Documentation — Spybara

cli/reference.md +199 −12

Details

280| [`codex app`](https://developers.openai.com/codex/cli/reference#codex-app) | Stable | Launch the Codex desktop app on macOS or Windows. On macOS, Codex can open a workspace path; on Windows, Codex prints the path to open. |280| [`codex app`](https://developers.openai.com/codex/cli/reference#codex-app) | Stable | Launch the Codex desktop app on macOS or Windows. On macOS, Codex can open a workspace path; on Windows, Codex prints the path to open. |

281| [`codex app-server`](https://developers.openai.com/codex/cli/reference#codex-app-server) | Experimental | Launch the Codex app server for local development or debugging over stdio, WebSocket, or a Unix socket. |281| [`codex app-server`](https://developers.openai.com/codex/cli/reference#codex-app-server) | Experimental | Launch the Codex app server for local development or debugging over stdio, WebSocket, or a Unix socket. |

282| [`codex apply`](https://developers.openai.com/codex/cli/reference#codex-apply) | Stable | Apply the latest diff generated by a Codex Cloud task to your local working tree. Alias: `codex a`. |282| [`codex apply`](https://developers.openai.com/codex/cli/reference#codex-apply) | Stable | Apply the latest diff generated by a Codex Cloud task to your local working tree. Alias: `codex a`. |

283| [`codex archive`](https://developers.openai.com/codex/cli/reference#codex-archive-and-codex-unarchive) | Stable | Archive a saved interactive session by session ID or session name. |

283| [`codex cloud`](https://developers.openai.com/codex/cli/reference#codex-cloud) | Experimental | Browse or execute Codex Cloud tasks from the terminal without opening the TUI. Alias: `codex cloud-tasks`. |284| [`codex cloud`](https://developers.openai.com/codex/cli/reference#codex-cloud) | Experimental | Browse or execute Codex Cloud tasks from the terminal without opening the TUI. Alias: `codex cloud-tasks`. |

284| [`codex completion`](https://developers.openai.com/codex/cli/reference#codex-completion) | Stable | Generate shell completion scripts for Bash, Zsh, Fish, or PowerShell. |285| [`codex completion`](https://developers.openai.com/codex/cli/reference#codex-completion) | Stable | Generate shell completion scripts for Bash, Zsh, Fish, or PowerShell. |

285| [`codex debug app-server send-message-v2`](https://developers.openai.com/codex/cli/reference#codex-debug-app-server-send-message-v2) | Experimental | Debug app-server by sending a single V2 message through the built-in test client. |286| [`codex debug app-server send-message-v2`](https://developers.openai.com/codex/cli/reference#codex-debug-app-server-send-message-v2) | Experimental | Debug app-server by sending a single V2 message through the built-in test client. |

294| [`codex mcp`](https://developers.openai.com/codex/cli/reference#codex-mcp) | Experimental | Manage Model Context Protocol servers (list, add, remove, authenticate). |295| [`codex mcp`](https://developers.openai.com/codex/cli/reference#codex-mcp) | Experimental | Manage Model Context Protocol servers (list, add, remove, authenticate). |

295| [`codex mcp-server`](https://developers.openai.com/codex/cli/reference#codex-mcp-server) | Experimental | Run Codex itself as an MCP server over stdio. Useful when another agent consumes Codex. |296| [`codex mcp-server`](https://developers.openai.com/codex/cli/reference#codex-mcp-server) | Experimental | Run Codex itself as an MCP server over stdio. Useful when another agent consumes Codex. |

297| [`codex plugin`](https://developers.openai.com/codex/cli/reference#codex-plugin) | Experimental | Install, list, and remove plugins from configured marketplace sources. |

296| [`codex plugin marketplace`](https://developers.openai.com/codex/cli/reference#codex-plugin-marketplace) | Experimental | Add, list, upgrade, or remove plugin marketplaces from Git or local sources. |298| [`codex plugin marketplace`](https://developers.openai.com/codex/cli/reference#codex-plugin-marketplace) | Experimental | Add, list, upgrade, or remove plugin marketplaces from Git or local sources. |

297| [`codex remote-control`](https://developers.openai.com/codex/cli/reference#codex-remote-control) | Experimental | Ensure the local app-server daemon is running with remote-control support enabled. |299| [`codex remote-control`](https://developers.openai.com/codex/cli/reference#codex-remote-control) | Experimental | Ensure the local app-server daemon is running with remote-control support enabled. |

298| [`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume) | Stable | Continue a previous interactive session by ID or resume the most recent conversation. |300| [`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume) | Stable | Continue a previous interactive session by ID or resume the most recent conversation. |

299| [`codex sandbox`](https://developers.openai.com/codex/cli/reference#codex-sandbox) | Experimental | Run arbitrary commands inside Codex-provided macOS, Linux, or Windows sandboxes. |301| [`codex sandbox`](https://developers.openai.com/codex/cli/reference#codex-sandbox) | Experimental | Run arbitrary commands inside Codex-provided macOS, Linux, or Windows sandboxes. |

