diff --git a/AGENTS.md b/AGENTS.md
index f8b3559..6fadcce 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -20,7 +20,9 @@
   `spoon-agent-job` images to `git.gbrown.org/gib`. In production,
   `SPOON_AGENT_JOB_IMAGE` should point to
   `git.gbrown.org/gib/spoon-agent-job:latest`, and the worker service requires
-  access to the host Docker socket.
+  access to the host Docker socket. API-key provider jobs run through OpenCode;
+  Codex ChatGPT login profiles run through the Codex CLI with an injected
+  `CODEX_HOME/.codex/auth.json` inside the isolated job workspace.
 
 ## Protected and generated files
 
diff --git a/README.md b/README.md
index 611dcc2..3bd2ab4 100644
--- a/README.md
+++ b/README.md
@@ -200,9 +200,10 @@ curl -H "Authorization: Bearer $SPOON_AGENT_WORKER_INTERNAL_TOKEN" \
   http://spoon-agent-worker:3921/health
 ```
 
-For the first production run, use an API-key based AI provider profile. Stored
-OpenCode/Codex `auth.json` profiles are supported in settings, but worker-side
-auth-file injection is still a follow-up before they can execute jobs.
+API-key based AI provider profiles run through OpenCode. Codex ChatGPT login
+profiles run through the Codex CLI: Spoon writes the encrypted `auth.json` into
+the isolated job workspace as `CODEX_HOME/.codex/auth.json` before execution.
+Treat that saved auth file like a password and only use it on trusted workers.
 
 </details>
 
@@ -294,7 +295,8 @@ The mobile app currently supports:
 - thread list/detail, message composer, resolve/cancel actions, and workspace
   review links
 - GitHub integration status and repository listing
-- AI provider profile management, including Codex/OpenCode auth JSON
+- AI provider profile management, including Codex auth JSON and API-key
+  providers
 - read-only workspace review for job status, messages, diffs, events,
   artifacts, and draft PR links
 
@@ -466,11 +468,12 @@ not call Infisical.
 - GitHub drift refresh, commit cache, PR cache, and sync-run history
 - Effective drift and ignored upstream change records
 - Global Threads page and Spoon-scoped Threads tab
-- OpenCode-oriented agent worker and browser workspace foundation
+- OpenCode/Codex-oriented agent worker and browser workspace foundation
 - Monaco editor with optional Vim mode
 - Diff viewer, command panel, worker logs, and artifacts
 - Encrypted Spoon secrets and bulk `.env` import
-- Encrypted AI provider profiles, including Codex/OpenCode auth support
+- Encrypted AI provider profiles, including Codex auth JSON and API-key
+  provider support
 - Authentik, GitHub, and password auth through Convex Auth
 - Self-hosted Convex/Postgres deployment model
 
diff --git a/apps/agent-worker/src/worker.ts b/apps/agent-worker/src/worker.ts
index b4a448b..1c74236 100644
--- a/apps/agent-worker/src/worker.ts
+++ b/apps/agent-worker/src/worker.ts
@@ -94,6 +94,7 @@ const sleep = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms));
 
 const client = new ConvexHttpClient(env.convexUrl);
 const activeWorkspaces = new Map<string, ActiveWorkspace>();
+const jobContainerWorkspace = '/workspace';
 
 const appendEvent = async (
   jobId: Id<'agentJobs'>,
