In Home directory Sandbox is set to 'workspace-write' instead of 'read-only'

[kingtistel]

What version of Codex is running?

codex-cli 0.93.0

What subscription do you have?

Business

Which model were you using?

gpt-5.2-codex

What platform is your computer?

Darwin 25.2.0 arm64 arm

What terminal emulator and version are you using (if applicable)?

iTerm2

What issue are you seeing?

When starting codex-cli in the Home directory -- or any directory not under version control -- after the first time, codex is started with Sandbox: workspace-write and Approval: untrusted instead of read-only / on-request.

What steps can reproduce the bug?

1. Start codex in Home directory -- or any directory not under version control -- for the first time,
2. You're presented with a question to select the approval policy -- defaulted to require approval,

3. Accept the default,
4. Check status with /status -- it shows Sandbox: read-only and Approval: on-request,
5. Exit and relaunch codex
6. Check status with /status -- it now shows Sandbox: workspace-write and Approval: untrusted.

What is the expected behavior?

Expected is that each time starting codex from Home directory or any directory not under version control:

1. Be asked our approval selection,
   -OR-
2. Start with the previously selected choice.
   (¿ How would we change our selection in this flow is chosen ?)

Additional information

No response

[github-actions]

Potential duplicates detected. Please review them and close your issue if it is a duplicate.

• ~/.codex/ treated as project config when running from home directory #9932
• Codex doesn't persist previous approval level #8193
• Show warning/hint if you have a project .codex/config.toml but project does not have a trust setting #10389

Powered by Codex Action

[kingtistel]

Hi,
I don't think this issue is a duplicate of any of the other ones mentioned by Github-actions,
and I was asked to split this issue from #9932 .

[kingtistel]

A W/A I found -- not sure how convenient -- is to ctrl-c the approval selection request.

[etraut-openai]

Thanks for the bug report. There is a bug here, but it's a little different than what you reported. The trust level informs the approval mode (whether tool calls need to be approved by the user) but not the sandbox mode (whether the agent can write to files). In both cases, the sandbox mode should be workspace-write after the trust level has been established.

The bug occurs only the first time the trust level is established. On subsequent invocations, the sandbox mode is correctly reported as workspace-write.