302| [`codex unarchive`](https://developers.openai.com/codex/cli/reference#codex-archive-and-codex-unarchive) | Stable | Restore an archived interactive session by session ID or session name. |

300| [`codex update`](https://developers.openai.com/codex/cli/reference#codex-update) | Stable | Check for and apply a Codex CLI update when the installed release supports self-update. |303| [`codex update`](https://developers.openai.com/codex/cli/reference#codex-update) | Stable | Check for and apply a Codex CLI update when the installed release supports self-update. |

301 304

302Key305Key

349 352

350Key353Key

351 354

355[`codex archive`](https://developers.openai.com/codex/cli/reference#codex-archive-and-codex-unarchive)

356

357Maturity

358

359Stable

360

361Details

362

363Archive a saved interactive session by session ID or session name.

364

365Key

366

352[`codex cloud`](https://developers.openai.com/codex/cli/reference#codex-cloud)367[`codex cloud`](https://developers.openai.com/codex/cli/reference#codex-cloud)

353 368

354Maturity369Maturity

505 520

506Key521Key

507 522

523[`codex plugin`](https://developers.openai.com/codex/cli/reference#codex-plugin)

524

525Maturity

526

527Experimental

528

529Details

530

531Install, list, and remove plugins from configured marketplace sources.

532

533Key

534

508[`codex plugin marketplace`](https://developers.openai.com/codex/cli/reference#codex-plugin-marketplace)535[`codex plugin marketplace`](https://developers.openai.com/codex/cli/reference#codex-plugin-marketplace)

509 536

510Maturity537Maturity

553 580

554Key581Key

555 582

583[`codex unarchive`](https://developers.openai.com/codex/cli/reference#codex-archive-and-codex-unarchive)

584

585Maturity

586

587Stable

588

589Details

590

591Restore an archived interactive session by session ID or session name.

592

593Key

594

556[`codex update`](https://developers.openai.com/codex/cli/reference#codex-update)595[`codex update`](https://developers.openai.com/codex/cli/reference#codex-update)

557 596

558Maturity597Maturity

581| --- | --- | --- |620| --- | --- | --- |

623| `--stdio` | `boolean` | Use stdio transport. Equivalent to `--listen stdio://` and mutually exclusive with `--listen`. |

615 655

616Key656Key

617 657

658`--stdio`

659

660Type / Values

661

662`boolean`

663

664Details

665

666Use stdio transport. Equivalent to `--listen stdio://` and mutually exclusive with `--listen`.

667

668Key

669

618`--ws-audience`670`--ws-audience`

619 671

620Type / Values672Type / Values

697 749

698Expected SHA-256 digest for capability-token authentication. Use instead of `--ws-token-file` when the client token comes from another source.750Expected SHA-256 digest for capability-token authentication. Use instead of `--ws-token-file` when the client token comes from another source.

699 751

700`codex app-server --listen stdio://` keeps the default JSONL-over-stdio behavior. `--listen ws://IP:PORT` enables WebSocket transport for app-server clients. The server accepts `ws://` listen URLs; use TLS termination or a secure proxy when clients connect with `wss://`. Use `--listen unix://` to accept WebSocket handshakes on Codex’s default Unix socket, or `--listen unix:///absolute/path.sock` to choose a socket path. If you generate schemas for client bindings, add `--experimental` to include gated fields and methods.752`codex app-server --listen stdio://` keeps the default JSONL-over-stdio behavior, and `codex app-server --stdio` is an alias for that transport. `--listen ws://IP:PORT` enables WebSocket transport for app-server clients. The server accepts `ws://` listen URLs; use TLS termination or a secure proxy when clients connect with `wss://`. Use `--listen unix://` to accept WebSocket handshakes on Codex’s default Unix socket, or `--listen unix:///absolute/path.sock` to choose a socket path. If you generate schemas for client bindings, add `--experimental` to include gated fields and methods.

701 753

702### `codex remote-control`754### `codex remote-control`

703 755

809 861

810Codex prints the patched files and exits non-zero if `git apply` fails (for example, due to conflicts).862Codex prints the patched files and exits non-zero if `git apply` fails (for example, due to conflicts).

811 863

864### `codex archive` and `codex unarchive`

865

866Archive or restore a saved interactive session by session ID or session name.

867Use these commands when you want to clean up the session picker without deleting

868the transcript. Session IDs take precedence over session names.

869

870```

871codex archive <SESSION>

872codex unarchive <SESSION>

873```

874

875| Key | Type / Values | Details |

876| --- | --- | --- |

878| `--remote-auth-token-env` | `ENV_VAR` | Read a bearer token from this environment variable when `--remote` requires authentication. |

880

881Key

882

883`--remote`

884

885Type / Values

886

887`ws://host:port | wss://host:port | unix:// | unix://PATH`

888

889Details

890

891Connect to a remote app-server endpoint before changing archive state.

