35C4n0r c4661ae365
refactor(registry/coder-labs/modules/codex)!: remove agentapi, tasks and start logic (#879)
Closes #878

## What

Major refactor of the `coder-labs/codex` module to mirror the
`coder/claude-code` v5 changes from #861.

## Changes

### Structural
- Replace `module "agentapi"` with `module "coder_utils"`
(`registry.coder.com/coder/coder-utils/coder v0.0.1`)
- Replace `scripts/install.sh` with `scripts/install.sh.tftpl`
(Terraform templatefile)
- Delete `scripts/start.sh`
- Module dir changed from `.codex-module` to
`.coder-modules/coder-labs/codex`
- Output changed from `task_app_id` to `scripts` (ordered list of coder
exp sync names)
- Extracted shared test helpers (`collectScripts`, `runScripts`) into
`agentapi/coder-utils-test-helpers.ts`

### Removed variables
All AgentAPI pass-throughs, boundary, and start-script-only variables:
`order`, `group`, `report_tasks`, `subdomain`, `cli_app`,
`web_app_display_name`, `cli_app_display_name`, `install_agentapi`,
`agentapi_version`, `ai_prompt`, `continue`, `enable_state_persistence`,
`codex_system_prompt`, `enable_boundary`, `boundary_config_path`,
`boundary_version`, `compile_boundary_from_source`,
`use_boundary_directly`, `codex_model`

### Retained
`install_codex` (toggle for skipping npm install when CLI is
pre-installed)

### Renamed
- `enable_aibridge` -> `enable_ai_gateway`

### Changed
- `workdir`: now optional (`default = null`)
- `openai_api_key`: conditional env var with `count`, marked `sensitive
= true`
- `base_config_toml`: heredoc description documenting generated
defaults; notes that `model_reasoning_effort` and workdir trust are only
applied in default config
- Default `config.toml`: stripped `sandbox_mode`, `approval_policy`,
`sandbox_workspace_write`, `notice.model_migrations`
- Install script: removed Node.js/NVM bootstrap (assumes npm
pre-installed), sources NVM if present, fails with actionable error if
npm missing
- `ARG_CODEX_VERSION` and `ARG_WORKDIR` base64-encoded to prevent
shell/TOML injection
- Duplicate `[model_providers.aibridge]` guarded with grep before
appending
- Debug header uses user-facing variable names

### Tests
- Terraform: 11 pass
- Bun: 15 pass (rewritten to shared `collectScripts`/`runScripts`
pattern)
- Added: `model-reasoning-effort-standalone`,
`ai-gateway-with-custom-base-config`,
`ai-gateway-custom-config-no-duplicate-provider`,
`install-codex-latest`, `workdir-trusted-project`,
`no-workdir-no-project-section`
- Negative assertions on `minimal-default-config`

### Docs
- Migration guide (v4 to v5) in README
- Quoted path in coder_app example
- AI Gateway note about custom `base_config_toml` requiring manual
`model_provider`

> [!WARNING]
> Breaking change. Drops support for Coder Tasks and Boundary. Keep
using v4.x.x if you depend on them.

---
*This PR was authored by Coder Agents.*

---------

Co-authored-by: Jay Kumar <jay.kumar@coder.com>
Co-authored-by: DevCats <christofer@coder.com>
2026-05-05 10:10:34 -05:00
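The commit message above lists `ARG_CODEX_VERSION` and `ARG_WORKDIR` as base64-encoded to prevent shell injection. The sketch below is an added example, not the module's `install.sh.tftpl`: it shows why a value interpolated raw into script text can run as code, while the same value carried as base64 and decoded at run time stays data. The function names and the sample value are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Function names and the sample value are constructed.

# Constructed workdir value that closes the quote and appends a command.
HOSTILE_WORKDIR='/home/coder/project"; echo INJECTED; : "'

# Raw interpolation: the value becomes part of the script source, which is
# what a template placeholder inside double quotes produces.
render_raw() {
  printf 'ARG_WORKDIR="%s"\nprintf "%%s" "$ARG_WORKDIR"\n' "$1"
}

# Base64 transport: only [A-Za-z0-9+/=] reaches the script source, so the
# value cannot end the quoting. It is decoded at run time as data.
render_b64() {
  local enc
  enc=$(printf '%s' "$1" | base64 | tr -d '\n')
  printf 'ARG_WORKDIR=$(printf "%%s" "%s" | base64 -d)\n' "$enc"
  printf 'printf "%%s" "$ARG_WORKDIR"\n'
}

# Execute a rendered script in a child shell and return its stdout.
run_rendered() {
  bash -c "$1"
}

# Raw: prints INJECTED on its own line, then the truncated path.
echo "raw:    $(run_rendered "$(render_raw "$HOSTILE_WORKDIR")")"
# Base64: prints the hostile value back unchanged, nothing executed.
echo "base64: $(run_rendered "$(render_b64 "$HOSTILE_WORKDIR")")"
```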


display_name: Codex CLI
icon: ../../../../.icons/openai.svg
description: Install and configure the Codex CLI in your workspace.
verified: true
tags: agent, codex, ai, openai, ai-gateway

Codex CLI

Install and configure the Codex CLI in your workspace.

module "codex" {
  source         = "registry.coder.com/coder-labs/codex/coder"
  version        = "5.0.0"
  agent_id       = coder_agent.main.id
  openai_api_key = var.openai_api_key
}

Warning

If upgrading from v4.x.x of this module: v5 is a major refactor that drops support for Coder Tasks and Boundary. Keep using v4.x.x if you depend on them. v5 also assumes npm is pre-installed; it no longer bootstraps Node.js. See the PR description for a full migration guide.

Examples

Standalone mode with a launcher app

locals {
  codex_workdir = "/home/coder/project"
}

module "codex" {
  source         = "registry.coder.com/coder-labs/codex/coder"
  version        = "5.0.0"
  agent_id       = coder_agent.main.id
  workdir        = local.codex_workdir
  openai_api_key = var.openai_api_key
}

resource "coder_app" "codex" {
  agent_id     = coder_agent.main.id
  slug         = "codex"
  display_name = "Codex"
  icon         = "/icon/openai.svg"
  open_in      = "slim-window"
  command      = <<-EOT
    #!/bin/bash
    set -e
    cd "${local.codex_workdir}"
    codex
  EOT
}

Note

The coder_app command re-executes on every pane reconnect. This works for interactive codex (which stays alive), but one-shot commands like codex exec will re-run each time. For one-shot prompts, use a coder_script (runs once at startup) and a coder_app that attaches to the existing session (e.g. via tmux/screen).

Usage with AI Gateway

AI Gateway is a Premium Coder feature that provides centralized LLM proxy management. Requires Coder >= 2.30.0.

module "codex" {
  source            = "registry.coder.com/coder-labs/codex/coder"
  version           = "5.0.0"
  agent_id          = coder_agent.main.id
  workdir           = "/home/coder/project"
  enable_ai_gateway = true
}

When enable_ai_gateway = true, the module configures Codex to use the aigateway model provider in config.toml with the workspace owner's session token for authentication.

Caution

enable_ai_gateway = true is mutually exclusive with openai_api_key. Setting both fails at plan time.

Note

If you provide a custom base_config_toml, the module writes it verbatim and does not inject model_provider = "aigateway" automatically. Add it to your config yourself:

model_provider = "aigateway"

Advanced Configuration

module "codex" {
  source         = "registry.coder.com/coder-labs/codex/coder"
  version        = "5.0.0"
  agent_id       = coder_agent.main.id
  workdir        = "/home/coder/project"
  openai_api_key = var.openai_api_key

  codex_version = "0.128.0"

  base_config_toml = <<-EOT
    sandbox_mode = "danger-full-access"
    approval_policy = "never"
    preferred_auth_method = "apikey"
  EOT

  additional_mcp_servers = <<-EOT
    [mcp_servers.GitHub]
    command = "npx"
    args = ["-y", "@modelcontextprotocol/server-github"]
    type = "stdio"
  EOT
}
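The `base_config_toml` above combines `sandbox_mode = "danger-full-access"` with `approval_policy = "never"`, which leaves Codex running commands with no sandbox and no approval prompt. The audit helper below is an added example, not part of the module: it reads the top-level keys of a rendered config file and fails when both settings are present. The function names are hypothetical, the sample config is constructed from the block above, and keys set inside tables are not inspected.

```bash
#!/usr/bin/env bash
# Added example: audit helper, not part of the codex module.

# Print the last top-level value of KEY in TOML FILE (keys before the first
# [table] header). Assumes simple `key = "value"` lines, as on this page.
toml_top_level() {
  awk -v key="$1" '
    /^[ \t]*\[/ { exit }                 # first table header ends top level
    /^[ \t]*#/  { next }                 # comment line
    {
      eq = index($0, "=")
      if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      sub(/[ \t]*#.*$/, "", v)           # trailing comment
      gsub(/^[ \t]*"|"[ \t]*$/, "", v)   # surrounding quotes
      if (k == key) val = v
    }
    END { print val }
  ' "$2"
}

# Exit status 1 when the config removes both the sandbox and the approval prompt.
audit_codex_config() {
  local sandbox approval
  sandbox=$(toml_top_level sandbox_mode "$1")
  approval=$(toml_top_level approval_policy "$1")
  if [ "$sandbox" = "danger-full-access" ] && [ "$approval" = "never" ]; then
    echo "FAIL: sandbox_mode=$sandbox with approval_policy=$approval"
    return 1
  fi
  if [ "$sandbox" = "danger-full-access" ] || [ "$approval" = "never" ]; then
    echo "WARN: sandbox_mode=${sandbox:-unset} approval_policy=${approval:-unset}"
    return 0
  fi
  echo "OK: sandbox_mode=${sandbox:-unset} approval_policy=${approval:-unset}"
}

# Constructed sample: the base_config_toml from the example above.
sample=$(mktemp)
cat > "$sample" <<'EOT'
sandbox_mode = "danger-full-access"
approval_policy = "never"
preferred_auth_method = "apikey"
EOT
audit_codex_config "$sample" || true
rm -f "$sample"
```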

Serialize a downstream coder_script after the install pipeline

The module exposes the scripts output: an ordered list of coder exp sync names for the scripts this module creates (pre_install, install, post_install). Scripts that were not configured are absent.

module "codex" {
  source         = "registry.coder.com/coder-labs/codex/coder"
  version        = "5.0.0"
  agent_id       = coder_agent.main.id
  openai_api_key = var.openai_api_key
}

resource "coder_script" "post_codex" {
  agent_id     = coder_agent.main.id
  display_name = "Run after Codex install"
  run_on_start = true
  script       = <<-EOT
    #!/bin/bash
    set -euo pipefail
    trap 'coder exp sync complete post-codex' EXIT
    coder exp sync want post-codex ${join(" ", module.codex.scripts)}
    coder exp sync start post-codex

    codex --version
  EOT
}

Configuration

When no custom base_config_toml is provided, the module uses a minimal default with preferred_auth_method = "apikey". For advanced options, see Codex config docs.

Troubleshooting

Check the log files in ~/.coder-modules/coder-labs/codex/logs/ for detailed information.

cat ~/.coder-modules/coder-labs/codex/logs/install.log
cat ~/.coder-modules/coder-labs/codex/logs/pre_install.log
cat ~/.coder-modules/coder-labs/codex/logs/post_install.log

References