{
"id": "sandbox:codex-read-only",
"_kind": "Sandbox",
"_file": "lifecycle/sandboxes/codex-sandboxes.yaml",
"_cluster": "lifecycle",
"attributes": {
"displayName": "Codex read-only sandbox",
"filesystemPolicy": "read-only",
"networkPolicy": "none",
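"description": "Codex CLI sandbox mode `read-only`: shell commands run with filesystem writes blocked; reads under the workspace remain allowed. As modelled in this record, network access is also denied (`networkPolicy` is `none`). This is the most restrictive documented Codex sandbox mode.\n",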
"fsAllowList": [
"<workspace>/**"
],
"fsDenyList": [
"<workspace>/**:write"
],
"netAllowList": [],
"netDenyList": [
"*"
],
"execAllowedBinaries": [],
"execDeniedBinaries": [],
"envVarScope": "inherit-allowlist",
"secretAccessScope": "none",
"auditLogPolicy": "structured-jsonl",
"policyEvaluationPoint": "continuous"
},
"outgoingEdges": [
{
"from": "sandbox:codex-read-only",
"to": "layer:9-sandbox",
"kind": "realizes",
"attributes": {}
}
],
"incomingEdges": [
{
"from": "claim:codex-research-sandbox-modes",
"to": "sandbox:codex-read-only",
"kind": "about_subject"
}
]
}