME, HOME).
• Add the resolved Zig cache path(s) to seatbelt exceptions so writes are permitted.
• Consider handling the local cache dir similarly if Zig uses it for builds.

What steps can reproduce the bug?

zig init
zig build

What is the expected behavior?

Zig build should succeed without manual cache configuration when running inside Codex.

Additional information

error: sub-compilation of compiler_rt failed
    note: failed to check cache: manifest_create PermissionDenied
/opt/homebrew/Cellar/zig/0.15.2/lib/zig/std/std.zig:1:1: error: unable to load 'std.zig': PermissionDenied
/opt/homebrew/Cellar/zig/0.15.2/lib/zig/ubsan_rt.zig:1:1: error: unable to load 'ubsan_rt.zig': PermissionDenied