Bowline for coding agents

Bowline for OpenAI Codex CLI

Bowline puts your real ~/Code on every host the Codex CLI runs on: source, AGENTS.md, and .env already present. No re-clone, no copied secrets; edits sync back.

Running OpenAI Codex CLI across machines

A new host needs ~/.codex/auth.json (or OPENAI_API_KEY), the repo, and your .env before codex will run. A fresh box means signing in again, another clone, and copied secrets. The sandbox's writes stay on that machine.

Vendor
OpenAI
Type
CLI
Runs on
macOS, Linux, and Windows (native or WSL2). Rust binary.
Headless
Yes. It runs non-interactively in CI or over SSH.
Auth
Sign in with ChatGPT (Plus, Pro, or Team) or set OPENAI_API_KEY. Codex writes the credentials to ~/.codex/auth.json.
Env
Reads OPENAI_API_KEY from the environment and runs commands in a sandbox (read-only, workspace-write, or full-access) using Apple Seatbelt on macOS and Landlock with seccomp on Linux. It does not load a project .env for you.

What bowline does for OpenAI Codex CLI

bowline puts the project, its opaque Git state, AGENTS.md, and .env on every trusted host, so codex (or codex exec in CI) runs against the same tree and instructions without a re-clone or copied secrets. You point Codex at your ChatGPT login or OPENAI_API_KEY once per host. That is the one trust step. The sandbox writes to the workspace under ~/Code and those edits sync back to every machine; gate risky runs behind `bowline review` and `bowline accept`.

How OpenAI Codex CLI is configured

The files OpenAI Codex CLI reads. Every one of these that lives in the project travels with ~/Code, so OpenAI Codex CLI sees the same configuration on every machine.

  • ~/.codex/config.tomlmodel, provider, approval, and sandbox settings
  • ~/.codex/auth.jsonstored credentials (ChatGPT tokens or API key)
  • AGENTS.mdrepo-root instructions Codex reads
  • ~/.codex/AGENTS.mdglobal instructions
  • ~/.codex/Codex home (sessions, logs)

Set it up

Install bowline, trust the machine or host, then run OpenAI Codex CLI against ~/Code with source, config, and .env already present.

Terminal
curl -fsSL https://install.bowline.sh | sh   # on your laptop, once
bowline login
bowline connect build-box                     # bootstrap the host over SSH; ~/Code lands there
ssh build-box 'cd ~/Code/your-project && codex'

Questions

Does Bowline handle codex login for me?
No. bowline brings the repo, AGENTS.md, and .env to the host; you still authenticate Codex with ChatGPT or OPENAI_API_KEY (stored in ~/.codex/auth.json) once per host. It removes the re-clone and the copied secrets around it.
Can I run codex exec in CI or on a remote host?
Yes. codex exec '...' runs non-interactively. With bowline the host already holds the project and .env, so it runs against your real tree, and its sandbox writes sync back to your machines.
Do Codex's sandboxed edits reach my laptop?
Codex writes to the workspace under ~/Code, and bowline syncs that to every trusted device. For risky runs, start the agent under a lease and use bowline review and bowline accept before changes land.
ready when you are

Your ~/Code, on every machine and every agent.

Install bowline and your projects follow you. It just works.

Get started
curl -fsSL https://install.bowline.sh | sh

macOS app · Linux CLI. Then run bowline login.