docs: clarify autonomous Codex sandbox limitations

AUTONOMOUS-CODEX.md

@@ -7,6 +7,10 @@ profile:
 ./codex-auto
 ```
 
+Start a fresh session with this command. Running plain `codex`, opening Codex
+through an editor integration, or continuing an already-running session does
+not automatically activate this profile.
+
 For a non-interactive task:
 
 ```sh
@@ -22,7 +26,7 @@ The profile:
 - limits filesystem access to minimal runtime files plus this project
 - allows writes in this project
 - keeps `.codex` and `www.azinstitute4autism.com` read-only
-- permits normal Git operations, including staging and committing
+- permits read-only Git inspection
 - enables live web search and outbound network retrievals
 
 Outbound network access is domain-unrestricted because package installation and
@@ -50,3 +54,28 @@ curl -fsS https://registry.npmjs.org/astro >/dev/null
 ```
 
 Live web search is separate from shell network access and remains enabled.
+
+In the current environment, the beta network proxy permits retrievals but
+sandboxed command-line tools may fail HTTPS certificate verification. Do not
+disable certificate verification for package installation or sensitive
+retrievals; use live web search or review the retrieval from the host instead.
+
+## Git limitation
+
+Codex always protects `.git` recursively in its `workspace-write` sandbox.
+Agents can inspect Git state and diffs, but cannot stage or commit. This cannot
+be overridden by a permissions profile.
+
+For autonomous commits, use an outer container or VM as the security boundary,
+mount only this project into it, and run Codex with full access inside that
+isolated environment. Otherwise, review and commit agent changes from the host.
+
+Writes that appear to succeed directly under `/home/alice` are made to the
+sandbox's temporary in-memory root. They do not modify the host home directory.
+
+Check the startup banner before assigning work. It should report:
+
+```txt
+approval: never
+sandbox: workspace-write ... (network access enabled)
+```