Sync AI agent sandbox docs to dev-add.sh AGENTS.md
New users will get the Codex sandbox workaround in their home AGENTS.md. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
026f82e697
commit
ff34cee51e
@ -177,6 +177,23 @@ Heavy processes may be killed automatically.
|
||||||
- **Shell**: bash
|
- **Shell**: bash
|
||||||
- **Home**: ~/ (private, 700)
|
- **Home**: ~/ (private, 700)
|
||||||
- **Temp**: /tmp (fast, cleared on reboot)
|
- **Temp**: /tmp (fast, cleared on reboot)
|
||||||
|
|
||||||
|
## AI Agent Sandbox Conflicts
|
||||||
|
|
||||||
|
Some AI agents (Codex, etc.) sandbox commands with seccomp filters, blocking nix daemon access.
|
||||||
|
|
||||||
|
**Symptom**: `nix store ping` fails with "Operation not permitted" inside the agent but works in your shell.
|
||||||
|
|
||||||
|
**Fix for Codex CLI**:
|
||||||
|
```bash
|
||||||
|
# One-off
|
||||||
|
codex -s danger-full-access
|
||||||
|
|
||||||
|
# Permanent (~/.codex/config.toml)
|
||||||
|
sandbox_mode = "danger-full-access"
|
||||||
|
```
|
||||||
|
|
||||||
|
Server already provides isolation - agent sandbox is redundant here.
|
||||||
AGENTS_EOF
|
AGENTS_EOF
|
||||||
chown "$username:users" "/home/$username/AGENTS.md"
|
chown "$username:users" "/home/$username/AGENTS.md"
|
||||||
|
|
||||||
|
|
|
||||||
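Review bot: The added text in the heredoc contains backticks (`nix store ping`) and `"`-quoted strings, so the heredoc must be opened with a quoted delimiter (`<<'AGENTS_EOF'`) or the shell will try to run `nix store ping` as a command substitution when dev-add.sh generates the file; the opening line is outside this hunk, so please confirm it. Also, the recommended fix jumps straight to `danger-full-access`, and the justification "Server already provides isolation - agent sandbox is redundant here" only covers isolation between users (private `~/`, 700): the agent's own sandbox is what keeps the agent from acting on the user's home directory and on anything reachable through their credentials, and that protection is lost with this setting. The doc should state that trade-off, and if Codex offers a less permissive mode that still allows the nix daemon socket, list that first and keep `danger-full-access` as the last resort.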