@@ -239,7 +240,50 @@ const recordWorkspaceChange = async (args: {
 
 const commandToShell = (command: string) => ['bash', '-lc', command];
 
-const providerEnvironment = (claim: Claim): Record<string, string> => {
+const isCodexLoginProfile = (claim: Claim) =>
+  claim.aiProviderProfile?.provider === 'opencode_openai_login' ||
+  claim.aiProviderProfile?.authType === 'opencode_auth_json';
+
+const collectJsonStringValues = (value?: string): string[] => {
+  if (!value) return [];
+  try {
+    const parsed = JSON.parse(value) as unknown;
+    const values: string[] = [];
+    const visit = (item: unknown) => {
+      if (typeof item === 'string') {
+        if (item.length >= 12) values.push(item);
+        return;
+      }
+      if (Array.isArray(item)) {
+        item.forEach(visit);
+        return;
+      }
+      if (item && typeof item === 'object') {
+        Object.values(item).forEach(visit);
+      }
+    };
+    visit(parsed);
+    return values;
+  } catch {
+    return [];
+  }
+};
+
+const providerEnvironment = (
+  claim: Claim,
+  workspaceRoot?: string,
+): Record<string, string> => {
+  if (isCodexLoginProfile(claim)) {
+    if (!workspaceRoot) {
+      throw new Error('Codex auth profiles require a prepared workspace.');
+    }
+    return {
+      CODEX_HOME: path.join(workspaceRoot, '.codex'),
+      HOME: workspaceRoot,
+      XDG_DATA_HOME: path.join(workspaceRoot, '.local', 'share'),
+      XDG_CONFIG_HOME: path.join(workspaceRoot, '.config'),
+    };
+  }
   const profile = claim.aiProviderProfile;
   const secret = profile?.secret ?? claim.openai.apiKey;
   if (!secret) {
@@ -268,9 +312,7 @@ const providerEnvironment = (claim: Claim): Record<string, string> => {
   ) {
     return { OPENAI_API_KEY: secret, ...baseUrl };
   }
-  throw new Error(
-    'OpenCode login profiles are saved but need auth-file injection before execution.',
-  );
+  throw new Error('Unsupported AI provider profile.');
 };
 
 const opencodeModel = (claim: Claim) => {
@@ -288,6 +330,63 @@ const opencodeModel = (claim: Claim) => {
   return `${profile.provider}/${model}`;
 };
 
+const codexModel = (claim: Claim) => {
+  const model = claim.aiProviderProfile?.model ?? claim.openai.model;
+  return model.includes('/') ? model.split('/').at(-1) ?? model : model;
+};
+
+const writeJsonFile = async (filePath: string, content: string) => {
+  let normalized = content.trim();
+  try {
+    normalized = `${JSON.stringify(JSON.parse(normalized), null, 2)}\n`;
+  } catch {
+    throw new Error('Codex auth JSON is not valid JSON.');
+  }
+  await mkdir(path.dirname(filePath), { recursive: true });
+  await writeFile(filePath, normalized, { mode: 0o600 });
+};
+
+const prepareCodexAuth = async (workspace: ActiveWorkspace) => {
+  const secret = workspace.claim.aiProviderProfile?.secret;
+  if (!secret) {
+    throw new Error('Codex auth profile is missing auth.json contents.');
+  }
+  const codexAuthPath = path.join(workspace.workdir, '.codex', 'auth.json');
+  await writeJsonFile(codexAuthPath, secret);
+
+  // Also seed OpenCode's auth location with the saved JSON for forward
+  // compatibility if this profile later runs through OpenCode directly.