892

893Key

894

895`--remote-auth-token-env`

896

897Type / Values

898

899`ENV_VAR`

900

901Details

902

903Read a bearer token from this environment variable when `--remote` requires authentication.

904

905Key

906

907`SESSION`

908

909Type / Values

910

911`session ID | session name`

912

913Details

914

915Saved session to archive or restore. Session IDs take precedence over session names.

916

812### `codex cloud`917### `codex cloud`

813 918

814Interact with Codex cloud tasks from the terminal. The default command opens an interactive picker; `codex cloud exec` submits a task directly, and `codex cloud list` returns recent tasks for scripting or quick inspection.919Interact with Codex cloud tasks from the terminal. The default command opens an interactive picker; `codex cloud exec` submits a task directly, and `codex cloud list` returns recent tasks for scripting or quick inspection.

1673 1778

1674OAuth actions (`login`, `logout`) only work with streamable HTTP servers (and only when the server supports OAuth).1779OAuth actions (`login`, `logout`) only work with streamable HTTP servers (and only when the server supports OAuth).

1675 1780

1781### `codex plugin`

1782

1783Install, list, and remove plugins from configured marketplaces.

1784

1785| Key | Type / Values | Details |

1786| --- | --- | --- |

1787| `add <plugin[@marketplace]>` | `[--marketplace, -m NAME] [--json]` | Install a plugin from a configured marketplace. Use `--marketplace` or `-m` when the plugin argument omits `@marketplace`. |

1788| `list` | `[--marketplace, -m NAME] [--available --json] [--json]` | List installed plugins. With `--json`, output has `installed` and `available` arrays; `--available` includes uninstalled marketplace plugins and requires `--json`. |

1789| `marketplace` | | Manage configured marketplace sources. See `codex plugin marketplace` below. |

1790| `remove <plugin[@marketplace]>` | `[--marketplace, -m NAME] [--json]` | Remove an installed plugin from local config and cache. Use `--json` for automation-friendly output. |

1791

1792Key

1793

1794`add <plugin[@marketplace]>`

1795

1796Type / Values

1797

1798`[--marketplace, -m NAME] [--json]`

1799

1800Details

1801

1802Install a plugin from a configured marketplace. Use `--marketplace` or `-m` when the plugin argument omits `@marketplace`.

1803

1804Key

1805

1806`list`

1807

1808Type / Values

1809

1810`[--marketplace, -m NAME] [--available --json] [--json]`

1811

1812Details

1813

1814List installed plugins. With `--json`, output has `installed` and `available` arrays; `--available` includes uninstalled marketplace plugins and requires `--json`.

1815

1816Key

1817

1818`marketplace`

1819

1820Details

1821

1822Manage configured marketplace sources. See `codex plugin marketplace` below.

1823

1824Key

1825

1826`remove <plugin[@marketplace]>`

1827

1828Type / Values

1829

1830`[--marketplace, -m NAME] [--json]`

1831

1832Details

1833

1834Remove an installed plugin from local config and cache. Use `--json` for automation-friendly output.

1835

1836`codex plugin add --json` prints `pluginId`, `name`, `marketplaceName`,

1837`version`, `installedPath`, and `authPolicy`. `codex plugin list --json` prints

1838`installed` and `available` arrays. Entries include `pluginId`, `name`,

1839`marketplaceName`, `version`, `installed`, `enabled`, `source`, `installPolicy`,

1840`authPolicy`, and, when available, `marketplaceSource` with the configured

1841marketplace source type and value. `codex plugin remove --json` prints

1842`pluginId`, `name`, and `marketplaceName`.

1843

1676### `codex plugin marketplace`1844### `codex plugin marketplace`

1677 1845

1678Manage plugin marketplace sources that Codex can browse and install from.1846Manage plugin marketplace sources that Codex can browse and install from.

1679 1847

1680| Key | Type / Values | Details |1848| Key | Type / Values | Details |

1681| --- | --- | --- |1849| --- | --- | --- |

1682| `add <source>` | `[--ref REF] [--sparse PATH]` | Install a plugin marketplace from GitHub shorthand, a Git URL, an SSH URL, or a local marketplace root directory. `--sparse` is supported only for Git sources and can be repeated. |1850| `add <source>` | `[--ref REF] [--sparse PATH] [--json]` | Install a plugin marketplace from GitHub shorthand, a Git URL, an SSH URL, or a local marketplace root directory. `--sparse` is supported only for Git sources and can be repeated. |

1686 1854

1687Key1855Key

1688 1856

1690 1858

1691Type / Values1859Type / Values

1692 1860

1693`[--ref REF] [--sparse PATH]`1861`[--ref REF] [--sparse PATH] [--json]`

1694 1862

1695Details1863Details

1696 1864

1700 1868

1701`list`1869`list`

1702 1870

1871Type / Values

1872

1873`[--json]`

1874

1703Details1875Details

1704 1876

1705Show plugin marketplaces Codex is currently considering and the root path for each marketplace.1877Show plugin marketplaces Codex is currently considering and the root path for each marketplace.

