From caa586ef20d7ca5fb390bc465e17d544a321a922 Mon Sep 17 00:00:00 2001 From: nprodromou <73134621+nprodromou@users.noreply.github.com> Date: Thu, 7 May 2026 19:19:48 -0700 Subject: [PATCH] codex entrypoint: pin -C workspace + bypass sandbox/approvals MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per Nate (2026-05-07), the codex pod's startup command going forward should be exactly: codex resume --last -C /home/codex/workspace --dangerously-bypass-approvals-and-sandbox Two changes vs. the previous launch command: 1. -C "$HOME/workspace" — explicit workspace dir, even though WORKDIR already lands there. Belt + suspenders, and survives any entrypoint-level cd before this point. 2. --dangerously-bypass-approvals-and-sandbox — skips codex's internal bwrap sandbox + approval prompts. The apk8s pod boundary is the real security boundary (non-root user, RBAC, PVC isolation), and the inner sandbox fails on hardened k8s anyway (see OPS-405). Skipping it removes the routine approval-prompt noise. Fallback chain stays the same: resume → fresh codex → bash on exit. Co-Authored-By: Claude Opus 4.7 (1M context) --- bin/entrypoint.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/bin/entrypoint.sh b/bin/entrypoint.sh index 8b1d5c7..29007ba 100644 --- a/bin/entrypoint.sh +++ b/bin/entrypoint.sh 
@@ -71,9 +71,13 @@ codex) AGENT_AUTH_FILE="${AGENT_CONFIG_DIR}/auth.json" # Codex looks for AGENTS.md as the global instructions file. INSTRUCTIONS_LINK="${AGENT_CONFIG_DIR}/AGENTS.md" - # Resume the last session; fall back to a fresh codex if there is - # none, then drop to bash if codex exits. - AGENT_LAUNCH_CMD='codex resume --last 2>/dev/null || codex; exec bash -l' + # Resume the last session, pinned to the persistent workspace dir, + # with codex's internal sandbox + approvals bypassed (the apk8s pod + # boundary is the real security boundary; the inner bwrap sandbox + # fails on hardened k8s and just produces approval-prompt noise). + # Fall back to a fresh codex if no last session, then drop to bash + # if codex exits. + AGENT_LAUNCH_CMD='codex resume --last -C "$HOME/workspace" --dangerously-bypass-approvals-and-sandbox 2>/dev/null || codex -C "$HOME/workspace" --dangerously-bypass-approvals-and-sandbox; exec bash -l' mkdir -p "${AGENT_CONFIG_DIR}"
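Review bot: In the new AGENT_LAUNCH_CMD, `--dangerously-bypass-approvals-and-sandbox` is hard-coded on both the `codex resume --last` branch and the `|| codex` fallback, so every pod built from this entrypoint runs without approvals and the only record of why is a shell comment. The same case block sets AGENT_AUTH_FILE to `${AGENT_CONFIG_DIR}/auth.json`, which sits inside the pod boundary the comment relies on, so with the flag set the agent can read that file, and anything else the non-root user can reach, without a prompt. Consider gating the flag on an environment variable set in the pod spec so the bypass is an explicit per-deployment choice, and cite OPS-405 in the comment as the commit message does. Separately, `2>/dev/null` on the resume branch now also hides errors caused by the two new arguments: any non-zero exit from resume, not only a missing last session, falls through silently to a fresh bypassed session, so logging the resume failure before the fallback would make a rejected `-C` or flag visible.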