+  const openCodeAuthPath = path.join(
+    workspace.workdir,
+    '.local',
+    'share',
+    'opencode',
+    'auth.json',
+  );
+  await writeJsonFile(openCodeAuthPath, secret);
+
+  await appendEvent(
+    workspace.claim.job._id,
+    'info',
+    'clone',
+    'Prepared Codex auth JSON for the isolated workspace.',
+  );
+};
+
+const agentCommand = (claim: Claim, prompt: string) => {
+  if (isCodexLoginProfile(claim)) {
+    return commandToShell(
+      `codex exec --model ${quoteShell(codexModel(claim))} --sandbox workspace-write ${quoteShell(prompt)}`,
+    );
+  }
+  return commandToShell(
+    `opencode run --model ${quoteShell(opencodeModel(claim))} ${quoteShell(prompt)}`,
+  );
+};
+
+const agentFailurePrefix = (claim: Claim) =>
+  isCodexLoginProfile(claim) ? 'codex failed' : 'opencode failed';
+
 const systemPromptForJob = (claim: Claim) => {
   const base = [
     `Spoon: ${claim.spoon.name}`,
@@ -605,6 +704,7 @@ const runClaim = async (claim: Claim) => {
   const secretValues = [
     claim.openai.apiKey ?? '',
     claim.aiProviderProfile?.secret ?? '',
+    ...collectJsonStringValues(claim.aiProviderProfile?.secret),
     ...claim.secrets.map((secret) => secret.value),
   ].filter(Boolean);
   const redact = createRedactor(secretValues);
@@ -632,6 +732,9 @@ const runClaim = async (claim: Claim) => {
       githubToken,
       redact,
     };
+    if (isCodexLoginProfile(claim)) {
+      await prepareCodexAuth(workspace);
+    }
     await materializeEnvFile(workspace);
     const detected = await detectPackageCommands(repoDir);
     await addArtifact({
@@ -800,18 +903,19 @@ export const sendWorkspaceMessage = async (jobId: string, prompt: string) => {
     if ((claim.job.runtime ?? 'opencode') !== 'opencode') {
       throw new Error('Legacy OpenAI direct jobs are no longer supported.');
     }
-    const model = opencodeModel(claim);
-    const aiEnv = providerEnvironment(claim);
+    const aiEnv = providerEnvironment(
+      claim,
+      env.runtime === 'docker' ? jobContainerWorkspace : workdir,
+    );
     const secretEnv = Object.fromEntries(
       claim.secrets.map((secret) => [secret.name, secret.value]),
     );
+    const command = agentCommand(claim, prompt);
     const result =
       env.runtime === 'docker'
         ? await runInJobContainer({
             workdir,
-            command: commandToShell(
-              `opencode run --model ${quoteShell(model)} ${quoteShell(prompt)}`,
-            ),
+            command,
             environment: {
               ...aiEnv,
               ...secretEnv,
@@ -821,10 +925,7 @@ export const sendWorkspaceMessage = async (jobId: string, prompt: string) => {
           })
         : await run(
             'bash',
-            [
-              '-lc',
-              `opencode run --model ${quoteShell(model)} ${quoteShell(prompt)}`,
-            ],
+            command.slice(1),
             {
               cwd: repoDir,
               env: {
@@ -842,7 +943,7 @@ export const sendWorkspaceMessage = async (jobId: string, prompt: string) => {
       content: truncate(result.output, 40_000),
     });
     if (result.exitCode !== 0) {
-      throw new Error(`opencode failed:\n${result.output}`);
+      throw new Error(`${agentFailurePrefix(claim)}:\n${result.output}`);
     }
     if (claim.job.jobType === 'maintenance_review') {
       const decision = parseMaintenanceDecision(result.output);
diff --git a/apps/expo/src/components/settings/ai-provider-profile-form.tsx b/apps/expo/src/components/settings/ai-provider-profile-form.tsx
index 28160e3..1454b7a 100644
--- a/apps/expo/src/components/settings/ai-provider-profile-form.tsx
+++ b/apps/expo/src/components/settings/ai-provider-profile-form.tsx
@@ -153,7 +153,7 @@ export const AiProviderProfileForm = ({
       <SheetSelect
         label='Provider'
         options={[
-          { label: 'OpenCode OpenAI login', value: 'opencode_openai_login' },
+          { label: 'Codex ChatGPT login', value: 'opencode_openai_login' },
           { label: 'OpenAI', value: 'openai' },
           { label: 'Anthropic', value: 'anthropic' },
           { label: 'Google', value: 'google' },
@@ -173,7 +173,7 @@ export const AiProviderProfileForm = ({
         label='Auth type'
         options={[
           { label: 'API key', value: 'api_key' },
-          { label: 'OpenCode auth JSON', value: 'opencode_auth_json' },
+          { label: 'Codex auth JSON', value: 'opencode_auth_json' },
           { label: 'None', value: 'none' },
         ]}
         value={authType}
@@ -181,8 +181,9 @@ export const AiProviderProfileForm = ({
       />
       {authType === 'opencode_auth_json' ? (
         <Text className='text-muted-foreground text-sm leading-5'>
-          Copy auth.json from your Codex/OpenCode auth folder, for example
-          ~/.codex/auth.json, and paste it here.
