
fix: do not symlink .codex folders #23593

Merged: spalladino merged 1 commit into merge-train/spartan from spl/fix-codex-sandbox on May 27, 2026

@spalladino spalladino commented May 27, 2026


This causes Codex sandbox to fail and the apply_patch command to fail. Fix is to remove the symlinks for all the .codex folders, and instead create actual folders with symlinks in their contents. A pre-commit hook checks that all contents are symlinked.

The issue is the tracked symlink:

```
yarn-project/.codex -> .claude
```

The sandbox is trying to enforce /home/santiago/Projects/aztec-4/yarn-project/.codex as a read-only
path, but yarn-project is also a writable root. Since .codex is a symlink inside that writable root,
bubblewrap refuses to set up the sandbox:

```
Fatal error: cannot enforce sandbox read-only path .../.codex
because it crosses writable symlink .../.codex
```

So apply_patch is not uniquely broken. I reproduced the same sandbox setup failure with simple
sandboxed commands like pwd and ls. Commands that are already approved or explicitly escalated can
still run because they bypass that sandbox path setup.

This issue had been introduced in #23400.
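A sketch of the kind of check the description attributes to the pre-commit hook, as an added example that is not the repository's own hook: it rejects a `.codex` that is itself a symlink and requires every entry inside it to be a resolvable symlink. The function names and the assumption that entries point into a sibling `.claude` folder are hypothetical.

```shell
# Added example, not the project's hook. Assumed layout: <root>/.codex is a
# real directory whose entries are symlinks (for instance into ../.claude).

# check_codex_dir DIR: return 0 if DIR is a real directory that contains only
# resolvable symlinks; print each problem found and return 1 otherwise.
check_codex_dir() {
  local dir="$1" entry status=0
  # A symlinked .codex under a writable root is the case the sandbox refuses.
  if [ -L "$dir" ]; then
    echo "FAIL: $dir is itself a symlink (-> $(readlink "$dir"))"
    return 1
  fi
  if [ ! -d "$dir" ]; then
    echo "FAIL: $dir is not a directory"
    return 1
  fi
  # Visit dotfiles too; skip the literal pattern when a glob matches nothing.
  for entry in "$dir"/* "$dir"/.[!.]*; do
    [ -e "$entry" ] || [ -L "$entry" ] || continue
    if [ ! -L "$entry" ]; then
      echo "FAIL: $entry is a real file or folder, expected a symlink"
      status=1
    elif [ ! -e "$entry" ]; then
      echo "FAIL: $entry is a dangling symlink (-> $(readlink "$entry"))"
      status=1
    fi
  done
  return "$status"
}

# check_all_codex_dirs ROOT: run the check on every .codex found under ROOT.
check_all_codex_dirs() {
  local root="$1" path status=0
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    check_codex_dir "$path" || status=1
  done <<EOF
$(find "$root" -name .codex ! -path '*/node_modules/*')
EOF
  return "$status"
}
```

Calling `check_all_codex_dirs .` from the repository root and exiting non-zero on failure is enough to wire it into a hook.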

@AztecBot


Flakey Tests

🤖 says: This CI run detected 1 tests that failed, but were tolerated due to a .test_patterns.yml entry.

FLAKED (http://ci.aztec-labs.com/3e5b6e00b65f948b): yarn-project/end-to-end/scripts/run_test.sh simple src/e2e_epochs/epochs_invalidate_block.parallel.test.ts "archiver skips a descendant of an invalid-attestations checkpoint" (434s) (code: 0) group:e2e-p2p-epoch-flakes

@spalladino spalladino merged commit 129eb13 into merge-train/spartan May 27, 2026
17 checks passed
@spalladino spalladino deleted the spl/fix-codex-sandbox branch May 27, 2026 17:39
spalladino added a commit that referenced this pull request May 27, 2026
Fixes issue introduced in #23593.

Also fixes the content hash so they run on any change to claude or codex
folders, which caused the test failure to go unnoticed in the PR where
it was introduced.
danielntmd pushed a commit to danielntmd/aztec-packages that referenced this pull request Jun 4, 2026
BEGIN_COMMIT_OVERRIDE
fix(archiver): skip descendants of invalid-attestations checkpoints
(AztecProtocol#23502)
chore: scale network validators (AztecProtocol#23579)
fix(ci): nightly 10 TPS bench GCP auth and checkout (AztecProtocol#23586)
chore: set eth node resource profile (AztecProtocol#23583)
fix: wait for checkpoint before sentinel assertions (AztecProtocol#23573)
fix: slash attestations for invalid checkpoint proposals (AztecProtocol#23506)
test: fix web3signer pipelining
`e2e_multi_validator_node_key_store.test.ts` (AztecProtocol#23568)
fix: cap CI devbox hostname (AztecProtocol#23591)
test: stabilize invalid checkpoint descendant e2e (AztecProtocol#23582)
test(e2e): stabilize invalidation slots in `proposer invalidates
multiple checkpoints` (AztecProtocol#23590)
test(e2e): stabilize invalid proposal slashing target slot in
`attested_invalid_proposal` (AztecProtocol#23589)
chore(foundation): faster toBufferBE via zero fast-path (AztecProtocol#23592)
fix: honour BB_BINARY_PATH (AztecProtocol#23570)
chore: bump reth and lighthouse (AztecProtocol#23588)
chore: add web3signer and postgres node selectors (AztecProtocol#23598)
fix: do not symlink .codex folders (AztecProtocol#23593)
chore: fix claude and codex symlinking tests (AztecProtocol#23599)
test(e2e): narrow down sentinel check in `multiple_validators_sentinel`
(AztecProtocol#23604)
test(e2e): fix `proposer invalidates multiple checkpoints` timeout
(AztecProtocol#23608)
fix: record zero-amount slashing offenses (AztecProtocol#23556)
fix: log slashing offense names (AztecProtocol#23565)
feat(p2p): tx validation cache (AztecProtocol#23585)
chore: add KEDA deployment module (AztecProtocol#23553)
chore: add KEDA prover agent autoscaling (AztecProtocol#23554)
chore: update destroy_bootnode.sh (AztecProtocol#23626)
chore: skip failing chonk_pinned_inputs.test in CI (AztecProtocol#23643)
chore(ci): tolerate public authwit P2P receipt flake (AztecProtocol#23648)
END_COMMIT_OVERRIDE