fix: put read-only permission in review thread

codex-rs/core/src/codex.rs

@@ -1844,6 +1844,7 @@ async fn spawn_review_thread(
             per_turn_config.model_family.slug.as_str(),
         );
 
+    let review_sandbox_policy = SandboxPolicy::ReadOnly;
     let per_turn_config = Arc::new(per_turn_config);
     let client = ModelClient::new(
         per_turn_config.clone(),
@@ -1865,7 +1866,7 @@ async fn spawn_review_thread(
         base_instructions: Some(base_instructions.clone()),
         compact_prompt: parent_turn_context.compact_prompt.clone(),
         approval_policy: parent_turn_context.approval_policy,
-        sandbox_policy: parent_turn_context.sandbox_policy.clone(),
+        sandbox_policy: review_sandbox_policy,
         shell_environment_policy: parent_turn_context.shell_environment_policy.clone(),
         cwd: parent_turn_context.cwd.clone(),
         final_output_json_schema: None,

codex-rs/core/src/tasks/review.rs

@@ -16,6 +16,7 @@ use tokio_util::sync::CancellationToken;
 use crate::codex::Session;
 use crate::codex::TurnContext;
 use crate::codex_delegate::run_codex_conversation_one_shot;
+use crate::protocol::SandboxPolicy;
 use crate::review_format::format_review_findings_block;
 use crate::state::TaskKind;
 use codex_protocol::user_input::UserInput;
@@ -96,6 +97,8 @@ async fn start_review_conversation(
     sub_agent_config.user_instructions = None;
     // Avoid loading project docs; reviewer only needs findings
     sub_agent_config.project_doc_max_bytes = 0;
+    // Enforce read-only sandbox for the review child session.
+    sub_agent_config.sandbox_policy = SandboxPolicy::ReadOnly;
     // Carry over review-only feature restrictions so the delegate cannot
     // re-enable blocked tools (web search, view image).
     sub_agent_config