Launch the shell through the Codex CLI sandbox.
Ideal when you have the Codex CLI installed and want the additional syscall and
filesystem restrictions provided by Anthropic's Seatbelt (macOS) or Landlock/seccomp
(Linux) profiles. Commands still run on the host, but within the sandbox requested by
the CLI. If the Codex binary is unavailable or the runtime lacks the required
kernel features (e.g., Landlock inside some containers), process startup fails with a
RuntimeError.
Configure sandbox behavior via config_overrides to align with your Codex CLI
profile. This policy does not add its own resource limits; combine it with
host-level guards (cgroups, container resource limits) as needed.
CodexSandboxExecutionPolicy(
self,
command_timeout: float = 30.0,
startup_timeout: float = 30.0,
termination_timeout: float = 10.0,
max_output_lines: int = 100,
max_output_bytes: int | None = None,
binary: str = 'codex',
platform: typing.Literal['auto', 'macos', 'linux'] = 'auto',
config_overrides: Mapping[str, typing.Any] = dict()
)