diff --git a/skills/autonomous-ai-agents/codex/SKILL.md b/skills/autonomous-ai-agents/codex/SKILL.md index a796852b754..87b5666fcda 100644 --- a/skills/autonomous-ai-agents/codex/SKILL.md +++ b/skills/autonomous-ai-agents/codex/SKILL.md @@ -74,6 +74,25 @@ process(action="kill", session_id="") | `exec "prompt"` | One-shot execution, exits when done | | `--full-auto` | Sandboxed but auto-approves file changes in workspace | | `--yolo` | No sandbox, no approvals (fastest, most dangerous) | +| `--sandbox danger-full-access` | No Codex sandbox; useful when the host service context breaks bubblewrap | + +## Hermes Gateway Caveat + +When invoking the Codex CLI from a Hermes gateway/service context (for example, +Telegram-driven agent sessions), Codex `workspace-write` sandboxing may fail even +when the same command works in the user's interactive shell. A typical symptom is +bubblewrap/user-namespace errors such as `setting up uid map: Permission denied` +or `loopback: Failed RTM_NEWADDR: Operation not permitted`. + +In that context, prefer: + +``` +codex exec --sandbox danger-full-access "" +``` + +Use process boundaries as the safety layer instead: explicit `workdir`, clean git +status before launch, narrow task prompts, `git diff` review, targeted tests, and +human/agent confirmation before committing broad changes. ## PR Reviews diff --git a/website/docs/user-guide/skills/bundled/autonomous-ai-agents/autonomous-ai-agents-codex.md b/website/docs/user-guide/skills/bundled/autonomous-ai-agents/autonomous-ai-agents-codex.md index 3482f2303c1..eb84c50d1e7 100644 --- a/website/docs/user-guide/skills/bundled/autonomous-ai-agents/autonomous-ai-agents-codex.md +++ b/website/docs/user-guide/skills/bundled/autonomous-ai-agents/autonomous-ai-agents-codex.md @@ -92,6 +92,25 @@ process(action="kill", session_id="") | `exec "prompt"` | One-shot execution, exits when done | | `--full-auto` | Sandboxed but auto-approves file changes in workspace | | `--yolo` | No sandbox, no approvals (fastest, most dangerous) | +| `--sandbox danger-full-access` | No Codex sandbox; useful when the host service context breaks bubblewrap | + +## Hermes Gateway Caveat + +When invoking the Codex CLI from a Hermes gateway/service context (for example, +Telegram-driven agent sessions), Codex `workspace-write` sandboxing may fail even +when the same command works in the user's interactive shell. A typical symptom is +bubblewrap/user-namespace errors such as `setting up uid map: Permission denied` +or `loopback: Failed RTM_NEWADDR: Operation not permitted`. + +In that context, prefer: + +``` +codex exec --sandbox danger-full-access "" +``` + +Use process boundaries as the safety layer instead: explicit `workdir`, clean git +status before launch, narrow task prompts, `git diff` review, targeted tests, and +human/agent confirmation before committing broad changes. ## PR Reviews