Autonomous Codex
Use the project launcher to run Codex with the azi4a2-autonomous permission
profile:
./codex-auto
Start a fresh session with this command. Running plain codex, opening Codex
through an editor integration, or continuing an already-running session does
not automatically activate this profile.
For a non-interactive task:
./codex-auto exec "Continue the Astro migration, verify the build and audits, and document unresolved issues."
The launcher automatically permits non-interactive runs in this mounted workspace even when Codex cannot discover its Git metadata.
The profile:
- never pauses for approval
- automatically permits configured Playwright and OpenAI documentation MCP tools
- limits filesystem access to minimal runtime files plus this project
- allows writes in this project
- keeps .codex and www.azinstitute4autism.com read-only
- permits read-only Git inspection
- enables live web search and outbound network retrievals
Outbound network access is domain-unrestricted because package installation and retrieval sources vary. The sandbox cannot distinguish a retrieval from another outbound request, so do not place secrets in project files or task prompts.
The profile is stored outside the workspace at:
~/.codex/azi4a2-autonomous.config.toml
Do not add --sandbox; legacy sandbox flags override the custom permission
profile. Do not use --dangerously-bypass-approvals-and-sandbox.
The launcher also applies these session overrides:
approval_policy="never"
mcp_servers.playwright.default_tools_approval_mode="approve"
mcp_servers.playwright.tool_timeout_sec=300
mcp_servers.openaiDeveloperDocs.default_tools_approval_mode="approve"
mcp_servers.openaiDeveloperDocs.tool_timeout_sec=300
The server-level approve settings pre-approve MCP tools, so they run without
approval prompts, without writing incompatible per-tool approval tables into
the profile. The timeout settings give long-running browser operations up to
five minutes. An MCP server may still fail or time out. MCP elicitations that
inherently require user input are rejected rather than shown as unattended
prompts.
Do not persist an individual MCP tool approval when prompted by an older or misconfigured session. Codex CLI 0.133.0 may write a per-tool table that the profile-v2 parser rejects on the next launch.
Verification
The nested setup smoke test confirmed that the project is readable and
~/.codex/auth.json is not readable. In the current host session, sandboxed
shell retrievals resolved domains but were reset by the beta network proxy.
After launching ./codex-auto directly, verify shell retrievals with:
curl -fsS https://registry.npmjs.org/astro >/dev/null
Live web search is separate from shell network access and remains enabled.
In the current environment, the beta network proxy permits retrievals but sandboxed command-line tools may fail HTTPS certificate verification. Do not disable certificate verification for package installation or sensitive retrievals; use live web search or review the retrieval from the host instead.
Git limitation
Codex always protects .git recursively in its workspace-write sandbox.
Agents can inspect Git state and diffs, but cannot stage or commit. This cannot
be overridden by a permissions profile.
For autonomous commits, use an outer container or VM as the security boundary, mount only this project into it, and run Codex with full access inside that isolated environment. Otherwise, review and commit agent changes from the host.
Writes that appear to succeed directly under /home/alice are made to the
sandbox's temporary in-memory root. They do not modify the host home directory.
Check the startup banner before assigning work. It should report:
approval: never
sandbox: workspace-write ... (network access enabled)
Then check the MCP configuration:
/mcp verbose
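The two manual checks above (no legacy sandbox flags on the command line, and the expected startup banner) can be scripted. The following is an added example, not part of the project's launcher; the function names and the sample banner text are constructed for illustration, and the banner is assumed to have been captured to text first.

```shell
#!/bin/sh
# Added example: preflight guards for the ./codex-auto workflow.
# reject_unsafe_flags and banner_ok are hypothetical helper names.

# Return 1 if any argument is a flag this README says not to pass.
reject_unsafe_flags() {
    for arg in "$@"; do
        case "$arg" in
            --sandbox|--sandbox=*)
                echo "refusing $arg: legacy sandbox flags override the permission profile" >&2
                return 1 ;;
            --dangerously-bypass-approvals-and-sandbox)
                echo "refusing $arg: removes approvals and the sandbox" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Read a captured startup banner on stdin. Succeed only if it reports
# "approval: never" and a workspace-write sandbox with network access enabled.
banner_ok() {
    banner=$(cat)
    printf '%s\n' "$banner" \
        | grep -Eq '^[[:space:]]*approval:[[:space:]]*never[[:space:]]*$' || {
        echo "banner: approval is not 'never'" >&2; return 1; }
    printf '%s\n' "$banner" \
        | grep -E '^[[:space:]]*sandbox:[[:space:]]*workspace-write' \
        | grep -Fq '(network access enabled)' || {
        echo "banner: sandbox is not workspace-write with network access" >&2; return 1; }
    return 0
}

# Constructed sample banners (not real Codex output).
GOOD_BANNER='approval: never
sandbox: workspace-write [constructed-detail] (network access enabled)'
BAD_BANNER='approval: on-request
sandbox: read-only'
```

Call reject_unsafe_flags "$@" before handing arguments to the launcher, and pipe the captured banner into banner_ok before assigning work.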