never let sandbox write to .codex/ or .codex/.sandbox/

[iceweasel-oai]

Never treat .codex or .codex/.sandbox as a workspace root.
Handle write permissions to .codex/.sandbox in a single method so that the sandbox setup/runner can write logs and other setup files to that directory.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 75b36be64c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Ensure upgrade removes old .sandbox write ACEs

Because filter_sensitive_write_roots now strips CODEX_HOME/.sandbox from every payload, the common refresh-only path won’t touch that directory. On machines that already ran setup before this change (where .sandbox was granted capability write via write_roots), those ACEs will persist indefinitely since refresh-only does not call lock_sandbox_dir to reset the DACL. That means upgrading doesn’t actually revoke sandbox write access to .sandbox unless a full setup is forced. Consider explicitly re-locking/removing ACLs during refresh or bumping the setup version to guarantee a full setup run.

Useful? React with 👍 / 👎.

[dylan-hurd-oai]

I think this edge case is probably okay. However, what's the expected behavior if a user runs codex in ~/.codex?

[iceweasel-oai]

with this PR, we never make ~/.codex/ or ~/.codex/.sandbox/ a writable root for the sandbox. If the user runs codex in one of those directories, writes in the cwd will fail in the sandbox.

[dylan-hurd-oai]

Let's update docs accordingly, since this differs from behavior on other platforms.