+          Copy auth.json from your Codex auth folder, for example
+          ~/.codex/auth.json, and paste it here. Spoon writes it into isolated
+          agent workspaces for Codex CLI runs.
         </Text>
       ) : null}
       {authType !== 'none' ? (
diff --git a/apps/next/src/components/agent-workspace/agent-workspace-shell.tsx b/apps/next/src/components/agent-workspace/agent-workspace-shell.tsx
index c80856e..1de588f 100644
--- a/apps/next/src/components/agent-workspace/agent-workspace-shell.tsx
+++ b/apps/next/src/components/agent-workspace/agent-workspace-shell.tsx
@@ -95,13 +95,13 @@ export const AgentWorkspaceShell = ({ jobId }: { jobId: Id<'agentJobs'> }) => {
   };
 
   return (
-    <main className='border-border bg-muted/20 min-h-[calc(100vh-5rem)] overflow-hidden rounded-md border'>
+    <main className='border-border bg-muted/20 flex h-[calc(100vh-8.5rem)] min-h-[720px] flex-col overflow-hidden rounded-md border'>
       <JobStatusBar job={job} />
       <div className='border-border bg-background flex items-center justify-end border-b px-4 py-2'>
         <WorkspaceActions job={job} disabled={workspaceDisabled} />
       </div>
-      <div className='grid min-h-[680px] grid-cols-1 xl:grid-cols-[260px_minmax(0,1fr)_360px]'>
-        <aside className='border-border bg-background min-h-[260px] border-r'>
+      <div className='grid min-h-0 flex-1 grid-cols-1 lg:grid-cols-[280px_minmax(0,1fr)] 2xl:grid-cols-[300px_minmax(0,1fr)_420px]'>
+        <aside className='border-border bg-background min-h-0 border-r'>
           <div className='border-border border-b p-3'>
             <h2 className='text-sm font-semibold'>Files</h2>
             <p className='text-muted-foreground text-xs'>Current workspace</p>
@@ -117,16 +117,19 @@ export const AgentWorkspaceShell = ({ jobId }: { jobId: Id<'agentJobs'> }) => {
             }}
           />
         </aside>
-        <section className='bg-background min-w-0'>
-          <Tabs defaultValue='editor' className='h-full'>
+        <section className='bg-background flex min-w-0 flex-col'>
+          <Tabs defaultValue='editor' className='flex min-h-0 flex-1 flex-col'>
             <TabsList
               variant='line'
-              className='border-border h-11 w-full justify-start rounded-none border-b px-3'
+              className='border-border h-11 flex-none justify-start rounded-none border-b px-3'
             >
               <TabsTrigger value='editor'>Editor</TabsTrigger>
               <TabsTrigger value='diff'>Diff</TabsTrigger>
+              <TabsTrigger value='thread' className='2xl:hidden'>
+                Thread
+              </TabsTrigger>
             </TabsList>
-            <TabsContent value='editor' className='m-0'>
+            <TabsContent value='editor' className='m-0 min-h-0 flex-1'>
               <CodeEditor
                 path={selectedPath}
                 content={fileContent}
@@ -134,13 +137,23 @@ export const AgentWorkspaceShell = ({ jobId }: { jobId: Id<'agentJobs'> }) => {
                 onSave={saveFile}
               />
             </TabsContent>
-            <TabsContent value='diff' className='m-0'>
+            <TabsContent value='diff' className='m-0 min-h-0 flex-1'>
               <DiffViewer diff={diff} onRefresh={loadDiff} />
             </TabsContent>
+            <TabsContent
+              value='thread'
+              className='m-0 min-h-0 flex-1 2xl:hidden'
+            >
+              <AgentThread
+                jobId={jobId}
+                messages={messages}
+                disabled={workspaceDisabled}
+              />
+            </TabsContent>
           </Tabs>
           <CommandPanel jobId={jobId} disabled={workspaceDisabled} />
         </section>
-        <aside className='border-border bg-muted/20 min-w-0 border-l'>
+        <aside className='border-border bg-muted/20 hidden min-w-0 border-l 2xl:block'>
           <AgentThread
             jobId={jobId}
             messages={messages}
