How to use workflow in danger-full-access in sandbox-mode?

[rocxteady]

I edited .codex/config.toml as:
sandbox_mode = "danger-full-access"
approval_policy = "never"

and when i go into codex in cli i can see its in yolo mode. But when i run a workflow. The cli says in read only mode. Check the log please:

ulas.sancak@Ulass-MacBook-Pro speckit9 % specify workflow run ./spec/bootstrap-spec.workflow.yaml -i integration=codex

Running workflow: Autonomous bootstrap foundation (no gates) (bootstrap-implement)
Version: 1.0.0

  ▸  speckit.specify …
2026-06-16T19:10:44.359143Z ERROR rmcp::transport::worker: worker quit with fatal: Transport channel closed, when Client(HttpRequest(HttpRequest("http/request failed: error sending request for url (http://127.0.0.1:3845/mcp)")))
OpenAI Codex v0.140.0
--------
workdir: /Users/ulas.sancak/Desktop/Projects/speckit9
model: gpt-5.5
provider: openai
approval: never
sandbox: read-only
reasoning effort: medium
reasoning summaries: none
session id: 019ed1d7-d822-7212-a0da-da2289c91dbf

So lots of things is not working because it cant write to file system.

How can i fix this?
Thanks

[mnriem]

Thanks for the detailed log — this is a real gap in the Codex integration, not a config mistake on your end.

Why it happens

When you run a workflow, Spec Kit starts Codex non-interactively via codex exec. The command CodexIntegration.build_exec_args builds is essentially:

codex exec "<prompt>" [--model …] [--json]

No sandbox or approval flags are passed. codex exec defaults to sandbox: read-only and does not inherit the permissions from your interactive "yolo" session, so the workflow always runs read-only — exactly what your log shows (approval: never, sandbox: read-only).

The root problem: the CodexIntegration doesn't model Codex's own flags (--sandbox, --full-auto, --ask-for-approval / --dangerously-bypass-approvals-and-sandbox). It builds a bare codex exec invocation that ignores them.

Side note: Codex reads ~/.codex/config.toml ($CODEX_HOME), so a project-local .codex/config.toml may be ignored entirely — but even with the global config, codex exec would still default to read-only here.

How to unblock yourself today

There's a generic escape hatch that injects extra flags into the spawned process:

export SPECKIT_INTEGRATION_CODEX_EXTRA_ARGS="--dangerously-bypass-approvals-and-sandbox"
# then
specify workflow run ./spec/bootstrap-spec.workflow.yaml -i integration=codex

[rocxteady]

Thank you for the advice. What about claude? Does claude have this problem also? What should i do with Claude?