1# Configuration Reference
2
3Use this page as a searchable reference for Codex configuration files. For conceptual guidance and examples, start with [Config basics](https://learn.chatgpt.com/docs/config-file/config-basic) and [Advanced Config](https://learn.chatgpt.com/docs/config-file/config-advanced).
4
5## `config.toml`
6
7User-level configuration lives in `~/.codex/config.toml`. You can also add project-scoped overrides in `.codex/config.toml` files. Codex loads project-scoped config files only when you trust the project.
8
9Project-scoped config can't override machine-local provider, auth,
10host-owned app request metadata, notification, configuration profile selection,
11or telemetry routing keys. Codex ignores `openai_base_url`,
12`chatgpt_base_url`, `apps_mcp_product_sku`, `model_provider`,
13`model_providers`, `notify`, `profile`, `profiles`,
14`experimental_realtime_ws_base_url`, and `otel` when they appear in a
15project-local `.codex/config.toml`; put provider, notification, and telemetry
16keys in user-level config instead. Config [profile files](https://learn.chatgpt.com/docs/config-file/config-advanced#profiles) live next to
17`config.toml` as `$CODEX_HOME/profile-name.config.toml`; select one with
18`--profile profile-name`.
19
20For sandbox and approval keys (`approval_policy`, `sandbox_mode`, and `sandbox_workspace_write.*`), pair this reference with [Sandbox and approvals](https://learn.chatgpt.com/docs/agent-approvals-security#sandbox-and-approvals), [Protected paths in writable roots](https://learn.chatgpt.com/docs/agent-approvals-security#protected-paths-in-writable-roots), and [Network access](https://learn.chatgpt.com/docs/agent-approvals-security#network-access). For beta permission profiles, see [Permissions](https://learn.chatgpt.com/docs/permissions).
21
22<ConfigTable
23 options={[
24 {
25 key: "model",
26 type: "string",
27 description: "Model to use (e.g., `gpt-5.5`).",
28 },
29 {
30 key: "review_model",
31 type: "string",
32 description:
33 "Optional model override used by `/review` (defaults to the current session model).",
34 },
35 {
36 key: "model_provider",
37 type: "string",
38 description: "Provider id from `model_providers` (default: `openai`).",
39 },
40 {
41 key: "openai_base_url",
42 type: "string",
43 description:
44 "Base URL override for the built-in `openai` model provider.",
45 },
46 {
47 key: "model_context_window",
48 type: "number",
49 description: "Context window tokens available to the active model.",
50 },
51 {
52 key: "model_auto_compact_token_limit",
53 type: "number",
54 description:
55 "Token threshold that triggers automatic history compaction (unset uses model defaults).",
56 },
57 {
58 key: "model_auto_compact_token_limit_scope",
59 type: "total | body_after_prefix",
60 description:
61 "Controls whether the auto-compaction threshold counts the full active context (`total`, the default) or only growth after the carried compaction-window prefix (`body_after_prefix`).",
62 },
63 {
64 key: "model_catalog_json",
65 type: "string (path)",
66 description:
67 "Optional path to a JSON model catalog loaded on startup. A selected `$CODEX_HOME/profile-name.config.toml` profile file can override this per profile.",
68 },
69 {
70 key: "oss_provider",
71 type: "lmstudio | ollama",
72 description:
73 "Default local provider used when running with `--oss` (defaults to prompting if unset).",
74 },
75 {
76 key: "approval_policy",
77 type: "untrusted | on-request | never | { granular = { sandbox_approval = bool, rules = bool, mcp_elicitations = bool, request_permissions = bool, skill_approval = bool } }",
78 description:
79 "Controls when Codex pauses for approval before executing commands. You can also use `approval_policy = { granular = { ... } }` to allow or auto-reject specific prompt categories while keeping other prompts interactive. `on-failure` is deprecated; use `on-request` for interactive runs or `never` for non-interactive runs.",
80 },
81 {
82 key: "approval_policy.granular.sandbox_approval",
83 type: "boolean",
84 description:
85 "When `true`, sandbox escalation approval prompts are allowed to surface.",
86 },
87 {
88 key: "approval_policy.granular.rules",
89 type: "boolean",
90 description:
91 "When `true`, approvals triggered by execpolicy `prompt` rules are allowed to surface.",
92 },
93 {
94 key: "approval_policy.granular.mcp_elicitations",
95 type: "boolean",
96 description:
97 "When `true`, MCP elicitation prompts are allowed to surface instead of being auto-rejected.",
98 },
99 {
100 key: "approval_policy.granular.request_permissions",
101 type: "boolean",
102 description:
103 "When `true`, prompts from the `request_permissions` tool are allowed to surface.",
104 },
105 {
106 key: "approval_policy.granular.skill_approval",
107 type: "boolean",
108 description:
109 "When `true`, skill-script approval prompts are allowed to surface.",
110 },
111 {
112 key: "approvals_reviewer",
113 type: "user | auto_review",
114 description:
115 "Who reviews eligible approval prompts under `on-request` or granular approval policies. Defaults to `user`; `auto_review` uses the reviewer subagent. This setting doesn't change sandboxing or review actions already allowed inside the sandbox.",
116 },
117 {
118 key: "auto_review.policy",
119 type: "string",
120 description:
