From 6f7996ae938361b0ed8dacf3b3c116530222e43e Mon Sep 17 00:00:00 2001 From: AI Agent Bot Date: Tue, 3 Mar 2026 02:09:59 -0600 Subject: [PATCH 1/2] security: disable OpenAI Codex from pipeline and tooling OpenAI has entered partnerships with governments and defense organizations that enable mass surveillance of civilian populations and autonomous weapons kill-chain decision-making. This poses unacceptable security and ethical risks for anyone whose data transits OpenAI infrastructure. - PR validation: codex-review job set to `if: false` - docker-compose: mcp-codex moved to unreachable profile - .mcp.json: codex server disabled (no-op command) - .env.example: codex config commented out - README/AGENTS/CONTRIBUTING: all references updated, security policy blockquote added recommending Anthropic (Claude) models Co-Authored-By: Claude Opus 4.6 --- .env.example | 9 +++++---- .github/workflows/pr-validation.yml | 16 +++++++++------- .mcp.json | 20 ++++---------------- AGENTS.md | 12 ++++++------ CONTRIBUTING.md | 2 +- README.md | 16 +++++++++++----- docker-compose.yml | 6 ++++-- 7 files changed, 40 insertions(+), 41 deletions(-) diff --git a/.env.example b/.env.example index 1100c31..82f380a 100644 --- a/.env.example +++ b/.env.example @@ -9,10 +9,11 @@ GITHUB_REPOSITORY=AndrewAltimit/rust-psp GITHUB_PROJECTS_TOKEN=your_api_key_here GITHUB_TOKEN=your_api_key_here -# Codex Configuration -# WARNING: Only set to true if running in a controlled sandboxed VM environment -# Defaults to false for security - only bypass sandbox if you understand the risks -CODEX_BYPASS_SANDBOX=false +# Codex Configuration -- DISABLED +# OpenAI Codex has been removed from this project due to OpenAI's partnerships +# enabling mass surveillance and autonomous weapons decision-making. See README.md. +# These variables are retained for reference only. Do not enable. +# CODEX_BYPASS_SANDBOX=false # Optional: ElevenLabs Configuration ELEVENLABS_API_KEY=your_api_key_here diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml index 58205e0..a49c323 100644 --- a/.github/workflows/pr-validation.yml +++ b/.github/workflows/pr-validation.yml @@ -220,14 +220,16 @@ jobs: retention-days: 7 if-no-files-found: ignore - # ── Codex AI Code Review (secondary) ─────────────────────────── + # ── Codex AI Code Review (DISABLED) ──────────────────────────── + # DISABLED: OpenAI Codex has been removed from this pipeline due to + # OpenAI's partnerships with governments that enable mass surveillance + # and autonomous weapons decision-making. These partnerships pose + # unacceptable security and ethical risks. See README.md for details. + # The job skeleton is retained so dependent jobs don't break. codex-review: - name: Codex AI Code Review + name: Codex AI Code Review (disabled) needs: [fork-guard, gemini-review] - if: >- - github.event_name == 'pull_request' && - !github.event.pull_request.draft && - needs.gemini-review.result != 'skipped' + if: false # Permanently disabled -- do not re-enable runs-on: self-hosted timeout-minutes: 15 continue-on-error: true @@ -485,7 +487,7 @@ jobs: echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY echo "| CI | ${{ needs.ci.result }} |" >> $GITHUB_STEP_SUMMARY echo "| Gemini Review | ${{ needs.gemini-review.result }} |" >> $GITHUB_STEP_SUMMARY - echo "| Codex Review | ${{ needs.codex-review.result }} |" >> $GITHUB_STEP_SUMMARY + echo "| Codex Review | disabled (security policy) |" >> $GITHUB_STEP_SUMMARY echo "| Review Response | ${{ needs.agent-review-response.result }} |" >> $GITHUB_STEP_SUMMARY echo "| Failure Handler | ${{ needs.agent-failure-handler.result }} |" >> $GITHUB_STEP_SUMMARY diff --git a/.mcp.json b/.mcp.json index 8e1e38e..10f651c 100644 --- a/.mcp.json +++ b/.mcp.json @@ -89,22 +89,10 @@ "stdio" ] }, - "codex": { - "command": "docker", - "args": [ - "compose", - "-f", - "./docker-compose.yml", - "--profile", - "services", - "run", - "--rm", - "-T", - "mcp-codex", - "mcp-codex", - "--mode", - "stdio" - ] + "codex-DISABLED": { + "_reason": "OpenAI Codex disabled due to mass surveillance and autonomous weapons partnerships. See README.md.", + "command": "echo", + "args": ["DISABLED: OpenAI Codex removed from this project (security policy)"] }, "github-board": { "command": "docker", diff --git a/AGENTS.md b/AGENTS.md index c6423a0..83c54b4 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -128,7 +128,7 @@ Enables privileged PSP APIs: kernel memory partitions, interrupt handlers, PRX m |----------|---------|---------| | `ci.yml` | Push to main | fmt, clippy, test, build, cargo-deny, PSP emulator test | | `main-ci.yml` | Push to main + `v*` tags | Full CI plus release binary creation | -| `pr-validation.yml` | Pull requests | Full CI + Gemini/Codex AI reviews + agent auto-fix | +| `pr-validation.yml` | Pull requests | Full CI + Gemini AI review + agent auto-fix (Codex disabled) | CI runs in Docker containers (`docker/rust-ci.Dockerfile` based on `rust:1.93-slim`). PSP tests run in PPSSPPHeadless emulator container. @@ -150,8 +150,8 @@ When an agent opens or pushes to a PR targeting `main`: 1. **Fork guard** blocks fork PRs from using self-hosted runners 2. **CI** runs all 6 stages above 3. **Gemini AI review** posts code review comments (via `github-agents pr-review`) -4. **Codex AI review** posts secondary code review (via `github-agents pr-review --agent codex`) -5. **Agent review response** reads Gemini/Codex feedback and auto-applies fixes (via `automation-cli review respond`, max 5 iterations) +4. ~~**Codex AI review**~~ -- **DISABLED** (OpenAI removed due to mass surveillance / autonomous weapons concerns) +5. **Agent review response** reads Gemini feedback and auto-applies fixes (via `automation-cli review respond`, max 5 iterations) 6. **Agent failure handler** auto-fixes CI failures if CI failed (via `automation-cli review failure`, max 5 iterations) 7. **PR status summary** aggregates all results @@ -180,7 +180,7 @@ The self-hosted runner provides these binaries from [template-repo](https://gith | Binary | Used By | Purpose | |--------|---------|---------| -| `github-agents` | `pr-validation.yml` | PR reviews (Gemini/Codex), iteration tracking | +| `github-agents` | `pr-validation.yml` | PR reviews (Gemini), iteration tracking | | `automation-cli` | `pr-validation.yml` | Agent review response, failure handler | ## Local Agent Tooling @@ -193,7 +193,7 @@ Scripts in `tools/cli/agents/` launch each agent: |--------|-------|-------| | `run_claude.sh` | Claude Code | Requires NVM + Node.js 22.16.0 | | `run_gemini.sh` | Gemini CLI | Requires `@google/gemini-cli` | -| `run_codex.sh` | Codex CLI | Requires `@openai/codex` + `codex login` | +| `run_codex.sh` | Codex CLI | **DISABLED** -- OpenAI removed (security policy) | | `run_opencode.sh` | OpenCode | Requires OpenRouter API key | | `run_crush.sh` | Crush | Requires OpenRouter API key | @@ -208,7 +208,7 @@ Container-based MCP services available via `docker compose --profile services`: | `mcp-gemini` | Gemini AI consultation | | `mcp-opencode` | OpenCode AI (Qwen model via OpenRouter) | | `mcp-crush` | Crush AI (via OpenRouter) | -| `mcp-codex` | Codex AI consultation | +| `mcp-codex` | ~~Codex AI consultation~~ **DISABLED** (security