From ff34cee51e466ebc6a7f3f5e64ee3fc3153191ce Mon Sep 17 00:00:00 2001 From: Dan Date: Sat, 10 Jan 2026 08:09:25 -0800 Subject: [PATCH] Sync AI agent sandbox docs to dev-add.sh AGENTS.md New users will get the Codex sandbox workaround in their home AGENTS.md. Co-Authored-By: Claude Opus 4.5 --- scripts/dev-add.sh | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/scripts/dev-add.sh b/scripts/dev-add.sh index 1ed1953..d7f83e1 100755 --- a/scripts/dev-add.sh +++ b/scripts/dev-add.sh @@ -177,6 +177,23 @@ Heavy processes may be killed automatically. - **Shell**: bash - **Home**: ~/ (private, 700) - **Temp**: /tmp (fast, cleared on reboot) + +## AI Agent Sandbox Conflicts + +Some AI agents (Codex, etc.) sandbox commands with seccomp filters, blocking nix daemon access. + +**Symptom**: `nix store ping` fails with "Operation not permitted" inside the agent but works in your shell. + +**Fix for Codex CLI**: +```bash +# One-off +codex -s danger-full-access + +# Permanent (~/.codex/config.toml) +sandbox_mode = "danger-full-access" +``` + +Server already provides isolation - agent sandbox is redundant here. AGENTS_EOF chown "$username:users" "/home/$username/AGENTS.md"
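Review bot: the permanent `sandbox_mode = "danger-full-access"` recommendation in the new "AI Agent Sandbox Conflicts" section is not justified by its closing line ("Server already provides isolation - agent sandbox is redundant here"): the server's per-user isolation separates users from each other, while the agent's seccomp sandbox limits what the agent itself can do with that user's home directory (700, private), credentials and processes, which is a different boundary. Suggest documenting only the one-off `codex -s danger-full-access` as the workaround for nix daemon access, and either dropping the `~/.codex/config.toml` example or adding a sentence stating that it disables the sandbox for every Codex session on this host, not just for `nix store ping`. Separately, this text is emitted from a heredoc closed by `AGENTS_EOF`, and the added lines are the first in this block to contain backticks (the inline `nix store ping` and the fenced bash block); please confirm the heredoc is opened with a quoted delimiter (`<<'AGENTS_EOF'`), because with an unquoted delimiter bash treats backtick spans as command substitution, would attempt to run that content when dev-add.sh executes for a new user, and would write a mangled AGENTS.md.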