Skip to main content
Codex is OpenAI’s CLI coding agent. It reads repositories, writes files, runs commands, and stores local session state. Running it under nono keeps that access confined to the project and state paths you intentionally grant.

Why Sandbox Codex?

Codex is designed to inspect code, execute tools, and persist local state. Without isolation:
  • It could read files outside the repository you meant to expose
  • A prompt injection or tool mistake could modify unrelated files on the same machine
  • Long-lived local state could become a path for broader access than the current task needs
nono makes those boundaries kernel-enforced instead of advisory.

Quick Start

nono run --profile codex -- codex
The built-in profile provides:
  • Read+write access to the current working directory
  • Read+write access to ~/.codex (config, auth state, sessions, caches, and local metadata)
  • Read access to common user-local runtime paths for Rust, Node.js, Python, and Nix toolchains
  • Network access enabled
  • Interactive mode enabled for the terminal UI

Custom Profile

Create ~/.config/nono/profiles/codex.json if you want different permissions: 
{
  "meta": {
    "name": "codex",
    "version": "1.0.0",
    "description": "Codex with additional project access"
  },
  "filesystem": {
    "allow": ["$WORKDIR", "$HOME/.codex"],
    "read": ["$HOME/shared-libs"]
  },
  "network": {
    "block": false
  }
}
Custom profiles with the same name override the built-in profile. Remove or rename the file to revert to the built-in version.

Security Tips

Restrict to a Specific Project

The built-in profile grants access to the directory you run Codex from. To pin access to a specific repository: 
nono run --profile codex --workdir ~/projects/my-app -- codex

Read-Only Workspace

If you want Codex to keep its local state but not modify the repository: 
nono run --read . --allow ~/.codex -- codex review

Block Network for Local-Only Work

If you want to inspect local code without allowing outbound access: 
nono run --profile codex --net-block -- codex

Use Network Filtering

If you want Codex limited to the built-in host allowlist for coding workflows: 
nono run --profile codex --network-profile codex -- codex

Additional Home-Directory Tools

The built-in profile covers common Rust, Node.js, Python, and Nix runtime locations under ~/, but some developer tools still install into other home-directory paths such as ~/go/bin or ~/.bun/bin. If a tool exists on your PATH but Codex cannot launch it inside the sandbox, grant read access to the specific path entry: 
nono run --profile codex \
  --read ~/.bun/bin \
  --read ~/go/bin \
  -- codex
See Network Filtering and Security Profiles for details on host allowlists, profile format, and precedence rules.