Run Codex in a network-locked container. All outbound traffic is routed through an enforcing proxy that applies the project's network policy.
See the main README for installation, architecture overview, and configuration options.
After running agentbox init (selecting "codex") and starting the sandbox, authenticate Codex on first run.
Two authentication methods are supported:
API key (simplest): Set the OPENAI_API_KEY environment variable before starting the container, or export it inside the container shell.
Device code OAuth: Run codex login inside the container. This displays a URL and a code to enter in your browser. No localhost callback is needed, so it works from inside the sandbox.
Device code OAuth requires enabling "Enable device code authorization for Codex" in your ChatGPT workspace settings. The login flow will tell you if this is not yet enabled.
Credentials persist in a Docker volume, so you only need to authenticate once per project.
Inside the container:
codex
# or auto-approve mode:
codex --full-auto
The image includes system bubblewrap so Codex's Linux startup check finds /usr/bin/bwrap and does not warn at launch. Codex still defaults to danger-full-access via the baked-in config, with isolation handled by the surrounding container, proxy, and firewall.
Afterward, for CLI mode, stop the container:
agentbox compose down