## Summary

This PR hardens package-manager usage across the repo to reduce dependency supply-chain risk. It also removes the stale `codex-cli` Docker path, which was already broken on `main`, instead of keeping a bitrotted container workflow alive.

## What changed

- Updated pnpm package manager pins and workspace install settings.
- Removed stale `codex-cli` Docker assets instead of trying to keep a broken local container path alive.
- Added uv settings and lockfiles for the Python SDK packages.
- Updated Python SDK setup docs to use `uv sync`.

## Why

This is primarily a security hardening change. It reduces package-install and supply-chain risk by ensuring dependency installs go through pinned package managers, committed lockfiles, release-age settings, and reviewed build-script controls.

For `codex-cli`, the right follow-up was to remove the local Docker path rather than keep patching it:

- `codex-cli/Dockerfile` installed `codex.tgz` with `npm install -g`, which bypassed the repo lockfile and age-gated pnpm settings.
- The local `codex-cli/scripts/build_container.sh` helper was already broken on `main`: it called `pnpm run build`, but `codex-cli/package.json` does not define a `build` script.
- The container path itself had bitrotted enough that keeping it would require extra packaging-specific behavior that was not otherwise needed by the repo.

## Gaps addressed

- Global npm installs bypassed the repo lockfile in Docker and CLI reinstall paths, including `codex-cli/Dockerfile` and `codex-cli/bin/codex.js`.
- CI and Docker pnpm installs used `--frozen-lockfile`, but the repo was missing stricter pnpm workspace settings for dependency build scripts.
- Python SDK projects had `pyproject.toml` metadata but no committed `uv.lock` coverage or uv age/index settings in `sdk/python` and `sdk/python-runtime`.
- The secure devcontainer install path used npm/global install behavior without a local locked package-manager boundary.
- The local `codex-cli` Docker helper was already broken on `main`, so this PR removes that stale Docker path instead of preserving a broken surface.
- pnpm was already pinned, but not to the current repo-wide pnpm version target.

## Verification

- `pnpm install --frozen-lockfile`
- `.devcontainer/codex-install`: `pnpm install --prod --frozen-lockfile`
- `.devcontainer/codex-install`: `./node_modules/.bin/codex --version`
- `sdk/python`: `uv lock --check`, `uv sync --locked --all-extras --dry-run`, `uv build`
- `sdk/python-runtime`: `uv lock --check`, `uv sync --locked --dry-run`, `uv build --wheel`
- `pnpm -r --filter ./sdk/typescript run build`
- `pnpm -r --filter ./sdk/typescript run lint`
- `pnpm -r --filter ./sdk/typescript run test`
- `node --check codex-cli/bin/codex.js`
- `docker build -f .devcontainer/Dockerfile.secure -t codex-secure-test .`
- `cargo build -p codex-cli`
- repo-wide package-manager audit
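A small audit for the three gaps the description names: a global `npm install -g` that sidesteps the lockfile, a helper script calling a `pnpm run` target that `package.json` does not define, and a `packageManager` pin that does not match the repo-wide target. This is an added example, not code from the PR or the repo; the Dockerfile, shell script and `package.json` contents and the `pnpm@...` versions are constructed samples, and a real run would read the files from the checkout instead.

```python
import json
import re

# Added example, not repo code. Regexes target the two install patterns named
# in the PR text; the sample files and pnpm versions below are constructed.
NPM_GLOBAL = re.compile(r"\bnpm\s+(?:install|i)\b.*?(?:\s-g\b|\s--global\b)")
PNPM_RUN = re.compile(r"\bpnpm\s+run\s+([\w:.-]+)")

SAMPLE_DOCKERFILE = """FROM node:20
COPY codex.tgz /tmp/codex.tgz
RUN npm install -g /tmp/codex.tgz
RUN pnpm install --frozen-lockfile
"""
SAMPLE_BUILD_SH = "pnpm install --frozen-lockfile\npnpm run build\npnpm run lint\n"
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "codex-cli",
    "packageManager": "pnpm@9.0.0",  # constructed pin
    "scripts": {"lint": "eslint ."},  # deliberately no "build" script
})
REPO_PNPM_TARGET = "pnpm@10.0.0"  # constructed repo-wide target, not a real value

def find_global_npm_installs(dockerfile_text):
    """1-based line numbers of `npm install -g` / `--global` lines (lockfile bypass)."""
    return [n for n, line in enumerate(dockerfile_text.splitlines(), 1)
            if NPM_GLOBAL.search(line)]

def undefined_pnpm_scripts(script_text, package_json):
    """`pnpm run <name>` targets that package.json's "scripts" block does not define."""
    scripts = json.loads(package_json).get("scripts", {})
    return sorted({s for s in PNPM_RUN.findall(script_text) if s not in scripts})

def package_manager_pin(package_json, expected):
    """(matches_target, actual_pin) for the top-level packageManager field."""
    pin = json.loads(package_json).get("packageManager")
    return pin == expected, pin

def audit(dockerfile, build_sh, package_json, target):
    """Human-readable findings; an empty list means all three checks passed."""
    findings = [f"Dockerfile line {n}: global npm install bypasses the lockfile"
                for n in find_global_npm_installs(dockerfile)]
    findings += [f"helper calls `pnpm run {s}` but package.json has no `{s}` script"
                 for s in undefined_pnpm_scripts(build_sh, package_json)]
    ok, pin = package_manager_pin(package_json, target)
    if not ok:
        findings.append(f"packageManager is {pin!r}, expected {target!r}")
    return findings
```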
# Python SDK Examples

Each example folder contains runnable versions:

- `sync.py` (public sync surface: `Codex`)
- `async.py` (public async surface: `AsyncCodex`)

All examples intentionally use only public SDK exports from `codex_app_server`.
## Prerequisites

- Python >=3.10
- Install SDK dependencies for the same Python interpreter you will use to run examples

Recommended setup (from `sdk/python`):

```bash
uv sync
source .venv/bin/activate
```
When running examples from this repo checkout, the SDK source uses the local tree and does not bundle a runtime binary. The helper in `examples/_bootstrap.py` uses the installed `openai-codex-cli-bin` runtime package.

If the pinned `openai-codex-cli-bin` runtime is not already installed, the bootstrap will download the matching GitHub release artifact, stage a temporary local `openai-codex-cli-bin` package, install it into your active interpreter, and clean up the temporary files afterward.

Current pinned runtime version: `0.116.0-alpha.1`
## Run examples

From `sdk/python`:

```bash
python examples/<example-folder>/sync.py
python examples/<example-folder>/async.py
```

The examples bootstrap local imports from `sdk/python/src` automatically, so no SDK wheel install is required. You only need the Python dependencies for your active interpreter and an installed `openai-codex-cli-bin` runtime package (either already present or automatically provisioned by the bootstrap).

### Recommended first run

```bash
python examples/01_quickstart_constructor/sync.py
python examples/01_quickstart_constructor/async.py
```
## Index

- `01_quickstart_constructor/` - first run / sanity check
- `02_turn_run/` - inspect full turn output fields
- `03_turn_stream_events/` - stream a turn with a small curated event view
- `04_models_and_metadata/` - discover visible models for the connected runtime
- `05_existing_thread/` - resume a real existing thread (created in-script)
- `06_thread_lifecycle_and_controls/` - thread lifecycle + control calls
- `07_image_and_text/` - remote image URL + text multimodal turn
- `08_local_image_and_text/` - local image + text multimodal turn using a generated temporary sample image
- `09_async_parity/` - parity-style sync flow (see async parity in other examples)
- `10_error_handling_and_retry/` - overload retry pattern + typed error handling structure
- `11_cli_mini_app/` - interactive chat loop
- `12_turn_params_kitchen_sink/` - structured output with a curated advanced `turn(...)` configuration
- `13_model_select_and_turn_params/` - list models, pick highest model + highest supported reasoning effort, run turns, print message and usage
- `14_turn_controls/` - separate best-effort `steer()` and `interrupt()` demos with concise summaries