Skip to content

fix: Codex sandbox compatibility and command line accuracy#633

Merged
wesm merged 3 commits intomainfrom
fix/codex-large-diffs
Apr 7, 2026
Merged

fix: Codex sandbox compatibility and command line accuracy#633
wesm merged 3 commits intomainfrom
fix/codex-large-diffs

Conversation

@wesm
Copy link
Copy Markdown
Collaborator

@wesm wesm commented Apr 7, 2026
edited
Loading

Summary

  • Inline snapshot diffs for sandboxed Codex: Codex --sandbox read-only blocks .git/ access, making large-diff snapshot files unreadable. The worker now reads the .git/ snapshot and inlines the diff content into the prompt sent via stdin. The DB keeps the truncated prompt; only the agent sees the full diff. Non-Codex agents continue using .git/ snapshots directly.
  • disable_codex_sandbox config option: On systems where bwrap fails (missing unprivileged user namespace support), add a global config toggle that switches Codex from --sandbox read-only to --dangerously-bypass-approvals-and-sandbox. Hot-reloadable via config watcher.
  • Store actual command line on jobs: The daemon worker now saves the real CommandLine() to the job record when starting each run. The TUI displays this stored value instead of reconstructing it client-side, which missed daemon-only config like disable_codex_sandbox.

🤖 Generated with Claude Code

@roborev-ci
Copy link
Copy Markdown

roborev-ci bot commented Apr 7, 2026

roborev: Combined Review (2486ae7)

Verdict: Changes introduce one high-severity prompt-size regression and two medium-severity correctness/security issues that should be addressed before merge.

High

  • internal/daemon/worker.go:507, internal/daemon/worker.go:1071

    Re-inlining the full snapshot content into the agent prompt bypasses the existing oversized-diff guard. That defeats the reason the snapshot file was created and can push Codex requests back over prompt/context limits, causing large reviews to fail or lose context.

    Suggested fix: preserve a hard size/token cap before inlining, or keep the file-reference flow for oversized diffs by making the snapshot available through a sandbox-readable path instead of always expanding it inline.

Medium

  • internal/daemon/worker.go:1063, internal/daemon/worker.go:1075

    expandSnapshotInline only replaces the first roborev-snapshot-*.diff reference in the prompt. If a prompt contains multiple oversized-diff sections, later snapshot references remain unresolved, so sandboxed Codex can still review incomplete input.

    Suggested fix: replace all matching snapshot-reference blocks and add a test covering multiple snapshot references in one prompt.

  • internal/daemon/worker.go:1069

    expandSnapshotInline recovers the snapshot path by regex-parsing the free-form reviewPrompt and passes the extracted backtick-quoted path directly to os.ReadFile. Because prompt content can include externally sourced repository text, a crafted prompt fragment could steer this toward a different local snapshot file than intended, creating an unintended local file-read primitive and potentially leaking local data into the model prompt.

    Suggested fix: carry the snapshot path as structured trusted state instead of extracting it from prompt text. If text parsing must remain, constrain extraction to the exact daemon-generated fallback block and verify the resolved path stays within the expected snapshot directory for the current job before reading it.

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

@wesm @claude
fix: Codex sandbox compatibility for large diffs and broken bwrap
f3d62af 
Two issues prevented Codex reviews from working:

1. Large diffs: Codex --sandbox read-only blocks .git/ access, so
   snapshot files are unreadable. The worker now reads the .git/
   snapshot and inlines the diff content into the prompt sent via
   stdin. The DB keeps the truncated prompt; only the agent sees
   the full diff.

2. Broken bwrap: On systems without unprivileged user namespace
   support, the bwrap sandbox fails entirely. Add global config
   option `disable_codex_sandbox` that switches Codex to --full-auto
   mode. Hot-reloadable via config watcher.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@wesm wesm force-pushed the fix/codex-large-diffs branch from 2486ae7 to f3d62af Compare April 7, 2026 12:09
@roborev-ci
Copy link
Copy Markdown

roborev-ci bot commented Apr 7, 2026

roborev: Combined Review (f3d62af)

Summary verdict: One medium-severity correctness issue should be addressed before merge.

Medium

  • internal/daemon/worker.go:1090: expandSnapshotInline finds the fallback block start with strings.Index(reviewPrompt, "(Diff too large") (or the alternate fallback text) from the beginning of the prompt. If that phrase appears earlier in repo-sourced text such as a PR description or commit message, the function can delete unrelated prompt content before the real snapshot reference. Anchor the replacement to the matched snapshot reference instead: locate the snapshot reference first, then use strings.LastIndex on the prefix before that reference to find the actual fallback block start. A regression test covering an earlier incidental (Diff too large...) string in the prompt would lock this down.

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

wesm and others added 2 commits April 7, 2026 07:18
@wesm @claude
fix: use full sandbox bypass when codex sandbox is disabled
3ba4586 
--full-auto still uses bwrap internally, so systems without
unprivileged user namespace support still fail. Use
--dangerously-bypass-approvals-and-sandbox instead, which
truly disables the sandbox.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@wesm @claude
fix: store actual command line on job, use full sandbox bypass
9139c70 
Two fixes:
- Worker saves the actual agent command line to the job DB on each
  run. TUI displays the stored value instead of reconstructing it
  client-side (which missed daemon-only config like
  disable_codex_sandbox). Reconstructed as fallback for old jobs.
- Use --dangerously-bypass-approvals-and-sandbox instead of
  --full-auto when sandbox is disabled, since --full-auto still
  uses bwrap internally.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@roborev-ci
Copy link
Copy Markdown

roborev-ci bot commented Apr 7, 2026

roborev: Combined Review (9139c70)

Verdict: No Medium, High, or Critical issues found.

All review outputs were clean after deduplication.

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

@wesm wesm changed the title fix: inline snapshot diffs for sandboxed Codex reviews fix: Codex sandbox compatibility and command line accuracy Apr 7, 2026
@wesm wesm merged commit ef9d858 into main Apr 7, 2026
8 checks passed
@wesm wesm deleted the fix/codex-large-diffs branch April 7, 2026 12:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@wesm