build/docs: use pipx for Poetry and clarify Codex sandboxing

Author: jamm1985

.env.dist

@@ -16,7 +16,7 @@ CODE_SERVER_EXTENSIONS="ms-python.python ms-pyright.pyright charliermarsh.ruff m
 PYTHON_VERSION=3.14
 PYTHONUNBUFFERED=1
 PIP_DEFAULT_TIMEOUT=300
-POETRY_VERSION=2.3.2
+POETRY_VERSION=2.3.4
 POETRY_OPTIONS_APP="--only main --compile"
 POETRY_OPTIONS_DEV="--no-root --with dev --compile"
 POETRY_NO_INTERACTION=1

Dockerfile

@@ -8,7 +8,7 @@ ARG MIRROR_LIST_COUNTRY=RU
 ARG BUILD_PACKAGES="pyenv git gnupg sudo postgresql-libs mariadb-libs openmp"
 ARG PYTHON_VERSION=3.14
 ARG PIP_DEFAULT_TIMEOUT=300
-ARG POETRY_VERSION=2.3.2
+ARG POETRY_VERSION=2.3.4
 RUN echo "* soft core 0" >> /etc/security/limits.conf && \
     echo "* hard core 0" >> /etc/security/limits.conf && \
     echo "* soft nofile 10000" >> /etc/security/limits.conf
@@ -53,15 +53,19 @@ RUN pyenv install --skip-existing $PYTHON_VERSION && \
 ENV PYTHONUNBUFFERED=1
 ENV PIP_DEFAULT_TIMEOUT=$PIP_DEFAULT_TIMEOUT
 ENV POETRY_NO_INTERACTION=1
-ENV POETRY_HOME=/opt/poetry
 ENV POETRY_CACHE_DIR=/var/cache/pypoetry
 ENV PIP_CACHE_DIR=/var/cache/pip
 ENV VIRTUAL_ENV=/opt/venv
 RUN python -m venv --copies $VIRTUAL_ENV
 ENV PATH=$VIRTUAL_ENV/bin:$PATH
 RUN pip install --upgrade pip
-RUN curl -sSL https://install.python-poetry.org | POETRY_VERSION=$POETRY_VERSION python -
-ENV PATH=$POETRY_HOME/bin:$PATH
+ENV TOOLS_VENV=/opt/tools-venv
+RUN python -m venv --copies $TOOLS_VENV && \
+    $TOOLS_VENV/bin/pip install --no-cache-dir --upgrade pip pipx
+ENV PIPX_HOME=/opt/pipx
+ENV PIPX_BIN_DIR=/usr/local/bin
+RUN $TOOLS_VENV/bin/pipx install --python "$(command -v python)" "poetry==${POETRY_VERSION}" && \
+    poetry --version
 ENV PYTHONPATH=/application/src
 ENV PROJECT_ROOT=/application
 ENV HOME=$DOCKER_USER_HOME

README.md

@@ -209,7 +209,8 @@ Set the `.env` values used by `compose.yaml` and the Docker build. Common ones:
 
 * `TZ` — Container timezone (e.g. `Europe/Berlin`, `Asia/Vladivostok`).
 * `DOCKER_PLATFORM` — Target architecture (e.g. `linux/amd64`, `linux/arm64`).
-* `DOCKER_HOST_UID` / `DOCKER_HOST_GID` — Host user/group IDs for file ownership.
+* `DOCKER_HOST_UID` / `DOCKER_HOST_GID` — Host user/group IDs for file
+  ownership.
 * `DOCKER_USER` / `DOCKER_USER_HOME` — Container user + home directory.
 * `MIRROR_LIST_COUNTRY` — Arch mirror country code for pacman.
 * `BUILD_PACKAGES` — System packages needed to build Python and runtime deps.
@@ -220,11 +221,13 @@ Set the `.env` values used by `compose.yaml` and the Docker build. Common ones:
 * `POETRY_OPTIONS_DEV` — Poetry install flags for the dev image.
 * `PIP_DEFAULT_TIMEOUT` — Pip network timeout (seconds).
 * `JUPYTER_TOKEN` — Token for JupyterLab login.
-* `CODE_SERVER_EXTENSIONS` — Space-separated extension IDs preinstalled in code-server.
+* `CODE_SERVER_EXTENSIONS` — Space-separated extension IDs preinstalled in
+  code-server.
 * `CODE_SERVER_HOST` — Bind address for code-server (usually `0.0.0.0`).
 * `CODE_SERVER_PORT` — Port for code-server.
 * `CODE_SERVER_AUTH` — code-server auth mode (`password` or `none`).
-* `CODE_SERVER_PASSWORD` — Password used by code-server when auth is `password`.
+* `CODE_SERVER_PASSWORD` — Password used by code-server when auth is
+  `password`.
 * `OPENAI_API_KEY` — API key for Codex.
 * `GEMINI_API_KEY` — API key for Gemini.
 
@@ -317,7 +320,8 @@ docker compose run --rm dev ruff format --check
 This template includes a minimal GitHub Actions workflow in
 `.github/workflows/ci.yml` that:
 
-* builds `dev`, `app`, `vim-ide`, `codex`, `gemini`, `jupyterlab`, and `code-server`
+* builds `dev`, `app`, `vim-ide`, `codex`, `gemini`, `jupyterlab`, and
+  `code-server`
 * checks `vim`, `codex`, `gemini`, `jupyter-lab`, and `code-server` binaries
 * runs `ruff check .`
 * runs `ruff format --check .`
@@ -346,6 +350,16 @@ docker compose build codex
 docker compose run --rm codex
 ```
 
+If Codex asks for a less restricted sandbox while already running inside this
+container, rerun it with:
+
+```bash
+docker compose run --rm codex -s danger-full-access
+```
+
+Use this only when you want Codex to execute commands directly inside the
+container instead of using its own internal sandbox.
+
 ```bash
 docker compose build gemini
 docker compose run --rm gemini
@@ -504,6 +518,12 @@ Browser-based auth persists under `${DOCKER_USER_HOME}/.codex` and
 `${DOCKER_USER_HOME}/.gemini` via the `codex-auth` and `gemini-auth` Docker
 volumes.
 
+`codex -s danger-full-access` disables Codex's internal command sandbox. It
+does not change Docker's seccomp profile and does not add Linux capabilities to
+the container. In this mode, Codex gets the same access as the container
+itself, including the bind-mounted `/application` workspace, available network
+access, and the persisted auth volume under `${DOCKER_USER_HOME}/.codex`.
+
 ## 🧠 Vim IDE Features
 
 This template comes with a thoughtfully configured Vim environment that

compose.yaml

@@ -17,7 +17,7 @@ x-default-args: &default-args
   CODE_SERVER_EXTENSIONS: ${CODE_SERVER_EXTENSIONS:-ms-python.python ms-pyright.pyright charliermarsh.ruff ms-toolsai.jupyter}
   PYTHON_VERSION: ${PYTHON_VERSION:-3.14}
   PIP_DEFAULT_TIMEOUT: ${PIP_DEFAULT_TIMEOUT:-300}
-  POETRY_VERSION: ${POETRY_VERSION:-2.3.2}
+  POETRY_VERSION: ${POETRY_VERSION:-2.3.4}
   POETRY_OPTIONS_APP: ${POETRY_OPTIONS_APP:---only main --compile}
   POETRY_OPTIONS_DEV: ${POETRY_OPTIONS_DEV:---no-root --with dev --compile}