Expose sandbox mode as env var / config knob for review and adversarial-review

[HeeSJung]

Summary

On Linux hosts where Codex CLI's internal Linux-namespace sandbox can't initialize (e.g. VPS kernels that restrict unprivileged RTM_NEWADDR for loopback), /codex:review and /codex:adversarial-review fail silently — Codex returns "I could not inspect the diff because the sandbox blocked all shell commands" and no review is produced. There is currently no way to override the hardcoded sandbox: "read-only" without patching plugin source.

Environment

• Plugin: codex-plugin-cc v1.0.2
• Codex CLI: codex-cli 0.116.0
• Host: Ubuntu 24.04 VPS, kernel 6.8.0-90-generic, x86_64
• bwrap --version → not installed (Codex uses its bundled sandbox in @openai/codex-linux-x64/vendor/)
• /proc/sys/kernel/unprivileged_userns_clone = 1
• /proc/sys/user/max_user_namespaces = 15126

Reproduction

1. Install codex-plugin-cc on a host where Codex CLI's internal sandbox cannot set up a loopback interface in an unprivileged network namespace.
2. Run /codex:review --wait (or /codex:adversarial-review) against any git branch.
3. Observe in the companion script log:

   [codex] Running command: /bin/bash -lc "git diff ..."
   [codex] ... fails with bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted
   

4. Final output from Codex:

   I was unable to inspect the diff because every local command invocation failed in this environment with a sandbox error (bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted). Without access to git diff <sha>, I cannot produce a reliable code review; please re-run with a working shell or paste the diff.

Root cause

scripts/lib/codex.mjs line ~783 (review thread startup) hardcodes:

sandbox: "read-only",
ephemeral: true,

This value is passed to the Codex app-server when starting the review thread. Codex CLI tries to initialize its sandbox regardless, and on this kernel the loopback setup fails inside the unprivileged network namespace. Setting sandbox_mode = "danger-full-access" globally in ~/.codex/config.toml has no effect because the plugin explicitly overrides it per-thread.

-c overrides passed to the companion script don't reach this call site either — the review subcommand's arg parser rejects unrecognized flags as stray focus text.

Workaround (current)

Local patch at scripts/lib/codex.mjs:783:

-      sandbox: "read-only",
+      sandbox: "danger-full-access",

With this patch, reviews run end-to-end and Codex executes shell commands directly on the host. This is only acceptable on a trusted environment.

Problem: the patch is clobbered on every plugin update, and we're running it in a cron-driven dev environment where an undetected clobber silently breaks all reviews.

Proposed fix

Accept a sandbox mode override through one of:

1. Env var (preferred) — CODEX_PLUGIN_SANDBOX_MODE=danger-full-access read in scripts/lib/codex.mjs and passed through to startThread + runAppServerReview + runAppServerTurn. Zero-friction for operators.

2. Config knob in ~/.codex/config.toml — e.g.:

   [plugin.codex-claude-code]
   review_sandbox = "danger-full-access"

3. Slash command flag — /codex:review --sandbox danger-full-access. Explicit per-call opt-in, highest discoverability but most typing.

Option 1 + 3 is ideal: env var for persistent hosts, flag for one-off overrides.

Whichever path: please fail loudly rather than silently producing an empty review when the sandbox init fails. A clear error like "Codex internal sandbox failed to initialize (Failed RTM_NEWADDR). Set CODEX_PLUGIN_SANDBOX_MODE=danger-full-access if your host is already externally trusted." would have saved hours of debugging.

Related

• --dangerously-bypass-approvals-and-sandbox exists on the codex exec CLI path but not on the app-server review path the plugin uses.
• Schema files (schemas/review-output.schema.json) look good and adversarial-review output shape is excellent once the sandbox issue is worked around — the rest of the plugin is solid.

Happy to test a fix branch against the same kernel.