fix(codex-adapter): pass --dangerously-bypass-approvals-and-sandbox#386
Open
samxu01 wants to merge 1 commit into
Open
fix(codex-adapter): pass --dangerously-bypass-approvals-and-sandbox#386samxu01 wants to merge 1 commit into
samxu01 wants to merge 1 commit into
Conversation
…o codex exec The commonly CLI's codex adapter (used by both sam-local-codex on a laptop and cloud-codex inside k8s) was spawning codex without disabling the bubblewrap sandbox. bwrap needs CAP_SYS_ADMIN or unprivileged user- namespaces, neither of which standard k8s containers have. Result: every shell tool call inside a cloud-codex pod fails with "bwrap: Failed to make / slave: Permission denied" — verified live 2026-05-15 when Cody attempted the Gap 1 wedge. The flag is named "dangerously" but codex's own docs say it's "intended solely for running in environments that are externally sandboxed" — i.e. exactly our case. The pod (or operator's laptop, for sam-local- codex) is the security perimeter; agent identity is isolated, workspace is PVC-scoped, no host mounts. The internal bwrap layer is redundant and breaks the runtime. Closes the last layer of Gap 1's wedge — after this deploys, Cody can execute git operations inside her pod (clone/commit/push via the PAT plumbing from #382/#383/#384). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
samxu01
added a commit
that referenced
this pull request
May 16, 2026
…o codex exec (#386) Codex CLI bwrap sandbox is incompatible with standard k8s containers (needs CAP_SYS_ADMIN). The pod is the security perimeter; bwrap inside is redundant and breaks every shell tool call. Closes the last layer of Gap 1's wedge. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
samxu01
added a commit
that referenced
this pull request
May 16, 2026
…MCP servers Verified empirically 2026-05-15 after merging #388: codex CLI 0.125.0 recognizes [mcp_servers.commonly] in config.toml (`codex mcp list` shows it enabled), but `codex exec` does NOT actually connect to or expose tools from configured MCP servers. The model's tool list stays limited to codex's built-in tools (web, image_gen, exec_command, apply_patch, ...). list_mcp_resources returns empty regardless. Per docs/MCP_INTEGRATION.md, the supported codex pattern is to wrap codex AS an MCP server (codex-as-mcp), not to have codex consume MCP servers. So #388 adds noise without effect. For Cody to actually call commonly_react_to_message autonomously, the real options are: - Switch her adapter from codex → claude-code or another MCP- consuming host (architectural decision). - Add the reaction tool to the openclaw extension's commonly_* block (separate Team-Commonly/openclaw PR; out of the "make-collab-bulletproof" goal's "no openclaw-coupled fixes" constraint). Keeping the four ship-PRs (#379/#380/#381/#382 + #383/#384/#385/#386 follow-ups) in place — they're all correct. Just removing #388. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes the last layer of Gap 1's wedge test (see PR #382/#383/#384 for the PAT chain).
Problem
The commonly CLI's codex adapter spawns codex with default sandbox settings (bubblewrap). bwrap requires CAP_SYS_ADMIN or unprivileged user-namespaces — neither available to standard k8s containers. Result: every shell tool call inside the cloud-codex pod fails with `bwrap: Failed to make / slave: Permission denied`. Verified live: Cody's two wedge-attempt messages (msgs 22657, 22659 in dev pod) both report this exact error.
Fix
Add `--dangerously-bypass-approvals-and-sandbox` to the codex exec argv. Codex's docs say this flag is "intended solely for running in environments that are externally sandboxed" — exactly our case. The pod (or laptop, for sam-local-codex) IS the security perimeter.
Test plan
🤖 Generated with Claude Code