1708 1880

1709`remove <marketplace-name>`1881`remove <marketplace-name>`

1710 1882

1883Type / Values

1884

1885`[--json]`

1886

1711Details1887Details

1712 1888

1713Remove a configured plugin marketplace.1889Remove a configured plugin marketplace.

1716 1892

1717`upgrade [marketplace-name]`1893`upgrade [marketplace-name]`

1718 1894

1895Type / Values

1896

1897`[--json]`

1898

1719Details1899Details

1720 1900

1721Refresh one configured Git marketplace, or all configured Git marketplaces when no name is provided.1901Refresh one configured Git marketplace, or all configured Git marketplaces when no name is provided.

1729including implicitly discovered default marketplaces and configured marketplace1909including implicitly discovered default marketplaces and configured marketplace

1730snapshots.1910snapshots.

1731 1911

1912Add `--json` to marketplace add, list, upgrade, or remove commands for

1913automation-friendly output. Marketplace add JSON includes `marketplaceName`,

1914`installedRoot`, and `alreadyAdded`; list JSON includes a `marketplaces` array

1915with `name`, `root`, and optional `marketplaceSource`; upgrade JSON includes

1916`selectedMarketplaces`, `upgradedRoots`, and `errors`; remove JSON includes

1917`marketplaceName` and `installedRoot`.

1918

1732### `codex mcp-server`1919### `codex mcp-server`

1733 1920

1734Run Codex as an MCP server over stdio so that other tools can connect. This command inherits global configuration overrides and exits when the downstream client closes the connection.1921Run Codex as an MCP server over stdio so that other tools can connect. This command inherits global configuration overrides and exits when the downstream client closes the connection.

1844 2031

1904 2091

1905Key2092Key

1906 2093

1907`--permissions-profile`2094`--permissions-profile, -P`

1908 2095

1909Type / Values2096Type / Values

1910 2097

1945| `--cd, -C` | `DIR` | Working directory used for profile resolution and command execution. Requires `--permissions-profile`. |2132| `--cd, -C` | `DIR` | Working directory used for profile resolution and command execution. Requires `--permissions-profile`. |

1951 2138

1987 2174

1988Key2175Key

1989 2176

1990`--permissions-profile`2177`--permissions-profile, -P`

1991 2178

1992Type / Values2179Type / Values

1993 2180

2028| `--cd, -C` | `DIR` | Working directory used for profile resolution and command execution. Requires `--permissions-profile`. |2215| `--cd, -C` | `DIR` | Working directory used for profile resolution and command execution. Requires `--permissions-profile`. |

2034 2221

2070 2257

2071Key2258Key

2072 2259

2073`--permissions-profile`2260`--permissions-profile, -P`

2074 2261

2075Type / Values2262Type / Values

2076 2263

cli/slash-commands.md +12 −0

Details

36| [`/archive`](#archive-the-current-session-with-archive) | Archive the current session and exit Codex. | Remove the current session from active session lists without deleting its transcript. |

36| [`/compact`](#keep-transcripts-lean-with-compact) | Summarize the visible conversation to free tokens. | Use after long runs so Codex retains key points without blowing the context window. |37| [`/compact`](#keep-transcripts-lean-with-compact) | Summarize the visible conversation to free tokens. | Use after long runs so Codex retains key points without blowing the context window. |

37| [`/copy`](#copy-the-latest-response-with-copy) | Copy the latest completed Codex output. | Grab the latest finished response or plan text without manually selecting it. You can also press `Ctrl+O`. |38| [`/copy`](#copy-the-latest-response-with-copy) | Copy the latest completed Codex output. | Grab the latest finished response or plan text without manually selecting it. You can also press `Ctrl+O`. |

188`Ctrl`+`L` only clears the terminal view and keeps the current189`Ctrl`+`L` only clears the terminal view and keeps the current

189chat. Codex disables both actions while a task is in progress.190chat. Codex disables both actions while a task is in progress.

190 191

192### Archive the current session with `/archive`

193

1941. Type `/archive` and press Enter.

1952. Confirm that you want to archive the current session and exit Codex.

196

197Expected: Codex archives the current session and closes the interactive TUI.

198Codex keeps the session transcript stored locally; restore it later with

199`codex unarchive <SESSION>`.

200

201`/archive` is unavailable while a task is running.

202

191### Update permissions with `/permissions`203### Update permissions with `/permissions`

192 204

1931. Type `/permissions` and press Enter.2051. Type `/permissions` and press Enter.

config-reference.md +60 −0

Details

3281Use `[features]` in `requirements.toml` to pin feature flags by the same3281Use `[features]` in `requirements.toml` to pin feature flags by the same

3282canonical keys that `config.toml` uses. Omitted keys remain unconstrained.3282canonical keys that `config.toml` uses. Omitted keys remain unconstrained.

3283 3283

3284Managed permission-profile allowlists require Codex 0.138.0 or later. Codex

32850.137.0 and earlier ignore `allowed_permission_profiles` and managed

3286`default_permissions`.

