Skip to content

docs: clarify Codex args and AGENTS.md configuration #350

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
chihkang wants to merge 2 commits into
base: main
Choose a base branch
from
+51 −0
Open

docs: clarify Codex args and AGENTS.md configuration #350

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6446f01
docs: clarify Codex sandbox, approval, network, and AGENTS.md configu…
chihkang Apr 13, 2026
c1470ac
docs: trim Codex guide to installation essentials
chihkang Apr 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 51 additions & 0 deletions docs/codex.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,17 +24,68 @@ helm install openab openab/openab \

> Set `agents.kiro.enabled=false` to disable the default Kiro agent.

## Recommended Helm configuration

For real deployments, it is often useful to configure Codex runtime behavior explicitly instead of relying on the default `args = []`.

```yaml
agents:
codex:
image: ghcr.io/openabdev/openab-codex:latest
command: codex-acp
workingDir: /home/node
args:
- -c
- approval_policy="never"
- -c
- sandbox_mode="workspace-write"
- -c
- sandbox_workspace_write.network_access=true
agentsMd: |
Always reply in Traditional Chinese.
Always provide a clear completion message when a task finishes.
```

- `agents.codex.args` is passed through to Codex and becomes the `args` array in the generated `config.toml`.
- `agents.codex.agentsMd` is mounted into the container as `AGENTS.md`, which is the supported way to persist project- or agent-specific instructions across pod restarts.

If your agent needs to run networked shell commands such as `gh issue view`, `git fetch`, or API calls, make sure the selected Codex sandbox/approval settings actually allow that in your runtime.

The safest working configuration depends on your container runtime. `workspace-write` is usually a good starting point, but you should verify that your environment supports it correctly before assuming Codex itself is misconfigured.

For the underlying Codex settings, see the official documentation:

- [Codex config.toml reference](https://developers.openai.com/codex/config-reference#configtoml)
- [Codex sandbox and approvals](https://developers.openai.com/codex/agent-approvals-security#sandbox-and-approvals)

## Manual config.toml

A minimal configuration looks like this:

```toml
[agent]
command = "codex-acp"
args = []
working_dir = "/home/node"
```

A more explicit configuration for networked shell usage looks like this:

```toml
[agent]
command = "codex-acp"
args = [
"-c", "approval_policy=\"never\"",
"-c", "sandbox_mode=\"workspace-write\"",
"-c", "sandbox_workspace_write.network_access=true",
]
working_dir = "/home/node"
```

## Authentication

Authenticate Codex itself with:

```bash
kubectl exec -it deployment/openab-codex -- codex login --device-auth
```
Loading