Smoothing Codex CLI’s unit-test loop in containerized workflows (MacOS)

[alanhilligoss]

I’ve been running the OpenAI Codex CLI (recently switched over to native) for several weeks now and the productivity bump is real - changes/fixes big and small are getting done in minutes instead of hours. I also appreciate the built-in safety: diffs before apply, sandboxed commands, no silent network calls.

My main speed-bump so far: after almost every change is wrapped up, Codex immediately runs the unit tests - which is great in theory! For my projects that rely on Docker Compose, that step hangs because the CLI fires the tests outside the container and macOS Seatbelt blocks /var/run/docker.sock. I even added an explicit allow-list entry for the socket in my ~/.codex/config, but the call still fails; Codex eventually times out and moves on, adding delays to each iteration.

I can tell it to skip this in AGENTS.md but figured I'd check here first, because I really like the idea of it being able to run unit tests within a container that it spins up on its own.

Has anyone cracked this? Any workarounds? Or is Docker integration already penciled in for a future release? Still thrilled with the tool - just excited to bring the same smooth test loop it seems like containerized projects enjoy on Linux.

[bolinfest]

@alanhilligoss I'm not completely clear on what the ideal solution for you is. Is it that you want some specific commands to be allowed to run outside the sandbox without using something as blunt as --dangerously-bypass-approvals-and-sandbox?

You mention:

I even added an explicit allow-list entry for the socket in my ~/.codex/config, but the call still fails; Codex eventually times out and moves on, adding delays to each iteration.

What did you add? Note that config.json only applies to the TypeScript CLI (config.toml is the config file for the Rust CLI). I haven't addressed #1260 for the native CLI yet with respect to allowing individual commands to run outside the sandbox.

[alanhilligoss]

@bolinfest Thanks for the response! After looking over #1260, that does seem to cover what I was getting at. Being able to allow a specific set of commands would be a great solution, I’ve subscribed to that issue for updates.

I am using config.toml, but revisiting the docs, I’m not sure my attempt to allow additional directories was actually doing anything 😅 Really appreciate the config.md file, it’s super helpful.

Now back to chipping away at the MCP course I'm taking and, hopefully soon, experimenting with adding some local MCP resources!