From d3b670e63e1622560d665ff432193e4f2daf063b Mon Sep 17 00:00:00 2001 From: Teknium <127238744+teknium1@users.noreply.github.com> Date: Sun, 7 Jun 2026 18:36:18 -0700 Subject: [PATCH] docs(codex): document --sandbox danger-full-access for gateway bubblewrap failures (#40619) Salvaged from #40435; re-verified on main, tightened, tested. Co-authored-by: ziwon --- skills/autonomous-ai-agents/codex/SKILL.md | 19 +++++++++++++++++++ .../autonomous-ai-agents-codex.md | 19 +++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/skills/autonomous-ai-agents/codex/SKILL.md b/skills/autonomous-ai-agents/codex/SKILL.md index a796852b754..87b5666fcda 100644 --- a/skills/autonomous-ai-agents/codex/SKILL.md +++ b/skills/autonomous-ai-agents/codex/SKILL.md @@ -74,6 +74,25 @@ process(action="kill", session_id="") | `exec "prompt"` | One-shot execution, exits when done | | `--full-auto` | Sandboxed but auto-approves file changes in workspace | | `--yolo` | No sandbox, no approvals (fastest, most dangerous) | +| `--sandbox danger-full-access` | No Codex sandbox; useful when the host service context breaks bubblewrap | + +## Hermes Gateway Caveat + +When invoking the Codex CLI from a Hermes gateway/service context (for example, +Telegram-driven agent sessions), Codex `workspace-write` sandboxing may fail even +when the same command works in the user's interactive shell. A typical symptom is +bubblewrap/user-namespace errors such as `setting up uid map: Permission denied` +or `loopback: Failed RTM_NEWADDR: Operation not permitted`. + +In that context, prefer: + +``` +codex exec --sandbox danger-full-access "" +``` + +Use process boundaries as the safety layer instead: explicit `workdir`, clean git +status before launch, narrow task prompts, `git diff` review, targeted tests, and +human/agent confirmation before committing broad changes. ## PR Reviews 
diff --git a/website/docs/user-guide/skills/bundled/autonomous-ai-agents/autonomous-ai-agents-codex.md b/website/docs/user-guide/skills/bundled/autonomous-ai-agents/autonomous-ai-agents-codex.md index 3482f2303c1..eb84c50d1e7 100644 --- a/website/docs/user-guide/skills/bundled/autonomous-ai-agents/autonomous-ai-agents-codex.md +++ b/website/docs/user-guide/skills/bundled/autonomous-ai-agents/autonomous-ai-agents-codex.md @@ -92,6 +92,25 @@ process(action="kill", session_id="") | `exec "prompt"` | One-shot execution, exits when done | | `--full-auto` | Sandboxed but auto-approves file changes in workspace | | `--yolo` | No sandbox, no approvals (fastest, most dangerous) | +| `--sandbox danger-full-access` | No Codex sandbox; useful when the host service context breaks bubblewrap | + +## Hermes Gateway Caveat + +When invoking the Codex CLI from a Hermes gateway/service context (for example, +Telegram-driven agent sessions), Codex `workspace-write` sandboxing may fail even +when the same command works in the user's interactive shell. A typical symptom is +bubblewrap/user-namespace errors such as `setting up uid map: Permission denied` +or `loopback: Failed RTM_NEWADDR: Operation not permitted`. + +In that context, prefer: + +``` +codex exec --sandbox danger-full-access "" +``` + +Use process boundaries as the safety layer instead: explicit `workdir`, clean git +status before launch, narrow task prompts, `git diff` review, targeted tests, and +human/agent confirmation before committing broad changes. ## PR Reviews
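Review bot: in the `skills/autonomous-ai-agents/codex/SKILL.md` hunk, the "In that context, prefer:" paragraph makes `--sandbox danger-full-access` the recommended response to the bubblewrap errors without saying what is given up, while the neighbouring `--yolo` row is explicitly labelled "most dangerous". The new table row should carry a comparable risk label and say how it differs from `--yolo`; it says only "No Codex sandbox" and is silent on approvals. The compensating controls in the last paragraph (clean git status, `git diff` review, targeted tests) only surface changes inside the repository at `workdir`. They do not show writes outside the workspace, which is what `workspace-write` was confining. Because the trigger is a gateway session driven remotely (the Telegram example), suggest wording this as a fallback rather than "prefer", and adding a sentence that the service itself should then run inside an outer boundary such as a dedicated low-privilege account, a container or a VM.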
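Review bot: in the `website/docs/.../autonomous-ai-agents-codex.md` hunk, the example command as shown passes an empty string for the prompt (`codex exec --sandbox danger-full-access ""`); if a placeholder was intended there, make it a visible one so readers do not copy an empty prompt. The added fence also has no language tag, so consider tagging it as shell if the rest of the page does. Separately, these 19 added lines are identical to the `SKILL.md` hunk: if this page is not generated from `SKILL.md`, the two copies of a security-relevant caveat can drift, so state in the commit message which file is the source of truth or generate one from the other.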