policy) | | `mcp-github-board` | GitHub Projects board management | | `mcp-agentcore-memory` | Agent memory (ChromaDB backend) | | `mcp-reaction-search` | Reaction image search | diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d2f37d7..b892c47 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,6 +1,6 @@ # Contributing -This repository does not accept external contributions. All code changes are authored by AI agents (Claude, Gemini, Codex, OpenCode, Crush) operating under human direction. +This repository does not accept external contributions. All code changes are authored by AI agents (Claude, Gemini, OpenCode, Crush) operating under human direction. OpenAI Codex has been removed from this project's tooling due to OpenAI's partnerships enabling mass surveillance and autonomous weapons decision-making (see README.md). ## No External Contributions diff --git a/README.md b/README.md index d5fe98b..e64113b 100644 --- a/README.md +++ b/README.md @@ -529,7 +529,7 @@ All CI runs on a self-hosted GitHub Actions runner shared with [template-repo](h | Workflow | Trigger | Purpose | |----------|---------|---------| | `ci.yml` | push to main | Basic CI: fmt, clippy, test, build, cargo-deny, PSP emulator test | -| `pr-validation.yml` | pull request | Full PR pipeline: CI + Gemini/Codex AI reviews + agent auto-fix | +| `pr-validation.yml` | pull request | Full PR pipeline: CI + Gemini AI review + agent auto-fix | | `main-ci.yml` | push to main, `v*` tags | CI on main, build release binaries and create GitHub Release on tags | ### CI Stages @@ -545,7 +545,13 @@ All stages run inside the `rust-ci` Docker container (`docker compose --profile ### PR Review Pipeline -PRs receive automated AI code reviews from Gemini and Codex, followed by an agent that can automatically apply fixes from review feedback (with a 5-iteration safety limit per agent type). If CI stages fail, a separate failure-handler agent attempts automated fixes. +PRs receive automated AI code reviews from Gemini, followed by an agent that can automatically apply fixes from review feedback (with a 5-iteration safety limit per agent type). If CI stages fail, a separate failure-handler agent attempts automated fixes. + +> **OpenAI / Codex Disabled (Security Policy)** +> +> OpenAI Codex has been permanently disabled from this project's CI pipeline and tooling. OpenAI has entered into partnerships with governments and defense organizations that enable **mass surveillance** of civilian populations and **autonomous weapons kill-chain decision-making**. The mass surveillance capability alone -- where nation-state actors can process, correlate, and act on population-scale data -- represents an unacceptable security risk for anyone whose code, queries, or development patterns transit OpenAI infrastructure. +> +> **We strongly encourage the use of Anthropic (Claude) models** for AI-assisted development. If you choose to use OpenAI/GPT products, do so with extreme caution and a clear understanding of who has access to data processed by those systems. This is not a technical quality judgment -- it is a security and ethics decision. ### Runner Dependencies from template-repo @@ -553,7 +559,7 @@ The self-hosted runner provides the following binaries built from [template-repo | Binary | Source | Used By | Purpose | |--------|--------|---------|---------| -| `github-agents` | `tools/rust/github-agents-cli` | `pr-validation.yml` | PR reviews (Gemini/Codex), iteration tracking | +| `github-agents` | `tools/rust/github-agents-cli` | `pr-validation.yml` | PR reviews (Gemini), iteration tracking | | `automation-cli` | `tools/rust/automation-cli` | `pr-validation.yml` | Agent review response, failure handler | These binaries are also available from [template-repo releases](https://github.com/AndrewAltimit/template-repo/releases). @@ -602,7 +608,7 @@ The repo includes two locally-built Docker images for CI and nine pre-built MCP | `template-repo-mcp-gemini` | `docker/mcp-gemini.Dockerfile` | template-repo | | `template-repo-mcp-opencode` | `docker/mcp-opencode.Dockerfile` | template-repo | | `template-repo-mcp-crush` | `docker/mcp-crush.Dockerfile` | template-repo | -| `template-repo-mcp-codex` | `docker/codex.Dockerfile` | template-repo | +| `template-repo-mcp-codex` | `docker/codex.Dockerfile` | template-repo (DISABLED -- see security policy above) | | `template-repo-mcp-github-board` | `docker/mcp-github-board.Dockerfile` | template-repo | | `template-repo-mcp-agentcore-memory` | `docker/mcp-agentcore-memory.Dockerfile` | template-repo | | `template-repo-mcp-reaction-search` | `mcp_reaction_search/Dockerfile` | template-repo | @@ -614,7 +620,7 @@ cd /path/to/template-repo docker compose --profile services build ``` -The images will then be available locally for this repo's `docker compose --profile services` commands. CI workflows and PSP development work without the MCP images -- they are only needed for interactive AI agent sessions (Claude Code, Codex, etc.). +The images will then be available locally for this repo's `docker compose --profile services` commands. CI workflows and PSP development work without the MCP images -- they are only needed for interactive AI agent sessions (Claude Code, Gemini, etc.). Note: the Codex MCP image is disabled per security policy. ## Pre-built Binaries diff --git a/docker-compose.yml b/docker-compose.yml index 24a02b9..449e22d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -106,6 +106,8 @@ services: profiles: - services + # DISABLED: OpenAI Codex removed due to mass surveillance and autonomous weapons + # partnerships. See README.md for details. Moved to unreachable profile. mcp-codex: image: template-repo-mcp-codex:latest user: "${USER_ID:-1000}:${GROUP_ID:-1000}" @@ -115,10 +117,10 @@ services: environment: - MODE=mcp - PORT=8021 - - CODEX_ENABLED=${CODEX_ENABLED:-true} + - CODEX_ENABLED=false - CODEX_AUTH_PATH=/home/user/.codex/auth.json profiles: - - services + - disabled-codex # was: services -- disabled per security policy mcp-github-board: image: template-repo-mcp-github-board:latest From c15939e1e21b79f2d2f55f9351ed14aabffc9695 Mon Sep 17 00:00:00 2001 From: AI Review Agent Date: Tue, 3 Mar 2026 02:15:28 -0600 Subject: [PATCH 2/2] chore: remove remaining Codex references and scripts Remove stale Codex references missed in initial security disable: - Delete tools/cli/agents/run_codex.sh (contradicts security policy) - Delete tools/cli/containers/run_codex_container.sh (broken, references removed codex-agent service) - Remove CODEX_REVIEW_PATH env var from agent-review-response job - Update CLAUDE.md CI description to say "Gemini" not "Gemini/Codex" - Update pr-validation.yml comment to say "Gemini feedback" - Remove run_codex.sh entry from AGENTS.md agent table Co-Authored-By: Claude Opus 4.6 --- .github/workflows/pr-validation.yml | 3 +- AGENTS.md | 1 - CLAUDE.md | 2 +- tools/cli/agents/run_codex.sh | 215 -------------------- tools/cli/containers/run_codex_container.sh | 84 -------- 5 files changed, 2 insertions(+), 303 deletions(-) delete mode 100755 tools/cli/agents/run_codex.sh delete mode 100755 tools/cli/containers/run_codex_container.sh diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml