docs: disclose codex isolation limits

docs-site/content/docs/cli-reference/ktx-status.mdx

@@ -61,6 +61,12 @@ For `llm.provider.backend: codex`, `ktx status` runs a minimal non-interactive
 Codex request. If the probe fails, authenticate Codex locally with the Codex CLI
 and verify the Codex CLI installation.
 
+When `llm.provider.backend: codex` is configured, `ktx status` also prints a
+warning when the installed public Codex SDK and CLI surface cannot prove full
+Claude-Code-style isolation. The warning does not block authenticated Codex
+usage, but it marks the project status as partial so you can make an explicit
+runtime-isolation decision.
+
 A `Local data` section summarises what the project has accumulated locally:
 ingest run counts, last completed timestamp per connection, knowledge page
 counts by scope, semantic-layer source and dictionary value counts, and the

docs-site/content/docs/guides/llm-configuration.mdx

@@ -74,8 +74,15 @@ enrichment, memory, and other LLM-backed work through Codex.
 
 During runtime loops, **ktx** starts a temporary loopback MCP server for the
 current run, exposes only the tools passed to that run, asks Codex to use a
-read-only sandbox with approval disabled, auto-approves only those run-scoped
-MCP tools, and disables Codex web search.
+read-only sandbox, sets `approval_policy=never`, auto-approves only those
+run-scoped MCP tools, and disables Codex web search.
+
+Codex backend isolation is currently limited by the public Codex SDK and CLI
+surface. Codex may still load user Codex config and built-in command execution
+or read-only file capabilities. Use `llm.provider.backend: claude-code` when
+you need stricter Claude-Code-style runtime tool isolation, or remove host
+Codex MCP and tool config before running untrusted prompts through the `codex`
+backend.
 
 ## Prompt caching