3287

3288Use `allowed_sandbox_modes` with `sandbox_mode`. For permission-profile

3289deployments, use `allowed_permission_profiles` with managed

3290`default_permissions`.

3291

3284| Key | Type / Values | Details |3292| Key | Type / Values | Details |

3285| --- | --- | --- |3293| --- | --- | --- |

3286| `allow_managed_hooks_only` | `boolean` | When `true`, Codex skips user, project, session, and plugin hooks while still allowing managed hooks from `requirements.toml` and other managed config layers. |3294| `allow_managed_hooks_only` | `boolean` | When `true`, Codex skips user, project, session, and plugin hooks while still allowing managed hooks from `requirements.toml` and other managed config layers. |

3297| `allowed_permission_profiles` | `table<boolean>` | Complete list of allowed permission profiles. Profiles set to `true` are allowed. Profiles that are omitted or set to `false` are denied, including profiles added in future versions. When requirements sources are combined, entries are matched by profile name. |

3298| `allowed_permission_profiles.<name>` | `boolean` | Allow or deny a built-in or custom permission profile defined in a loaded config or requirements source. An earlier requirements source can use `false` to turn off a profile allowed by a later source. |

3290| `allowed_web_search_modes` | `array<string>` | Allowed values for `web_search` (`disabled`, `cached`, `live`). `disabled` is always allowed; an empty list effectively allows only `disabled`. |3300| `allowed_web_search_modes` | `array<string>` | Allowed values for `web_search` (`disabled`, `cached`, `live`). `disabled` is always allowed; an empty list effectively allows only `disabled`. |

3301| `default_permissions` | `string` | Managed default permission profile. The profile must be allowed by `allowed_permission_profiles`. Set this explicitly for predictable behavior; if omitted, Codex defaults to `:workspace` only when both `:workspace` and `:read-only` are explicitly allowed. |

3291| `experimental_network` | `table` | Network access requirements enforced from `requirements.toml`. These constraints are separate from `features.network_proxy` and can configure sandboxed networking without the user feature flag. |3302| `experimental_network` | `table` | Network access requirements enforced from `requirements.toml`. These constraints are separate from `features.network_proxy` and can configure sandboxed networking without the user feature flag. |

3292| `experimental_network.allow_local_binding` | `boolean` | Permit broader local/private-network access for sandboxed networking. Exact local IP literal or `localhost` allow rules can still permit specific local targets when this stays `false`. |3303| `experimental_network.allow_local_binding` | `boolean` | Permit broader local/private-network access for sandboxed networking. Exact local IP literal or `localhost` allow rules can still permit specific local targets when this stays `false`. |

3331| `permissions.<name>` | `table` | Admin-defined permission profile. The name can't start with `:`, use the reserved name `filesystem`, or duplicate a profile from a loaded config. Uses the same profile fields as `config.toml`; see the Permissions guide for the complete profile schema. |

3320| `permissions.filesystem.deny_read` | `array<string>` | Admin-enforced filesystem read denials. Entries can be paths or glob patterns, and users cannot weaken them with local config. |3332| `permissions.filesystem.deny_read` | `array<string>` | Admin-enforced filesystem read denials. Entries can be paths or glob patterns, and users cannot weaken them with local config. |

3322| `remote_sandbox_config` | `array<table>` | Host-specific sandbox requirements. The first entry whose `hostname_patterns` match the resolved host name overrides top-level `allowed_sandbox_modes` for that requirements source. Host-specific entries currently override sandbox modes only. |3334| `remote_sandbox_config` | `array<table>` | Host-specific sandbox requirements. The first entry whose `hostname_patterns` match the resolved host name overrides top-level `allowed_sandbox_modes` for that requirements source. Host-specific entries currently override sandbox modes only. |

3369 3381

3370Key3382Key

3371 3383

3384`allowed_permission_profiles`

3385

3386Type / Values

3387

3388`table<boolean>`

3389

3390Details

3391

3392Complete list of allowed permission profiles. Profiles set to `true` are allowed. Profiles that are omitted or set to `false` are denied, including profiles added in future versions. When requirements sources are combined, entries are matched by profile name.

3393

3394Key

3395

3396`allowed_permission_profiles.<name>`

3397

3398Type / Values

3399

3400`boolean`

3401

3402Details

3403

3404Allow or deny a built-in or custom permission profile defined in a loaded config or requirements source. An earlier requirements source can use `false` to turn off a profile allowed by a later source.

3405

3406Key

3407

3372`allowed_sandbox_modes`3408`allowed_sandbox_modes`

3373 3409

3374Type / Values3410Type / Values

3393 3429

3394Key3430Key

3395 3431

3432`default_permissions`

3433

3434Type / Values

3435

3436`string`

3437

3438Details

3439

3440Managed default permission profile. The profile must be allowed by `allowed_permission_profiles`. Set this explicitly for predictable behavior; if omitted, Codex defaults to `:workspace` only when both `:workspace` and `:read-only` are explicitly allowed.

