diff --git a/Dockerfile b/Dockerfile
index 8e8410a..815e303 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,6 +28,7 @@ RUN set -eux; \
         ca-certificates curl git gnupg jq less vim sudo tini \
         bash-completion locales tmux unzip zip openssh-client \
         build-essential python3 python3-pip \
+        bubblewrap \
         passwd; \
     # Node.js from NodeSource (pinned major version). The previous
     # node:*-bookworm-slim base shipped a phantom uid/gid 1000 user that
diff --git a/bin/entrypoint.sh b/bin/entrypoint.sh
index b3c11d2..2b9d99f 100644
--- a/bin/entrypoint.sh
+++ b/bin/entrypoint.sh
@@ -62,11 +62,14 @@ EOF
 #   -p 7681      : listen port
 #   -t titleFixed: avoids leaking shell pid/host into the title
 #   -T xterm-256color : sane terminal
-#   bash -l      : login shell so .bashrc runs
+#
+# The shell command auto-launches codex on connect so the user lands
+# straight in the agent UI. If codex exits or crashes, we drop to an
+# interactive bash login so the pod isn't bricked.
 exec ttyd \
     --writable \
     --port 7681 \
     --terminal-type xterm-256color \
     --client-option titleFixed='codex-cli' \
     --client-option fontSize=14 \
-    bash -l
+    bash -lc 'codex; exec bash -l'