53 lines
1.6 KiB
Markdown
53 lines
1.6 KiB
Markdown
# Autonomous Codex
|
|
|
|
Use the project launcher to run Codex with the `azi4a2-autonomous` permission
|
|
profile:
|
|
|
|
```sh
|
|
./codex-auto
|
|
```
|
|
|
|
For a non-interactive task:
|
|
|
|
```sh
|
|
./codex-auto exec "Continue the Astro migration, verify the build and audits, and document unresolved issues."
|
|
```
|
|
|
|
The launcher automatically permits non-interactive runs in this mounted
|
|
workspace even when Codex cannot discover its Git metadata.
|
|
|
|
The profile:
|
|
|
|
- never pauses for approval
|
|
- limits filesystem access to minimal runtime files plus this project
|
|
- allows writes in this project
|
|
- keeps `.codex` and `www.azinstitute4autism.com` read-only
|
|
- permits normal Git operations, including staging and committing
|
|
- enables live web search and outbound network retrievals
|
|
|
|
Outbound network access is domain-unrestricted because package installation and
|
|
retrieval sources vary. The sandbox cannot distinguish a retrieval from another
|
|
outbound request, so do not place secrets in project files or task prompts.
|
|
|
|
The profile is stored outside the workspace at:
|
|
|
|
```txt
|
|
~/.codex/azi4a2-autonomous.config.toml
|
|
```
|
|
|
|
Do not add `--sandbox`; legacy sandbox flags override the custom permission
|
|
profile. Do not use `--dangerously-bypass-approvals-and-sandbox`.
|
|
|
|
## Verification
|
|
|
|
The nested setup smoke test confirmed that the project is readable and
|
|
`~/.codex/auth.json` is not readable. In the current host session, sandboxed
|
|
shell retrievals resolved domains but were reset by the beta network proxy.
|
|
After launching `./codex-auto` directly, verify shell retrievals with:
|
|
|
|
```sh
|
|
curl -fsS https://registry.npmjs.org/astro >/dev/null
|
|
```
|
|
|
|
Live web search is separate from shell network access and remains enabled.
|