diff --git a/apps/next/src/components/agent-workspace/code-editor.tsx b/apps/next/src/components/agent-workspace/code-editor.tsx
index a1a4c0f..c0c0bba 100644
--- a/apps/next/src/components/agent-workspace/code-editor.tsx
+++ b/apps/next/src/components/agent-workspace/code-editor.tsx
@@ -79,7 +79,7 @@ export const CodeEditor = ({
   };
 
   return (
-    <div className='flex h-full min-h-[520px] flex-col'>
+    <div className='flex h-full min-h-0 flex-col'>
       <div className='border-border flex h-11 items-center justify-between gap-3 border-b px-3'>
         <div className='min-w-0'>
           <p className='truncate font-mono text-xs'>{path}</p>
@@ -104,7 +104,8 @@ export const CodeEditor = ({
       </div>
       <div className='min-h-0 flex-1'>
         <MonacoEditor
-          height='520px'
+          height='100%'
+          width='100%'
           path={path}
           value={value}
           theme='vs-dark'
@@ -114,6 +115,7 @@ export const CodeEditor = ({
             fontSize: 13,
             scrollBeyondLastLine: false,
             wordWrap: 'on',
+            automaticLayout: true,
           }}
           onMount={(editor) => {
             editorRef.current = editor as MonacoEditorInstance;
diff --git a/apps/next/src/components/agent-workspace/diff-viewer.tsx b/apps/next/src/components/agent-workspace/diff-viewer.tsx
index 319e29c..e9c4b55 100644
--- a/apps/next/src/components/agent-workspace/diff-viewer.tsx
+++ b/apps/next/src/components/agent-workspace/diff-viewer.tsx
@@ -15,7 +15,7 @@ export const DiffViewer = ({
   diff: string;
   onRefresh: () => Promise<void>;
 }) => (
-  <div className='flex h-full min-h-[520px] flex-col'>
+  <div className='flex h-full min-h-0 flex-col'>
     <div className='border-border flex h-11 items-center justify-between border-b px-3'>
       <div>
         <p className='text-sm font-medium'>Workspace diff</p>
@@ -27,7 +27,8 @@ export const DiffViewer = ({
     </div>
     {diff.trim() ? (
       <MonacoEditor
-        height='520px'
+        height='100%'
+        width='100%'
         language='diff'
         theme='vs-dark'
         value={diff}
@@ -36,6 +37,7 @@ export const DiffViewer = ({
           minimap: { enabled: false },
           fontSize: 13,
           scrollBeyondLastLine: false,
+          automaticLayout: true,
         }}
       />
     ) : (
diff --git a/apps/next/src/components/app-shell/app-shell.tsx b/apps/next/src/components/app-shell/app-shell.tsx
index 0f76e17..f025819 100644
--- a/apps/next/src/components/app-shell/app-shell.tsx
+++ b/apps/next/src/components/app-shell/app-shell.tsx
@@ -1,11 +1,21 @@
 'use client';
 
 import type { ReactNode } from 'react';
+import { usePathname } from 'next/navigation';
 
 export const AppShell = ({ children }: { children: ReactNode }) => {
+  const pathname = usePathname();
+  const isWorkspace = /\/spoons\/[^/]+\/agent\/[^/]+/.test(pathname);
+
   return (
     <div className='bg-muted/20 flex-1 border-t'>
-      <div className='container mx-auto min-w-0 px-4 py-6 md:px-6'>
+      <div
+        className={
+          isWorkspace
+            ? 'min-w-0 px-3 py-3 md:px-4'
+            : 'container mx-auto min-w-0 px-4 py-6 md:px-6'
+        }
+      >
         {children}
       </div>
     </div>
diff --git a/apps/next/src/components/integrations/ai-provider-profiles-panel.tsx b/apps/next/src/components/integrations/ai-provider-profiles-panel.tsx
index b3b9c2b..1c7c9ad 100644
--- a/apps/next/src/components/integrations/ai-provider-profiles-panel.tsx
+++ b/apps/next/src/components/integrations/ai-provider-profiles-panel.tsx
@@ -85,7 +85,7 @@ const providerOptions: {
   },
   {
     value: 'opencode_openai_login',
-    label: 'OpenCode OpenAI login',
+    label: 'Codex ChatGPT login',
     authType: 'opencode_auth_json',
   },
 ];
@@ -282,8 +282,8 @@ export const AiProviderProfilesPanel = () => {
             ))
           ) : (
             <p className='text-muted-foreground text-sm'>
-              Add API-key providers for OpenCode, or store an OpenCode OpenAI
-              login profile for the next auth-file injection pass.