3441

3442Key

3443

3396`experimental_network`3444`experimental_network`

3397 3445

3398Type / Values3446Type / Values

3741 3789

3742Key3790Key

3743 3791

3792`permissions.<name>`

3793

3794Type / Values

3795

3796`table`

3797

3798Details

3799

3800Admin-defined permission profile. The name can't start with `:`, use the reserved name `filesystem`, or duplicate a profile from a loaded config. Uses the same profile fields as `config.toml`; see the Permissions guide for the complete profile schema.

3801

3802Key

3803

3744`permissions.filesystem.deny_read`3804`permissions.filesystem.deny_read`

3745 3805

3746Type / Values3806Type / Values

enterprise/admin-setup.md +17 −0

Details

158 158

159Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.159Use cloud-managed `requirements.toml` policies to enforce the guardrails you want for each group. The snippets below are examples you can adapt, not required settings.

160 160

161For Codex 0.138.0 or later, prefer `allowed_permission_profiles` with managed

162`default_permissions`. Use `allowed_sandbox_modes` only for legacy deployments

163that still configure `sandbox_mode`.

164

161![Example managed requirements policy](/images/codex/enterprise/example_policy.png)165![Example managed requirements policy](/images/codex/enterprise/example_policy.png)

162 166

163Example: limit web search, sandbox mode, and approvals for a standard local rollout:167Example: limit web search, sandbox mode, and approvals for a standard local rollout:

168allowed_approval_policies = ["on-request"]172allowed_approval_policies = ["on-request"]

169```173```

170 174

175Example: allow the standard permission profiles for an upgraded fleet:

176

177Permission-profile allowlists require Codex 0.138.0 or later. Use this example

178only after every managed client runs a supporting release.

179

180```

181default_permissions = ":workspace"

182

183[allowed_permission_profiles]

184":read-only" = true

185":workspace" = true

186```

187

171Example: disable Browser Use, the in-app browser, and Computer Use:188Example: disable Browser Use, the in-app browser, and Computer Use:

172 189

173```190```

enterprise/managed-configuration.md +134 −7

Details

7 7

8## Admin-enforced requirements (requirements.toml)8## Admin-enforced requirements (requirements.toml)

9 9

10Requirements constrain security-sensitive settings (approval policy, approvals reviewer, automatic review policy, sandbox mode, web search mode, managed hooks, and optionally which MCP servers users can enable). When resolving configuration (for example from `config.toml`, [profile files](https://developers.openai.com/codex/config-advanced#profiles), or CLI config overrides), if a value conflicts with an enforced rule, Codex falls back to a compatible value and notifies the user. If you configure an `mcp_servers` allowlist, Codex enables an MCP server only when both its name and identity match an approved entry; otherwise, Codex disables it.10Requirements constrain security-sensitive settings (approval policy, approvals reviewer, automatic review policy, sandbox mode, permission profiles, web search mode, managed hooks, and optionally which MCP servers users can enable). When resolving configuration (for example from `config.toml`, [profile files](https://developers.openai.com/codex/config-advanced#profiles), or CLI config overrides), if a value conflicts with an enforced rule, Codex falls back to a compatible value and notifies the user. If you configure an `mcp_servers` allowlist, Codex enables an MCP server only when both its name and identity match an approved entry; otherwise, Codex disables it.

11 11

12Requirements can also constrain [feature flags](https://developers.openai.com/codex/config-basic/#feature-flags) via the `[features]` table in `requirements.toml`. Note that features aren’t always security-sensitive, but enterprises can pin values if desired. Omitted keys remain unconstrained.12Requirements can also constrain [feature flags](https://developers.openai.com/codex/config-basic/#feature-flags) via the `[features]` table in `requirements.toml`. Note that features aren’t always security-sensitive, but enterprises can pin values if desired. Omitted keys remain unconstrained.

13 13

14For Codex 0.138.0 or later, prefer [permission profiles](https://developers.openai.com/codex/permissions)

15with `allowed_permission_profiles` and managed `default_permissions`. Use

16`allowed_sandbox_modes` only for legacy deployments that still configure

17`sandbox_mode`.

14For the exact key list, see the [`requirements.toml` section in Configuration Reference](https://developers.openai.com/codex/config-reference#requirementstoml).19For the exact key list, see the [`requirements.toml` section in Configuration Reference](https://developers.openai.com/codex/config-reference#requirementstoml).

