Bug description
When running /codex:review on Windows, the Codex review produces no useful output because every shell command is rejected by the sandbox policy in the app-server path.
Observed behavior
All commands are declined with blocked by policy:
ERROR codex_core::tools::router: "powershell.exe" -Command 'git status --short' rejected: blocked by policy
ERROR codex_core::tools::router: "powershell.exe" -Command 'Write-Output hi' rejected: blocked by policy
The review output:
Shell access to inspect the working tree was blocked in this session, so I could not review the staged/unstaged/untracked changes directly.
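To triage a session like this one from its logs rather than from the empty review text, here is a small log parser (an added example, not part of the report or of Codex itself) that extracts each rejected tool invocation from lines in the format shown above and reports whether every rejection was a policy block and whether the shell Codex chose differs from the session's expected shell. The log format is assumed to match the two lines quoted in the report; the sample log is constructed.

```python
import re
from dataclasses import dataclass

# Log format as quoted in the bug report: the tool router logs the shell
# executable, the command it was asked to run, and the rejection reason.
# Assumption: every rejection is logged on one line in exactly this shape.
ROUTER_LINE = re.compile(
    r'ERROR codex_core::tools::router: "(?P<shell>[^"]+)" -Command '
    r"'(?P<command>[^']*)' rejected: (?P<reason>.+)$"
)


@dataclass(frozen=True)
class RejectedCommand:
    shell: str
    command: str
    reason: str


def parse_router_log(text: str) -> list[RejectedCommand]:
    """Extract every rejected tool invocation from Codex router log output."""
    rejected = []
    for line in text.splitlines():
        m = ROUTER_LINE.search(line.strip())
        if m:
            rejected.append(RejectedCommand(m["shell"], m["command"], m["reason"]))
    return rejected


def diagnose(text: str, expected_shell: str = "bash") -> dict:
    """Summarise a session: how many commands were blocked, whether all of them
    were policy blocks, and whether Codex used a shell other than the one the
    surrounding session runs (Git Bash in the report, hence "bash")."""
    rejected = parse_router_log(text)
    shells = sorted({r.shell.lower() for r in rejected})
    return {
        "blocked": len(rejected),
        "all_policy_blocks": all(r.reason == "blocked by policy" for r in rejected),
        "shells_used": shells,
        "shell_mismatch": any(expected_shell not in s for s in shells),
        "commands": [r.command for r in rejected],
    }


# Constructed sample: the two lines quoted in the report plus one unrelated line.
SAMPLE_LOG = """\
INFO codex_core::session: starting review
ERROR codex_core::tools::router: "powershell.exe" -Command 'git status --short' rejected: blocked by policy
ERROR codex_core::tools::router: "powershell.exe" -Command 'Write-Output hi' rejected: blocked by policy
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```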
Key detail: Git Bash environment
Our Claude Code session uses Git Bash as its shell, but Codex CLI ignores this and defaults to PowerShell for all command execution on Windows.
Investigation & root cause
We tested three approaches:
| Approach | Result |
| --- | --- |
| codex review -c 'sandbox_permissions=["disk-full-read-access"]' (CLI direct) | Works — review completes successfully |
| config.toml with sandbox_permissions = ["disk-full-read-access"] + plugin app-server path | Fails — config not respected by app-server |
| Plugin app-server path (default sandbox: "read-only") | Fails — all commands blocked |
Root cause: The app-server's thread/start RPC accepts a sandbox parameter (read-only / workspace-write / danger-full-access) but does not accept sandboxPermissions. The read-only sandbox mode on Windows blocks all PowerShell commands, including purely read-only ones like git status --short and Write-Output hi. The config.toml sandbox_permissions setting is only respected by the direct CLI path, not the app-server.
This means:
- The plugin cannot work around this issue — it has no way to pass sandbox permissions through the app-server protocol
- The fix must be in codex-cli core: either the read-only sandbox mode needs to properly handle Windows/PowerShell, or the app-server thread/start protocol needs to support sandboxPermissions
Steps to reproduce
- Windows 11, with Git Bash as the shell in Claude Code
- Node.js v22.17.0, codex-cli 0.117.0, codex-plugin-cc v1.0.1
- Have a repo with uncommitted changes
- Run /codex:review in Claude Code
- All commands are "blocked by policy" and review returns empty
Suggested fix (codex-cli core)
Either:
- Option A: Make read-only sandbox mode on Windows allow read-only shell commands via PowerShell (consistent with bash behavior on macOS/Linux)
- Option B: Add sandboxPermissions support to the app-server thread/start protocol, so the plugin can pass ["disk-full-read-access"]
- Option C: Have the app-server respect config.toml sandbox_permissions when creating threads
Workaround (CLI only)
Users can bypass the issue by using codex review directly from the terminal:
codex review --uncommitted -c 'sandbox_permissions=["disk-full-read-access"]'
This does not help when using the plugin via /codex:review.
Environment
- OS: Windows 11 Pro (10.0.22631)
- Shell (Claude Code): Git Bash
- Shell (Codex): PowerShell (hardcoded)
- Node.js: v22.17.0
- codex-cli: 0.117.0
- codex-plugin-cc: v1.0.1
Related
- … spawn ENOENT)
- … (codex_core::tools::router policy + app-server protocol), filed here for visibility since the plugin is the entry point.