fix(codex): grant write access to main repo so decision files land in canonical path #187

Merged: jacsamell merged 1 commit into main from fix/codex-add-dir-project-root on May 19, 2026

@jacsamell jacsamell commented May 19, 2026

Codex judges run with --sandbox workspace-write and --cd <pr-N worktree> (PR #182). Sandbox blocks writes outside cwd — including the main repo's .prompts/decisions/. gpt-5.5 judges (Backend, Frontend & UX) silently failed to persist decisions; claude judges (different sandbox) worked.

Fix: pass --add-dir <project_root> when worktree ≠ PROJECT_ROOT. Sandbox stays in place; just adds the main repo to writeable allowlist. find_decision_file worktree-scan still acts as a safety net.

Test plan

  • cube prv against a PR with mixed claude+codex judges — all 5 decision files land in main repo's .prompts/decisions/
  • Codex writer in writer worktree (worktree == PROJECT_ROOT case) — --add-dir not added (no behaviour change)
  • 237 tests pass (verified locally)

CodexAdapter now grants write access to main repository for decision files

Problem: When Codex judges run in per-PR worktrees with --sandbox workspace-write, the sandbox blocks writes outside the worktree, preventing decision JSON files from landing in the main repo's .prompts/decisions/ directory.

Solution: CodexAdapter._run_once now detects when the worktree differs from the project root and extends the Codex command with --add-dir <project_root>. This whitelists the main repository directory for writes while maintaining sandbox security. The implementation includes error handling to suppress any issues during project-root resolution.

Testing: Tests updated to verify the --add-dir flag is added when needed and command structure remains correct before and after the new argument.

… canonical path

Codex judges run with --sandbox workspace-write and --cd <pr-N worktree> (PR #182). The sandbox blocks writes anywhere outside the cwd workspace — including the main repo's .prompts/decisions/ where decision JSONs MUST land. Result: gpt-5.5 judges (Backend, Frontend & UX) silently failed to write their decisions; only opus/claude judges (which use a different sandbox) actually persisted.

Pass --add-dir <project_root> to codex when worktree differs from PROJECT_ROOT. Sandbox stays in place; just adds the main repo to the writeable allowlist so judges can write the decision file at its canonical absolute path.

find_decision_file's worktree-scan fallback still acts as a safety net for any judge that writes to the worktree's .prompts/decisions/ instead.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@jacsamell jacsamell merged commit 9ff337b into main May 19, 2026
@jacsamell jacsamell deleted the fix/codex-add-dir-project-root branch May 19, 2026 23:19
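
An added example (not code from this PR or the agent-cube project): it builds the sandbox flags the description names and then checks where a decision file actually landed, so a blocked write shows up as "missing" instead of failing silently. The helper names, the `judge.json` filename and the temp-dir layout are assumptions; `--sandbox workspace-write`, `--cd` and `--add-dir` are the flags quoted in the description above.

```python
import tempfile
from pathlib import Path

DECISIONS = Path(".prompts") / "decisions"  # relative path named in the PR


def sandbox_args(worktree, project_root):
    """Sandbox flags for a run in `worktree`; widen writes only when needed."""
    wt, root = Path(worktree).resolve(), Path(project_root).resolve()
    args = ["--sandbox", "workspace-write", "--cd", str(wt)]
    if wt != root:  # resolved comparison: a symlink to the root counts as equal
        args += ["--add-dir", str(root)]
    return args


def locate_decision(worktree, project_root, filename):
    """Return (status, path): 'canonical', 'worktree-fallback' or 'missing'."""
    canonical = Path(project_root).resolve() / DECISIONS / filename
    if canonical.is_file():
        return "canonical", canonical
    stray = Path(worktree).resolve() / DECISIONS / filename
    if stray.is_file():
        return "worktree-fallback", stray
    return "missing", None  # surface this instead of failing silently


def demo():
    """Constructed layout: a main repo plus a pr-N worktree in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "repo"
        wt = Path(tmp) / "worktrees" / "pr-1"
        for d in (root / DECISIONS, wt / DECISIONS):
            d.mkdir(parents=True)
        results = {
            "judge_args": sandbox_args(wt, root),      # worktree != root
            "writer_args": sandbox_args(root, root),   # worktree == root
            "before": locate_decision(wt, root, "judge.json")[0],
        }
        (wt / DECISIONS / "judge.json").write_text("{}")
        results["stray"] = locate_decision(wt, root, "judge.json")[0]
        (root / DECISIONS / "judge.json").write_text("{}")
        results["fixed"] = locate_decision(wt, root, "judge.json")[0]
        return results


if __name__ == "__main__":
    print(demo())
```
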
coderabbitai Bot commented May 19, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f57f0607-ff8d-43c6-a35e-e85699c847f4

📥 Commits

Reviewing files that changed from the base of the PR and between 065bac0 and a1a49de.

📒 Files selected for processing (2)
  • python/cube/core/adapters/codex.py
  • tests/cli/test_adapters.py

Walkthrough

CodexAdapter now detects when Codex executes within a per-PR worktree that differs from the main project root. When detected, it extends the Codex command with --add-dir <project_root> to permit sandbox writes to the repo root's decision JSON directory. Test assertions validate the new argument insertion in both run and resume command scenarios.

Changes

Codex worktree sandbox directory support

Layer / File(s): Worktree detection and sandbox directory extension (python/cube/core/adapters/codex.py)
Summary: _run_once resolves the main project root; when the worktree differs from that root, it appends --add-dir <project_root> to the Codex command to extend workspace-write sandbox permissions whilst maintaining containment. Resolution errors are silently ignored.

Layer / File(s): Test assertions for --add-dir arguments (tests/cli/test_adapters.py)
Summary: Both test_codex_adapter_run_command and test_codex_adapter_resume_command locate the --add-dir argument in captured subprocess args, then assert pre-insertion command structure and validate trailing arguments after the insertion point.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • aetheronhq/agent-cube#171: Both PRs modify the CodexAdapter's Codex command-line invocation, with this PR adding --add-dir <project_root> sandbox support and the other adjusting resume/fresh-run argument construction for stale-rollout recovery.

Poem

A rabbit hops through worktrees deep,
Where sandboxes their vigils keep.
With --add-dir flags held tight,
The project root now sees the light! 🐰✨