+              Add API-key providers for OpenCode, or store a Codex ChatGPT login
+              profile for runs that should use your Codex plan.
             </p>
           )}
         </CardContent>
@@ -332,7 +332,7 @@ export const AiProviderProfilesPanel = () => {
             <div className='grid gap-2'>
               <Label>
                 {selectedProvider.authType === 'opencode_auth_json'
-                  ? 'OpenCode auth JSON'
+                  ? 'Codex auth JSON'
                   : 'API key'}
               </Label>
               {selectedProvider.authType === 'opencode_auth_json' ? (
@@ -347,8 +347,9 @@ export const AiProviderProfilesPanel = () => {
                     <code className='bg-muted rounded px-1 py-0.5'>
                       ~/.codex/auth.json
                     </code>
-                    . It is stored encrypted and should be treated like a
-                    password.
+                    . Spoon writes it into the isolated job workspace as
+                    Codex&apos;s auth cache. It is stored encrypted and should
+                    be treated like a password.
                   </p>
                 </>
               ) : (
diff --git a/docker/agent-job.Dockerfile b/docker/agent-job.Dockerfile
index 3d1697b..81c768f 100644
--- a/docker/agent-job.Dockerfile
+++ b/docker/agent-job.Dockerfile
@@ -5,6 +5,7 @@ ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
 RUN apt-get update \
   && apt-get install -y --no-install-recommends \
     bash \
+    bubblewrap \
     build-essential \
     ca-certificates \
     curl \
@@ -14,11 +15,9 @@ RUN apt-get update \
     python3 \
     ripgrep \
   && corepack enable \
-  && npm install -g bun@1.3.10 opencode-ai@latest \
+  && npm install -g bun@1.3.10 opencode-ai@latest @openai/codex@latest \
   && rm -rf /var/lib/apt/lists/*
 
-RUN useradd --create-home --shell /bin/bash agent
-USER agent
 WORKDIR /workspace
 
 CMD ["bash"]
diff --git a/scripts/pem-to-env b/scripts/pem-to-env
new file mode 100755
index 0000000..5669f17
--- /dev/null
+++ b/scripts/pem-to-env
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  printf 'usage: pem-to-env VARIABLE_NAME path/to/key.pem\n' >&2
+  exit 2
+}
+
+[[ "$#" -eq 2 ]] || usage
+
+name="$1"
+file="$2"
+
+case "$name" in
+  [A-Za-z_][A-Za-z0-9_]*) ;;
+  *) printf 'pem-to-env: invalid environment variable name: %s\n' "$name" >&2; exit 2 ;;
+esac
+
+[[ -f "$file" ]] || {
+  printf 'pem-to-env: file not found: %s\n' "$file" >&2
+  exit 1
+}
+
+printf '%s="' "$name"
+awk 'NF { gsub(/\r/, ""); gsub(/\\/,"\\\\"); gsub(/"/,"\\\""); printf "%s\\n", $0 }' "$file"
+printf '"\n'