Sync AI agent sandbox docs to dev-add.sh AGENTS.md

New users will get the Codex sandbox workaround in their home AGENTS.md. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-10 08:09:25 -08:00 · 2026-01-10 08:09:25 -08:00 · ff34cee51e
parent 026f82e697
commit ff34cee51e
1 changed files with 17 additions and 0 deletions
--- a/scripts/dev-add.sh
+++ b/scripts/dev-add.sh
@ -177,6 +177,23 @@ Heavy processes may be killed automatically.
 - **Shell**: bash
 - **Home**: ~/  (private, 700)
 - **Temp**: /tmp (fast, cleared on reboot)
+
+## AI Agent Sandbox Conflicts
+
+Some AI agents (Codex, etc.) sandbox commands with seccomp filters, blocking nix daemon access.
+
+**Symptom**: `nix store ping` fails with "Operation not permitted" inside the agent but works in your shell.
+
+**Fix for Codex CLI**:
+```bash
+# One-off
+codex -s danger-full-access
+
+# Permanent (~/.codex/config.toml)
+sandbox_mode = "danger-full-access"
+```
+
+Server already provides isolation - agent sandbox is redundant here.
 AGENTS_EOF
    chown "$username:users" "/home/$username/AGENTS.md"