index a49c323..599e0c2 100644 --- a/.github/workflows/pr-validation.yml +++ b/.github/workflows/pr-validation.yml @@ -304,7 +304,7 @@ jobs: retention-days: 7 if-no-files-found: ignore - # ── Agent Review Response (responds to Gemini/Codex feedback) ── + # ── Agent Review Response (responds to Gemini feedback) ── agent-review-response: name: Agent Review Response needs: [ci, gemini-review, codex-review] @@ -376,7 +376,6 @@ jobs: if: steps.iteration.outputs.should_skip != 'true' env: GEMINI_REVIEW_PATH: gemini-review.md - CODEX_REVIEW_PATH: codex-review.md BRANCH_NAME: ${{ github.head_ref }} ITERATION_COUNT: ${{ steps.iteration.outputs.iteration_count }} run: | diff --git a/AGENTS.md b/AGENTS.md index 83c54b4..42491f4 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -193,7 +193,6 @@ Scripts in `tools/cli/agents/` launch each agent: |--------|-------|-------| | `run_claude.sh` | Claude Code | Requires NVM + Node.js 22.16.0 | | `run_gemini.sh` | Gemini CLI | Requires `@google/gemini-cli` | -| `run_codex.sh` | Codex CLI | **DISABLED** -- OpenAI removed (security policy) | | `run_opencode.sh` | OpenCode | Requires OpenRouter API key | | `run_crush.sh` | Crush | Requires OpenRouter API key | diff --git a/CLAUDE.md b/CLAUDE.md index c355ed7..b283c34 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -120,7 +120,7 @@ Enables privileged PSP APIs: kernel memory partitions, interrupt handlers, PRX m Two GitHub Actions workflows: - **`main-ci.yml`**: Push to main + version tags — full CI (fmt, clippy, test, build, deny, emulator test) plus release binary creation and GitHub Release on tags/manual trigger -- **`pr-validation.yml`**: PRs — full CI plus AI code reviews (Gemini/Codex), agent auto-fix (max 5 iterations) +- **`pr-validation.yml`**: PRs — full CI plus AI code reviews (Gemini), agent auto-fix (max 5 iterations) CI runs in Docker containers (`docker/rust-ci.Dockerfile` based on `rust:1.93-slim`). PSP tests run in PPSSPPHeadless emulator container. diff --git a/tools/cli/agents/run_codex.sh b/tools/cli/agents/run_codex.sh deleted file mode 100755 index a2f1417..0000000 --- a/tools/cli/agents/run_codex.sh +++ /dev/null @@ -1,215 +0,0 @@ -#!/bin/bash -# run_codex.sh - Start Codex CLI for AI-powered code generation - -set -e - -echo "🚀 Starting Codex CLI" - -# Check if codex CLI is available -if ! command -v codex &> /dev/null; then - echo "❌ codex CLI not found. Installing..." - echo "" - echo "Please install Codex with:" - echo " npm install -g @openai/codex" - echo "" - echo "Or in the container version which has it pre-installed:" - echo " ./tools/cli/containers/run_codex_container.sh" - exit 1 -fi - -# Check for auth file -AUTH_FILE="$HOME/.codex/auth.json" -if [ ! -f "$AUTH_FILE" ]; then - echo "❌ Codex authentication not found at $AUTH_FILE" - echo "" - echo "Please authenticate with Codex first:" - echo " codex login" - echo "" - echo "Or run the container version with mounted auth:" - echo " ./tools/cli/containers/run_codex_container.sh" - exit 1 -fi - -echo "✅ Codex CLI found and authenticated" - -# Note: Security validation is handled by gh-validator binary at ~/.local/bin/gh -# via PATH shadowing. No explicit hook initialization needed. - -# Parse command line arguments -MODE="interactive" -QUERY="" -CONTEXT="" -USE_EXEC=false -BYPASS_SANDBOX=false -AUTO_MODE=false - -while [[ $# -gt 0 ]]; do - case $1 in - -q|--query) - QUERY="$2" - MODE="exec" - USE_EXEC=true - shift 2 - ;; - -c|--context) - CONTEXT="$2" - shift 2 - ;; - --auto) - AUTO_MODE=true - shift - ;; - --bypass-sandbox) - BYPASS_SANDBOX=true - shift - ;; - -h|--help) - echo "Usage: $0 [options]" - echo "" - echo "Options:" - echo " -q, --query Execute non-interactively with specified prompt" - echo " -c, --context Add context from file" - echo " --auto Auto-approve mode (uses --full-auto for safer execution)" - echo " --bypass-sandbox Use --dangerously-bypass-approvals-and-sandbox (DANGEROUS!)" - echo " -h, --help Show this help message" - echo "" - echo "Interactive Mode (default):" - echo " Start an interactive session with Codex" - echo "" - echo "Non-Interactive Execution Mode:" - echo " $0 -q 'Write a Python function to calculate fibonacci'" - echo " $0 -q 'Refactor this code' -c existing_code.py" - echo "" - echo "Safe Auto Mode (workspace-write sandbox):" - echo " $0 -q 'Build a web server' --auto" - echo "" - echo "Dangerous Mode (no sandbox - USE WITH CAUTION!):" - echo " $0 -q 'System task' --bypass-sandbox" - echo "" - echo "Note: Codex requires authentication via 'codex login' first." - exit 0 - ;; - *) - echo "Unknown option: $1" - echo "Use -h or --help for usage information" - exit 1 - ;; - esac -done - -# Execute based on mode -if [ "$USE_EXEC" = true ] && [ -n "$QUERY" ]; then - echo "📝 Running non-interactive execution..." - - # Build the prompt with context if provided - FULL_PROMPT="$QUERY" - if [ -n "$CONTEXT" ] && [ -f "$CONTEXT" ]; then - echo "📄 Including context from: $CONTEXT" - CONTEXT_CONTENT=$(cat "$CONTEXT") - FULL_PROMPT="Context from $CONTEXT: -\`\`\` -$CONTEXT_CONTENT -\`\`\` - -Task: $QUERY" - fi - - # Determine execution mode - if [ "$BYPASS_SANDBOX" = true ]; then - # Ask for confirmation unless explicitly bypassed - if [ "$AUTO_MODE" != true ]; then - echo "" - echo "⚠️ WARNING: --dangerously-bypass-approvals-and-sandbox mode" - echo "This will execute commands WITHOUT ANY SANDBOXING or approval!" - echo "Only use this in already-sandboxed environments." - echo "" - read -r -p "Are you ABSOLUTELY SURE you want to continue? (yes/no): " confirm - if [ "$confirm" != "yes" ]; then - echo "❌ Aborted for safety." - exit 1 - fi - fi - - echo "⚡ Executing with --dangerously-bypass-approvals-and-sandbox..." - echo "" - echo "$FULL_PROMPT" | codex exec --dangerously-bypass-approvals-and-sandbox - - - elif [ "$AUTO_MODE" = true ]; then - echo "🔐 Executing with --full-auto (sandboxed workspace-write)..." - echo "" - echo "$FULL_PROMPT" | codex exec --full-auto - - - else - # Default: interactive approval mode with workspace-write sandbox - echo "🔒 Executing with workspace-write sandbox (approval required)..." - echo "" - echo "$FULL_PROMPT" | codex exec --sandbox workspace-write - - fi - -elif [ "$MODE" = "interactive" ]; then - # Only show note if no arguments provided - if [ $# -eq 0 ]; then - echo "🤖 Codex Configuration" - echo "" - echo "ℹ️ Note: Codex is an AI-powered code generation tool by OpenAI." - echo "It can help with code completion, generation, and refactoring." - echo "" - - # Ask about sandbox preference for interactive mode - echo "Choose sandbox mode for this session:" - echo "1) Standard (with approvals and sandbox)" - echo "2) Auto mode (--full-auto: workspace-write sandbox, no approvals)" - echo "3) Dangerous (--dangerously-bypass-approvals-and-sandbox)" - echo "" - read -r -p "Enter choice (1-3) [default: 1]: " choice - - case "$choice" in - 2) - echo "🔐 Starting with --full-auto mode..." - codex --full-auto - ;; - 3) - echo "" - echo "⚠️ WARNING: This disables ALL safety features!" - read -r -p "Are you sure? (yes/no): " confirm - if [ "$confirm" = "yes" ]; then - echo "⚡ Starting with --dangerously-bypass-approvals-and-sandbox..." - codex --dangerously-bypass-approvals-and-sandbox - else - echo "✅ Starting standard interactive mode..." - codex - fi - ;; - *) - echo "✅ Starting standard interactive mode..." - codex - ;; - esac - else - # Arguments were provided but no query - apply flags to interactive mode - echo "🔄 Starting interactive session with provided flags..." - echo "💡 Tips:" - echo " - Use 'help' to see available commands" - echo " - Use 'exit' or Ctrl+C to quit" - echo "" - - # Build command with any flags that were provided - CODEX_CMD="codex" - if [ "$AUTO_MODE" = true ]; then - echo " - Running with --full-auto mode" - CODEX_CMD="$CODEX_CMD --full-auto" - fi - if [ "$BYPASS_SANDBOX" = true ]; then - echo " - ⚠️ Running with --dangerously-bypass-approvals-and-sandbox" - CODEX_CMD="$CODEX_CMD --dangerously-bypass-approvals-and-sandbox" - fi - echo "" - - # Execute with the built command - $CODEX_CMD - fi -else - echo "❌ Error: Query is required for exec mode" - echo "Use -h or --help for usage information" - exit 1 -fi diff --git a/tools/cli/containers/run_codex_container.sh b/tools/cli/containers/run_codex_container.sh deleted file mode 100755 index 9e1276e..0000000 --- a/tools/cli/containers/run_codex_container.sh +++ /dev/null @@ -1,84 +0,0 @@ -#!/bin/bash -# run_codex_container.sh - Run Codex CLI in Docker container - -set -e - -echo "🐳 Starting Codex CLI in Container" - -# Check if required Docker images exist, build if not -check_and_build_images() { - local images_missing=false - - # Check for codex-agent image - if ! docker images | grep -q "template-repo-codex-agent"; then - echo "📦 Codex agent image not found, building..." - images_missing=true - fi - - # Build missing images - if [ "$images_missing" = true ]; then - echo "🔨 Building required Docker images..." - echo "This may take a few minutes on first run..." - - # Build the codex-agent image - echo "Building Codex agent image..." - docker compose build codex-agent - - echo "✅ Docker images built successfully!" - echo "" - fi -} - -# Build images if needed -check_and_build_images - -# Check for auth file on host -AUTH_DIR="$HOME/.codex" -AUTH_FILE="$AUTH_DIR/auth.json" - -if [ ! -f "$AUTH_FILE" ]; then - echo "⚠️ Codex authentication not found at $AUTH_FILE" - echo "" - echo "Please authenticate with Codex on your host machine first:" - echo " codex auth" - echo "" - echo "This will create the auth.json file that the container needs." - exit 1 -fi - -echo "✅ Found Codex auth file: $AUTH_FILE" -echo " This will be mounted into the container" - -# Check for help flag specifically -if [[ "$1" == "-h" ]] || [[ "$1" == "--help" ]]; then - echo "Usage: $0 [codex-options]" - echo "" - echo "Description:" - echo " Start a Codex session in a container" - echo " Automatically mounts your ~/.codex auth directory" - echo " All arguments are passed directly to the codex command" - echo "" - echo "Examples:" - echo " $0 # Interactive mode" - echo " $0 --full-auto # Auto-approve with sandbox" - echo " $0 exec -q 'Write code' # Execute a query" - echo "" - echo "Note: Requires Codex authentication on host machine first (codex auth)" - exit 0 -fi - -# Start session (interactive or with arguments) -if [ $# -eq 0 ]; then - echo "🔄 Starting interactive session in container..." - echo "💡 Tips:" - echo " - Use 'help' to see available commands" - echo " - Use 'exit' or Ctrl+C to quit" - echo "" -else - echo "🔄 Running Codex in container with arguments: $*" - echo "" -fi - -# Start session in container, forwarding all arguments -# The volume mount and HOME are configured in docker-compose.yml -docker compose run --rm -it codex-agent codex "$@"