fix: only allow running without sandbox if explicitly marked in safe container (#699)

Signed-off-by: Thibault Sottiaux <tibo@openai.com>

codex-cli/src/utils/config.ts

@@ -65,6 +65,8 @@ export let OPENAI_API_KEY = process.env["OPENAI_API_KEY"] || "";
 export const OPENAI_ORGANIZATION = process.env["OPENAI_ORGANIZATION"] || "";
 export const OPENAI_PROJECT = process.env["OPENAI_PROJECT"] || "";
 
+// Can be set `true` when Codex is running in an environment that is marked as already
+// considered sufficiently locked-down so that we allow running wihtout an explicit sandbox.
 export const CODEX_UNSAFE_ALLOW_NO_SANDBOX = Boolean(
   process.env["CODEX_UNSAFE_ALLOW_NO_SANDBOX"] || "",
 );