Make it so CONFIG_DIR is not in the list of writable roots by default (#419)

To play it safe, let's keep `CONFIG_DIR` out of the default list of writable roots. This also fixes an issue where `execWithSeatbelt()` was modifying `writableRoots` instead of creating a new array. --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/419). * #423 * #420 * __->__ #419
2025-04-20 09:37:07 -07:00
parent 425430debb
commit e372e4667b
2 changed files with 8 additions and 9 deletions
--- a/codex-cli/src/utils/agent/sandbox/raw-exec.ts
+++ b/codex-cli/src/utils/agent/sandbox/raw-exec.ts
@@ -21,7 +21,7 @@ const MAX_BUFFER = 1024 * 100; // 100 KB
 export function exec(
  command: Array<string>,
  options: SpawnOptions,
-  _writableRoots: Array<string>,
+  _writableRoots: ReadonlyArray<string>,
  abortSignal?: AbortSignal,
 ): Promise<ExecResult> {
  // Adapt command for the current platform (e.g., convert 'ls' to 'dir' on Windows)