feat: update AGENTS.md path to ~/.codex directory and enhance README with default configuration details

DevelopmentCats · DevelopmentCats · commit 50e5fdbb8331 · 2025-08-20T16:44:13.000Z
diff --git a/registry/coder-labs/modules/codex/README.md b/registry/coder-labs/modules/codex/README.md
@@ -84,12 +84,32 @@ module "codex" {
 ## How it Works
 
 - **Install**: The module installs Codex CLI and sets up the environment
-- **System Prompt**: If `codex_system_prompt` and `folder` are set, creates the directory (if needed) and writes the prompt to `AGENTS.md`
+- **System Prompt**: If `codex_system_prompt` is set, writes the prompt to `AGENTS.md` in the `~/.codex/` directory
 - **Start**: Launches Codex CLI in the specified directory, wrapped by AgentAPI
 - **Configuration**: Sets `OPENAI_API_KEY` environment variable and passes `--model` flag to Codex CLI (if variables provided)
 
 ## Configuration
 
+### **Default Configuration**
+
+When no custom `base_config_toml` is provided, the module uses these secure defaults:
+
+```toml
+sandbox_mode = "workspace-write"
+approval_policy = "never"
+preferred_auth_method = "apikey"
+
+[sandbox_workspace_write]
+network_access = true
+writable_roots = ["$/path/to/your/folder$", "$HOME/.codex"]
+```
+
+The default configuration allows writing to only two specific directories:
+- Your specified `folder` (working directory)
+- `$HOME/.codex` (for configuration files like AGENTS.md)
+
+This provides secure sandbox boundaries while preventing access to other sensitive directories.
+
 ### **Custom Configuration (Optional)**
 
 For custom Codex configuration, use `base_config_toml` and/or `additional_mcp_servers`:
diff --git a/registry/coder-labs/modules/codex/main.test.ts b/registry/coder-labs/modules/codex/main.test.ts
@@ -292,7 +292,7 @@ describe("codex", async () => {
       },
     });
     await execModuleScript(id);
-    const resp = await readFileContainer(id, "/home/coder/AGENTS.md");
+    const resp = await readFileContainer(id, "/home/coder/.codex/AGENTS.md");
     expect(resp).toContain(prompt);
   });
 
@@ -305,7 +305,7 @@ describe("codex", async () => {
     `.trim();
     const pre_install_script = dedent`
         #!/bin/bash
-        echo -e "${prompt_3}" >> /home/coder/AGENTS.md
+        echo -e "${prompt_3}" >> /home/coder/.codex/AGENTS.md
         `.trim();
 
     const { id } = await setup({
@@ -315,7 +315,7 @@ describe("codex", async () => {
       },
     });
     await execModuleScript(id);
-    const resp = await readFileContainer(id, "/home/coder/AGENTS.md");
+    const resp = await readFileContainer(id, "/home/coder/.codex/AGENTS.md");
     expect(resp).toContain(prompt_1);
     expect(resp).toContain(prompt_2);
 
@@ -327,7 +327,7 @@ describe("codex", async () => {
       },
     });
     await execModuleScript(id_2);
-    const resp_2 = await readFileContainer(id_2, "/home/coder/AGENTS.md");
+    const resp_2 = await readFileContainer(id_2, "/home/coder/.codex/AGENTS.md");
     expect(resp_2).toContain(prompt_1);
     const count = (resp_2.match(new RegExp(prompt_1, "g")) || []).length;
     expect(count).toBe(1);
@@ -355,7 +355,7 @@ describe("codex", async () => {
     const prompt = await execContainer(id, [
       "ls",
       "-l",
-      "/home/coder/AGENTS.md",
+      "/home/coder/.codex/AGENTS.md",
     ]);
     expect(prompt.exitCode).not.toBe(0);
     expect(prompt.stderr).toContain("No such file or directory");
