Add Codex example for non-interactive runs #656

Open
megaconfidence wants to merge 6 commits into cloudflare:main from megaconfidence:main

@megaconfidence megaconfidence commented Apr 29, 2026

Mirror the claude-code example so users have a comparable starting point for running OpenAI's coding agent in a Cloudflare Sandbox. The worker accepts a repo URL and task description, clones the repo into a sandbox, runs codex exec in non-interactive mode, and returns the agent's logs alongside the resulting git diff.

Two auth routes match the claude-code structure: POST / uses CODEX_API_KEY for pay-per-token API access, while POST /sub seeds ~/.codex/auth.json from a secret produced by codex login on a trusted machine for ChatGPT subscription auth. Both follow the patterns laid out in OpenAI's non-interactive and CI/CD auth guides.



changeset-bot Bot commented Apr 29, 2026

⚠️ No Changeset found

Latest commit: 6661e33

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@ghostwriternr ghostwriternr added the ok-to-test Maintainer-approved: run full CI on fork PR label Apr 29, 2026
@whoiskatrin (Collaborator)

/bonk review this PR

devin-ai-integration[bot]

This comment was marked as resolved.

ask-bonk[bot]

This comment was marked as resolved.

@ask-bonk
Contributor

ask-bonk Bot commented Apr 29, 2026

Review submitted successfully. Here's a summary of my feedback:

Requested changes on PR #656:

  1. Shell injection (security): name (from user-supplied repo URL) and task are interpolated unsafely into shell commands. Suggested using the SDK's cwd option on exec() and single-quote escaping for the prompt to eliminate both injection vectors.

  2. Missing 404 status codes — The "not found" responses on lines 65 and 80 return HTTP 200 instead of 404.

  3. Overly broad error handling — The bare catch on line 58 swallows all errors as 400 invalid body, including sandbox failures and network errors. Suggested narrowing to SyntaxError or re-throwing.

  4. Minor: duplicate type. CmdOutput redeclares what the SDK already exports as ExecResult.

  5. Informational: instance_type: basic may be intentional for heavier codex workloads (vs lite in codex-app-server), but the reasoning should be documented.

github run
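
The injection finding in the review above, as an added example that is not code from this PR or from the Sandbox SDK: the flagged command shape next to a hardened form that passes the directory through a `cwd` option and single-quotes the task. The function names, the `/workspace` prefix, the way the directory name is derived from the URL, and the `{ command, options }` return shape are assumptions made for illustration.

```javascript
// Added example, hypothetical names. Pattern the review flagged: both values
// are pasted into one shell string, so their metacharacters are parsed by sh.
function unsafeCommand(name, task) {
  return `cd ${name} && codex exec "${task}"`;
}

// POSIX single-quote escaping: nothing is special inside '...', and a literal
// quote is written by closing the quote, adding \', and reopening.
function shQuote(value) {
  if (value.includes("\0")) throw new Error("NUL byte in shell argument");
  return "'" + value.replace(/'/g, "'\\''") + "'";
}

// Derive the checkout directory from the repo URL (assumed derivation) and
// allowlist its characters, so it is a safe path component for cwd.
function repoDirName(repoUrl) {
  const segments = new URL(repoUrl).pathname.split("/").filter(Boolean);
  const name = decodeURIComponent(segments.pop() || "").replace(/\.git$/, "");
  if (!/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/.test(name)) {
    throw new Error("unsupported repository name");
  }
  return name;
}

// Hardened form: the directory travels out of band as the cwd option and the
// task is one quoted word. The result stands in for exec(command, options).
function safeExec(repoUrl, task) {
  const cwd = `/workspace/${repoDirName(repoUrl)}`; // prefix is an assumption
  return { command: `codex exec ${shQuote(task)}`, options: { cwd } };
}

// Checker: read one shell word made of '...' segments and \x escapes and
// return the literal a POSIX shell would pass on; bare characters are rejected.
function literalOf(word) {
  let out = "";
  for (let i = 0; i < word.length; i++) {
    if (word[i] === "'") {
      const end = word.indexOf("'", i + 1);
      if (end < 0) throw new Error("unterminated quote");
      out += word.slice(i + 1, end);
      i = end;
    } else if (word[i] === "\\" && i + 1 < word.length) {
      out += word[++i];
    } else {
      throw new Error(`unquoted character at ${i}`);
    }
  }
  return out;
}
```

`literalOf` is deliberately stricter than a real shell: it only accepts what `shQuote` can emit, which makes it usable as a unit-test oracle for the quoting.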

Co-authored-by: ask-bonk[bot] <249159057+ask-bonk[bot]@users.noreply.github.com>
@sandy-bonk sandy-bonk Bot removed the ok-to-test Maintainer-approved: run full CI on fork PR label Apr 29, 2026
@sandy-bonk
Contributor

sandy-bonk Bot commented Apr 29, 2026

New commits pushed -- ok-to-test label removed. A maintainer must re-review and re-apply the label to run the full CI pipeline.

megaconfidence and others added 3 commits April 29, 2026 11:13
Co-authored-by: ask-bonk[bot] <249159057+ask-bonk[bot]@users.noreply.github.com>
Co-authored-by: ask-bonk[bot] <249159057+ask-bonk[bot]@users.noreply.github.com>
Co-authored-by: ask-bonk[bot] <249159057+ask-bonk[bot]@users.noreply.github.com>
@whoiskatrin whoiskatrin added the ok-to-test Maintainer-approved: run full CI on fork PR label Apr 29, 2026
@sandy-bonk sandy-bonk Bot removed the ok-to-test Maintainer-approved: run full CI on fork PR label Apr 29, 2026
@sandy-bonk
Contributor

sandy-bonk Bot commented Apr 29, 2026

New commits pushed -- ok-to-test label removed. A maintainer must re-review and re-apply the label to run the full CI pipeline.

devin-ai-integration[bot]

This comment was marked as resolved.

@whoiskatrin whoiskatrin added the ok-to-test Maintainer-approved: run full CI on fork PR label Apr 29, 2026
Co-authored-by: devin-ai-integration[bot] <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@sandy-bonk sandy-bonk Bot removed the ok-to-test Maintainer-approved: run full CI on fork PR label Apr 29, 2026
@sandy-bonk
Contributor

sandy-bonk Bot commented Apr 29, 2026

New commits pushed -- ok-to-test label removed. A maintainer must re-review and re-apply the label to run the full CI pipeline.

@whoiskatrin whoiskatrin added the ok-to-test Maintainer-approved: run full CI on fork PR label Apr 29, 2026
@whoiskatrin (Collaborator)

/bonk what's the difference between this and our existing codex example?

@ask-bonk
Contributor

ask-bonk Bot commented Apr 29, 2026

Here's the breakdown of how this new examples/codex/ compares to the existing examples:

vs examples/claude-code/ (the direct mirror)

This PR is essentially a 1:1 port of the claude-code example with Codex-specific adaptations. The structure, flow, and even line-for-line patterns are nearly identical:

| Aspect | claude-code | codex (this PR) |
| --- | --- | --- |
| Agent CLI | claude | codex exec |
| Auth route / | ANTHROPIC_API_KEY env var | CODEX_API_KEY env var (mapped from OPENAI_API_KEY) |
| Auth route /sub | CLAUDE_CODE_OAUTH_TOKEN env var | Seeds ~/.codex/auth.json file from CODEX_AUTH_JSON secret |
| System prompt | --append-system-prompt flag | Prepended to task string (codex has no append flag) |
| Dockerfile | npm install -g @anthropic-ai/claude-code | npm install -g @openai/codex |
| Instance type | basic | basic |

The meaningful differences are:

  1. Auth mechanism for /sub: claude-code passes a token as an env var; codex writes a JSON file to ~/.codex/auth.json (lines 43-45), since that's how codex CI/CD auth works per OpenAI's docs.
  2. System prompt injection: claude-code uses --append-system-prompt CLI flag; codex prepends the system instructions to the user task string since codex CLI doesn't have an equivalent flag.
  3. Bug fixes over claude-code: The PR author already addressed the previous review feedback — using cwd option instead of cd ${name} && shell interpolation, narrowing the catch to SyntaxError, adding { status: 404 } to not-found responses. These are improvements the claude-code example itself still doesn't have.

vs examples/codex-app-server/ (the other codex example)

Completely different use case:

| Aspect | codex-app-server | codex (this PR) |
| --- | --- | --- |
| Mode | Interactive (WebSocket app-server) | Non-interactive (codex exec, one-shot) |
| Architecture | Full WebSocket bridge with JSON-RPC pipeline, middleware, egress control | Simple HTTP POST handler |
| API key handling | Injected via egress proxy (key never enters container) | Set directly as env var inside the container |
| Instance type | lite | basic |
| Complexity | ~323 lines + separate rpc.ts | ~83 lines, single file |
| Internet access | enableInternet = false, explicit egress allowlist | Default (internet enabled) |

The codex-app-server is a production-grade interactive setup with security controls (egress policies, model enforcement, auto-approval). This new codex example is a minimal "fire and forget" non-interactive pattern — the codex equivalent of the claude-code example.

In short: this PR gives users a simple starting point for running Codex non-interactively, directly mirroring the claude-code example. The codex-app-server is the more sophisticated interactive counterpart.

github run

@aron-cf aron-cf self-assigned this Apr 29, 2026
Contributor

@aron-cf aron-cf left a comment

Hi @megaconfidence thanks so much for contributing this example. As it's just a copy of the claude-code example I'm okay with the issues that the Bonk bot raised (but if you'd like to fix them in both places that'd be very welcome).

Have you tried running this code? I'm running into various sandbox errors which means that the example doesn't yet work.

Firstly it's attempting to use bubblewrap to isolate changes that it's making on the host.

warning: Codex could not find bubblewrap on PATH. Install bubblewrap with your OS package manager. See the sandbox prerequisites: https://developers.openai.com/codex/concepts/sandboxing#prerequisites. Codex will use the vendored bubblewrap in the meantime.

Secondly it doesn't then have the relevant permissions to use bubblewrap. So all shell commands are failing.

/bin/bash -lc 'pwd && rg --files' in /workspace/hashline
 exited 1 in 2ms:
bwrap: No permissions to create a new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.

Thirdly if the tool is used outside of a git directory it will error.

Not inside a trusted directory and --skip-git-repo-check was not specified.

For this example to be useful, it needs to work with shell commands. Perhaps disabling bubblewrap is an option because we're in an isolated sandbox.

The other limitations should be documented in the README.