15 20

16### Locations and precedence21### Locations and precedence

17 22

~~18Codex applies requirements layers in this order (earlier wins per field):~~23Codex checks requirement sources in this order. If the same setting appears more

24than once, the first value wins:

19 25

201. Cloud-managed requirements (ChatGPT Business or Enterprise)261. Cloud-managed requirements (ChatGPT Business or Enterprise)

212. macOS managed preferences (MDM) via `com.openai.codex:requirements_toml_base64`272. macOS managed preferences (MDM) via `com.openai.codex:requirements_toml_base64`

223. System `requirements.toml` (`/etc/codex/requirements.toml` on Unix systems, including Linux/macOS, or `%ProgramData%\OpenAI\Codex\requirements.toml` on Windows)283. System `requirements.toml` (`/etc/codex/requirements.toml` on Unix systems, including Linux/macOS, or `%ProgramData%\OpenAI\Codex\requirements.toml` on Windows)

23 29

24Across layers, Codex merges requirements per field: if an earlier layer sets a field (including an empty list), later layers don’t override that field, but lower layers can still fill fields that remain unset.30Codex checks these sources from top to bottom. For ordinary settings and lists,

31it uses the first value it finds. A later source can still provide a setting

32that earlier sources leave unset.

34Tables combine one entry at a time. For `allowed_permission_profiles`, a later

35source can add profile names that earlier sources don’t mention. If two sources

36set the same profile name, the earlier source wins.

25 37

26For backwards compatibility, Codex also interprets legacy `managed_config.toml` fields `approval_policy` and `sandbox_mode` as requirements (allowing only that single value).38For backwards compatibility, Codex also interprets legacy `managed_config.toml` fields `approval_policy` and `sandbox_mode` as requirements (allowing only that single value).

27 39

72allowed_sandbox_modes = ["read-only", "workspace-write"]84allowed_sandbox_modes = ["read-only", "workspace-write"]

73```85```

74 86

87### Control available permission profiles

89Use `allowed_permission_profiles` to control which built-in and custom

90[permission profiles](https://developers.openai.com/codex/permissions) users can select. This is the

91permission-profile equivalent of `allowed_sandbox_modes`; use the allowlist that

92matches how your users select permissions.

94Permission-profile allowlists require Codex 0.138.0 or later. Codex 0.137.0 and

95earlier ignore `allowed_permission_profiles` and managed

96`default_permissions`.

98Use the permission-profile examples below only after every managed client runs a

99supporting release. Don’t deploy managed custom profiles until the fleet upgrade

100is complete.

101

102When the table is present, it is the complete list of allowed profiles. Profiles

103set to `true` are allowed. Profiles that are omitted or set to `false` are

104denied, including built-ins added in future Codex versions.

105

106#### Allow the standard profiles

107

108This policy allows read-only and workspace access, but not full access:

109

110```

111default_permissions = ":workspace"

112

113[allowed_permission_profiles]

114":read-only" = true

115":workspace" = true

116# ":danger-full-access" is omitted, so it is denied.

117```

118

119#### Add a managed least-privilege default

120

121Admins can define a custom profile in the same requirements source. Use

122organization-specific profile names that won’t collide with names in users’

123loaded config. Custom names can’t start with `:` or use the reserved `filesystem`

124name.

125

126Don’t deploy managed custom profiles to clients running Codex 0.137.0 or

127earlier. Those clients recognize the profile table but not the managed default

128that selects it.

129

130For example:

131

132```

133default_permissions = "acme_review_only"

134

135[allowed_permission_profiles]

136":read-only" = true

137":workspace" = true

138acme_review_only = true

139# ":danger-full-access" is intentionally omitted, so it is denied.

140

141[permissions.acme_review_only]

142description = "Review code without modifying the workspace."

143extends = ":read-only"

144```

145

146#### Allow only enterprise-defined profiles

147

148Omit all built-ins when users should select only admin-defined profiles:

149

150```

151default_permissions = "acme_workspace"

152

153[allowed_permission_profiles]

154acme_workspace = true

155

156[permissions.acme_workspace]

157description = "Workspace access with sensitive files denied."

158extends = ":workspace"

159

160[permissions.acme_workspace.filesystem]

161glob_scan_max_depth = 3

162

163[permissions.acme_workspace.filesystem.":workspace_roots"]

164"**/*.env" = "deny"

165```

166

167The custom profile can extend `:workspace` even though users can’t select the

168built-in `:workspace` profile directly.

169

170#### Turn off a profile allowed by another source

171

172Permission allowlists combine by profile name. Because Codex checks cloud

173requirements before system requirements, cloud requirements can use `false` to

174turn off a profile allowed by the system file.

175

176Cloud requirements:

177

178```

179default_permissions = ":read-only"

180

181[allowed_permission_profiles]

182":read-only" = true

183":workspace" = false

184```

185

186System requirements:

187

188```

189[allowed_permission_profiles]

190":read-only" = true

191":workspace" = true # Not honored because cloud requirements set this to false.

192```

193

194Set `default_permissions` explicitly to an allowed profile. If it is omitted,

195Codex defaults to `:workspace` only when both `:workspace` and `:read-only` are

196explicitly allowed. When `allowed_permission_profiles` is absent, managed

197requirements don’t restrict which profile names users can select. Every entry

198must name a built-in profile or a custom profile defined in a loaded config or

199requirements source. Define custom profiles in managed requirements when their

200behavior should be controlled centrally.

