diff --git a/pkg/app/up.go b/pkg/app/up.go
index 45ab926ee..0b7bfe8a4 100644
--- a/pkg/app/up.go
+++ b/pkg/app/up.go
@@ -158,6 +158,10 @@ var CommandUp = &cli.Command{
 			Usage:       "Specify the target platform for the build output, (for example, windows/amd64, linux/amd64, or darwin/arm64)",
 			DefaultText: runtimeutil.GetRuntimePlatform(),
 		},
+		&cli.StringSliceFlag{
+			Name:  "cap",
+			Usage: "Add capabilities to the environment (e.g. `SYS_PTRACE`)",
+		},
 	},
 
 	Action: up,
@@ -275,6 +279,7 @@ func up(clicontext *cli.Context) error {
 		NumCPU:          clicontext.String("cpus"),
 		NumMem:          clicontext.String("memory"),
 		CPUSet:          clicontext.String("cpu-set"),
+		Capabilities:    clicontext.StringSlice("cap"),
 	}
 	if len(startOptions.NumCPU) > 0 && len(startOptions.CPUSet) > 0 {
 		return errors.New("`--cpus` and `--cpu-set` are mutually exclusive")
diff --git a/pkg/envd/docker.go b/pkg/envd/docker.go
index db536c609..7e7475495 100644
--- a/pkg/envd/docker.go
+++ b/pkg/envd/docker.go
@@ -391,7 +391,9 @@ func (e dockerEngine) StartEnvd(ctx context.Context, so StartOptions) (*StartRes
 		"cpu-set":       so.CPUSet,
 		"memory":        so.NumMem,
 		"build-context": so.BuildContext,
+		"cap":           so.Capabilities,
 	})
+	logger.Debug("starting the envd docker environment")
 
 	bar := InitProgressBar(5)
 	defer bar.Finish()
@@ -498,6 +500,9 @@ func (e dockerEngine) StartEnvd(ctx context.Context, so StartOptions) (*StartRes
 	if so.ShmSize > 0 {
 		hostConfig.ShmSize = int64(so.ShmSize) * 1024 * 1024
 	}
+	if len(so.Capabilities) > 0 {
+		hostConfig.CapAdd = so.Capabilities
+	}
 	// resource
 	if len(so.NumCPU) > 0 {
 		cpu, err := strconv.ParseFloat(so.NumCPU, 64)
diff --git a/pkg/envd/types.go b/pkg/envd/types.go
index 06dffe8f4..2007cd2f2 100644
--- a/pkg/envd/types.go
+++ b/pkg/envd/types.go
@@ -45,6 +45,7 @@ type StartOptions struct {
 	Timeout         time.Duration
 	ShmSize         int
 	Forced          bool
+	Capabilities    []string
 	SshdHost        string
 
 	EngineSource
diff --git a/pkg/lang/ir/v1/agent.go b/pkg/lang/ir/v1/agent.go
index 51a315f16..ae83c9915 100644
--- a/pkg/lang/ir/v1/agent.go
+++ b/pkg/lang/ir/v1/agent.go
@@ -22,7 +22,7 @@ import (
 
 // https://github.com/openai/codex
 const (
-	codexDefaultVersion = "0.79.0"
+	codexDefaultVersion = "0.92.0"
 )
 
 func (g generalGraph) installAgentCodex(root llb.State, agent ir.CodeAgent) llb.State {