Summary
A headless codex session (created with an initial prompt) runs codex exec in a read-only sandbox and cannot write files. It hard-blocks with "Blocked: the workspace is read-only, so index.html could not be [written]" and then goes silently to awaiting_input — no approval request, no error event the user can act on.
Why it happens
In crates/adapter-codex/src/main.rs the headless exec path:
- adds no
--sandbox / -a (--ask-for-approval) flag, so codex uses its default read-only policy; and
- ignores
AdapterInboxMsg::SetApprovalMode (the match arm just continues).
So changing the session approval mode (Manual / Auto-review / Unsafe-auto) in the TUI or webui has no effect on a headless codex session, and there is no agent new flag for sandbox/approval. The only workaround was reconfiguring the adapter command and restarting the daemon:
[adapters.codex.env]
AGENTD_CODEX_CMD = "codex --sandbox workspace-write --ask-for-approval never"
Repro
- Isolated daemon, default config.
agent new codex "edit index.html to add X" --cwd <repo>
- Session reports read-only block and stops; the file is never written.
Suggested fix
- Map the session approval mode to codex flags in the
exec path, e.g. UnsafeAuto → --dangerously-bypass-approvals-and-sandbox, AutoReview → --sandbox workspace-write -a on-failure, Manual → read-only.
- Surface the read-only block as an error/approval event with a hint, not a silent
awaiting_input.
- Document the codex sandbox default in
docs/harnesses.md.
Related: #271 (auto-approve policy for codex/antigravity).
Found during an isolated dogfood run building a browser game with claude/codex/zarvis.
Summary
A headless codex session (created with an initial prompt) runs
codex execin a read-only sandbox and cannot write files. It hard-blocks with "Blocked: the workspace is read-only, soindex.htmlcould not be [written]" and then goes silently toawaiting_input— no approval request, no error event the user can act on.Why it happens
In
crates/adapter-codex/src/main.rsthe headlessexecpath:--sandbox/-a(--ask-for-approval) flag, so codex uses its default read-only policy; andAdapterInboxMsg::SetApprovalMode(the match arm justcontinues).So changing the session approval mode (Manual / Auto-review / Unsafe-auto) in the TUI or webui has no effect on a headless codex session, and there is no
agent newflag for sandbox/approval. The only workaround was reconfiguring the adapter command and restarting the daemon:Repro
agent new codex "edit index.html to add X" --cwd <repo>Suggested fix
execpath, e.g.UnsafeAuto → --dangerously-bypass-approvals-and-sandbox,AutoReview → --sandbox workspace-write -a on-failure,Manual → read-only.awaiting_input.docs/harnesses.md.Related: #271 (auto-approve policy for codex/antigravity).