201

75### Override sandbox requirements by host202### Override sandbox requirements by host

76 203

77Use `[[remote_sandbox_config]]` when one managed policy should apply different204Use `[[remote_sandbox_config]]` when one managed policy should apply different

207]334]

208```335```

209 336

210When deny-read requirements are present, Codex constrains local sandbox mode to337When deny-read requirements are present, Codex rejects full-access permissions

211`read-only` or `workspace-write` so Codex can enforce them. On native338and keeps local execution in a read-only or workspace sandbox so it can enforce

212Windows, managed `deny_read` applies to direct file tools; shell subprocess339them. On native Windows, managed `deny_read` applies to direct file tools; shell

213reads don’t use this sandbox rule.340subprocess reads don’t use this sandbox rule.

214 341

215### Enforce managed hooks from requirements342### Enforce managed hooks from requirements

216 343

permissions.md +17 −3

Details

5Permission profiles do not compose with the older sandbox settings. Configure5Permission profiles do not compose with the older sandbox settings. Configure

6either `default_permissions` and `[permissions]`, or `sandbox_mode` /6either `default_permissions` and `[permissions]`, or `sandbox_mode` /

7`sandbox_workspace_write`, but not both. If `sandbox_mode` appears in any7`sandbox_workspace_write`, but not both. If `sandbox_mode` appears in any

~~8active config layer, you pass `--sandbox`, or a config profile sets~~8loaded config file, you pass `--sandbox`, or the selected config profile sets

9`sandbox_mode`, Codex uses those older sandbox settings instead of9`sandbox_mode`, Codex uses those older sandbox settings instead of

10`default_permissions`.10`default_permissions`.

11 11

12Managed `allowed_permission_profiles` is the exception: it makes Codex use

13permission profiles. Remove older settings such as

14`sandbox_mode` and `[sandbox_workspace_write]` before deploying a managed

15profile allowlist. For a mixed-version enterprise rollout, you can keep the

16managed `allowed_sandbox_modes` requirement as a temporary compatibility

17constraint until every client runs Codex 0.138.0 or later.

12Permission profiles let you apply least-privilege boundaries to local commands19Permission profiles let you apply least-privilege boundaries to local commands

13Codex runs on your behalf. A profile is a named policy that combines filesystem20Codex runs on your behalf. A profile is a named policy that combines filesystem

14rules, which define what commands can read or write, with network rules, which21rules, which define what commands can read or write, with network rules, which

39In this example, `project-edit` is a user-defined profile name, not a built-in46In this example, `project-edit` is a user-defined profile name, not a built-in

40value.47value.

41 48

49Enterprise administrators can define profiles and restrict which profiles

50users may select through managed `requirements.toml`. Once

51`allowed_permission_profiles` is present, omitted profiles are denied,

52including omitted built-ins and profiles added in future Codex versions. See

53[Control available permission profiles](https://developers.openai.com/codex/enterprise/managed-configuration#control-available-permission-profiles)

54for the recommended managed configuration.

42Custom profiles use two related concepts:56Custom profiles use two related concepts:

43 57

44- `[permissions.<name>.workspace_roots]` adds concrete directories that should58- `[permissions.<name>.workspace_roots]` adds concrete directories that should

144 158

146| --- | --- | --- | --- |160| --- | --- | --- | --- |

147| `default_permissions` | String profile name | None | Names the permissions profile Codex applies by default. The value must match a profile under `[permissions]` or a built-in profile such as `:workspace`. Required when permission profiles are active. If an older sandbox setting is active, Codex uses those older sandbox settings instead. |161| `default_permissions` | String profile name | None | Names the permissions profile Codex applies by default. It must match a profile under `[permissions]` or a built-in such as `:workspace`. Set it explicitly for predictable behavior; managed requirements may omit it only when both `:workspace` and `:read-only` are explicitly allowed. Codex uses older sandbox settings unless managed `allowed_permission_profiles` tells it to use permission profiles in this setup. |

150| `permissions.<name>.extends` | String profile name | None | Starts this profile from another named profile or the built-in `:read-only` or `:workspace` profile. Codex rejects `:danger-full-access`, unknown parents, and inheritance cycles. |164| `permissions.<name>.extends` | String profile name | None | Starts this profile from another named profile or the built-in `:read-only` or `:workspace` profile. Codex rejects `:danger-full-access`, unknown parents, and inheritance cycles. |

sdk.md +5 −1

Details

70pip install openai-codex70pip install openai-codex

71```71```

72 72

~~73Published SDK builds automatically use their pinned runtime. Pass `AppServerConfig(codex_bin=...)` only when you intentionally want to run against a specific local app-server binary.~~73Published SDK builds automatically use their pinned runtime. Pass `CodexConfig(codex_bin=...)` only when you intentionally want to run against a specific local Codex executable.

75While the Python SDK is in beta, `pip install openai-codex` selects the latest

76published beta build. After a stable SDK release exists, use

77`pip install --pre openai-codex` to opt in to newer prerelease builds.

74 78

75### Usage79### Usage

76 80

Documentation 2026-06-06 00:58 UTC to 2026-06-09 18:50 UTC