codex sandbox linux --full-auto reports successful writes that do not persist to host filesystem #15534

@aquiles-ai123

codex sandbox linux --full-auto reports successful writes that do not persist to the host filesystem

Summary

The codex sandbox linux --full-auto subcommand appears to run commands successfully and allows them to observe files they just created inside the sandbox, but those writes do not appear on the host filesystem afterward.

This happens for both:

  • a file in the current working directory
  • a file in /tmp

The command exits with status 0 and produces no error.

Environment

  • Codex CLI: codex-cli 0.116.0
  • Host OS: Pop!_OS 22.04 LTS
  • bubblewrap: bubblewrap 0.6.1
  • Repo used for repro: /home/cryptotrading74/AQUILES_GRID_CORE_TEST_REPO

Repro

Start from a clean state:

rm -f /tmp/helper_inside_tmp.txt /home/cryptotrading74/AQUILES_GRID_CORE_TEST_REPO/helper_inside_cwd.txt

Run:

cd /home/cryptotrading74/AQUILES_GRID_CORE_TEST_REPO
codex sandbox linux --full-auto /bin/bash -lc "touch helper_inside_cwd.txt /tmp/helper_inside_tmp.txt && test -f helper_inside_cwd.txt && echo INSIDE_CWD_PRESENT && test -f /tmp/helper_inside_tmp.txt && echo INSIDE_TMP_PRESENT"

Observed output:

INSIDE_CWD_PRESENT
INSIDE_TMP_PRESENT

Now check from the host after the command exits:

test -f /home/cryptotrading74/AQUILES_GRID_CORE_TEST_REPO/helper_inside_cwd.txt && echo OUTSIDE_CWD_PRESENT || echo OUTSIDE_CWD_ABSENT

test -f /tmp/helper_inside_tmp.txt && echo OUTSIDE_TMP_PRESENT || echo OUTSIDE_TMP_ABSENT

Observed output:

OUTSIDE_CWD_ABSENT
OUTSIDE_TMP_ABSENT

Additional minimal repro

This also exits 0 with visible stdout, but does not leave the file on the host:

cd /home/cryptotrading74/AQUILES_GRID_CORE_TEST_REPO
codex sandbox linux --full-auto /bin/bash -lc "pwd; touch helper_cwd_probe; echo helper_done"

Observed output:

/home/cryptotrading74/AQUILES_GRID_CORE_TEST_REPO
helper_done

But helper_cwd_probe is absent afterward on the host.

Expected behavior

If codex sandbox linux --full-auto is advertised as running commands in a sandbox with writable cwd and /tmp, successful writes should persist to the host filesystem in those locations.

If the subcommand is intentionally using an ephemeral overlay, that should be clearly documented and the CLI should not imply that writes are affecting the host workspace.

Actual behavior

Writes appear successful inside the sandbox but are discarded from the host view, with no error and exit status 0.

Why this matters

This makes the codex sandbox linux subcommand misleading for debugging or validating real filesystem behavior. A command can appear to succeed and verify its own writes, while leaving no change outside the sandbox.

Suggested title

codex sandbox linux --full-auto reports successful writes that do not persist to host filesystem
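
A host-side check for the behaviour reported above, as an added example that is not part of the issue or of the Codex project: it has a sandbox runner create and self-verify a marker file, as the repro does, then re-checks the marker from the host after the runner exits. The function names, marker file name and verdict strings are assumptions made for this example, and it uses /bin/sh -c where the report uses /bin/bash -lc.

```shell
#!/bin/sh
# Added example; names and verdict strings are hypothetical, not Codex's.
#
# probe_write DIR RUNNER...
#   Has RUNNER create a marker in DIR and verify it from inside (the same
#   touch + test -f pattern as the report), then looks for it from the host.
#   Prints PERSISTED, DISCARDED or WRITE_DENIED; returns 0, 1 or 2.
#   Assumes DIR contains no single quotes (it is embedded in a quoted string).
probe_write() {
    probe_dir=$1; shift
    probe_marker="$probe_dir/.sandbox_probe_$$"
    # Inside view: what the sandboxed command itself believes happened.
    probe_out=$("$@" /bin/sh -c \
        "touch '$probe_marker' && test -f '$probe_marker' && echo INSIDE_PRESENT" \
        2>/dev/null) || true
    case $probe_out in
        *INSIDE_PRESENT*) ;;
        *) echo WRITE_DENIED; return 2 ;;   # blocked write or runner failure
    esac
    # Host view: only this check shows whether the write left the sandbox.
    if [ -f "$probe_marker" ]; then
        rm -f "$probe_marker"
        echo PERSISTED; return 0
    fi
    echo DISCARDED; return 1                # the case described in the report
}

# probe_all RUNNER...: check the two locations named in the report.
probe_all() {
    probe_rc=0
    for probe_loc in "$PWD" /tmp; do
        probe_verdict=$(probe_write "$probe_loc" "$@") || probe_rc=1
        echo "$probe_loc: $probe_verdict"
    done
    return $probe_rc
}

# Run as: sh probe.sh codex sandbox linux --full-auto
if [ "$#" -gt 0 ]; then probe_all "$@"; fi
```

A DISCARDED verdict means the command's exit status and its own self-check cannot be used as evidence that the host workspace changed.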

Labels: bug (Something isn't working), sandbox (Issues related to permissions or sandboxing)