121 "Local Markdown policy instructions for automatic review. Managed `guardian_policy_config` takes precedence. Blank values are ignored.",
122 },
123 {
124 key: "allow_login_shell",
125 type: "boolean",
126 description:
127 "Allow shell-based tools to use login-shell semantics. Defaults to `true`; when `false`, `login = true` requests are rejected and omitted `login` defaults to non-login shells.",
128 },
129 {
130 key: "sandbox_mode",
131 type: "read-only | workspace-write | danger-full-access",
132 description:
133 "Sandbox policy for filesystem and network access during command execution.",
134 },
135 {
136 key: "sandbox_workspace_write.writable_roots",
137 type: "array<string>",
138 description:
139 'Additional writable roots when `sandbox_mode = "workspace-write"`.',
140 },
141 {
142 key: "sandbox_workspace_write.network_access",
143 type: "boolean",
144 description:
145 "Allow outbound network access inside the workspace-write sandbox.",
146 },
147 {
148 key: "sandbox_workspace_write.exclude_tmpdir_env_var",
149 type: "boolean",
150 description:
151 "Exclude `$TMPDIR` from writable roots in workspace-write mode.",
152 },
153 {
154 key: "sandbox_workspace_write.exclude_slash_tmp",
155 type: "boolean",
156 description:
157 "Exclude `/tmp` from writable roots in workspace-write mode.",
158 },
159 {
160 key: "windows.sandbox",
161 type: "unelevated | elevated",
162 description:
163 "Windows-only native sandbox mode when running Codex natively on Windows.",
164 },
165 {
166 key: "windows.sandbox_private_desktop",
167 type: "boolean",
168 description:
169 "Run the final sandboxed child process on a private desktop by default on native Windows. Set `false` only for compatibility with the older `Winsta0\\\\Default` behavior.",
170 },
171 {
172 key: "computer_use.windows.always_allowed_app_ids",
173 type: "array<string>",
174 description:
175 "Windows app identifiers that Computer Use can open without prompting. Apps not in the list require approval; remove saved entries from the ChatGPT desktop app's Computer Use settings.",
176 },
177 {
178 key: "notify",
179 type: "array<string>",
180 description:
181 "Command invoked for notifications; receives a JSON payload from Codex.",
182 },
183 {
184 key: "check_for_update_on_startup",
185 type: "boolean",
186 description:
187 "Check for Codex updates on startup (set to false only when updates are centrally managed).",
188 },
189 {
190 key: "feedback.enabled",
191 type: "boolean",
192 description:
193 "Enable feedback submission via `/feedback` across local clients (default: true).",
194 },
195 {
196 key: "analytics.enabled",
197 type: "boolean",
198 description:
199 "Enable or disable analytics for this machine/profile. When unset, the client default applies.",
200 },
201 {
202 key: "instructions",
203 type: "string",
204 description:
205 "Reserved for future use; prefer `model_instructions_file` or `AGENTS.md`.",
206 },
207 {
208 key: "developer_instructions",
209 type: "string",
210 description:
211 "Additional developer instructions injected into the session (optional).",
212 },
213 {
214 key: "log_dir",
215 type: "string (path)",
216 description:
217 "Directory where Codex writes log files; defaults to `$CODEX_HOME/log`. Setting this explicitly also enables the opt-in plaintext TUI log, `codex-tui.log`, in that directory.",
218 },
219 {
220 key: "sqlite_home",
221 type: "string (path)",
222 description:
223 "Directory where Codex stores the SQLite-backed state DB used by agent jobs and other resumable runtime state.",
224 },
225 {
226 key: "compact_prompt",
227 type: "string",
228 description: "Inline override for the history compaction prompt.",
229 },
230 {
231 key: "model_instructions_file",
232 type: "string (path)",
233 description:
234 "Replacement for built-in instructions instead of `AGENTS.md`.",
235 },
236 {
237 key: "personality",
238 type: "none | friendly | pragmatic",
239 description:
240 "Default communication style for models that advertise `supportsPersonality`; can be overridden per thread/turn or via `/personality`.",
241 },
242 {
243 key: "service_tier",
244 type: "string",
245 description:
246 "Preferred service tier for new turns. Built-in values include `flex` and `fast`; legacy `fast` config maps to the request value `priority`, and catalog-provided tier IDs can also be stored.",
247 },
248 {
249 key: "experimental_compact_prompt_file",
250 type: "string (path)",
251 description:
252 "Load the compaction prompt override from a file (experimental).",
253 },
254 {
255 key: "skills.config",
256 type: "array<object>",
257 description: "Per-skill enablement overrides stored in config.toml.",
258 },
259 {
260 key: "skills.config.<index>.path",
261 type: "string (path)",
262 description: "Path to a skill folder containing `SKILL.md`.",
263 },
264 {
265 key: "skills.config.<index>.enabled",
266 type: "boolean",
267 description: "Enable or disable the referenced skill.",
268 },
269 {
270 key: "apps.<id>.enabled",
271 type: "boolean",
272 description:
273 "Enable or disable a specific app/connector by id (default: true).",
274 },
275 {
276 key: "apps._default.enabled",
277 type: "boolean",
278 description:
279 "Default app enabled state for all apps unless overridden per app.",
280 },
281 {
282 key: "apps._default.destructive_enabled",
283 type: "boolean",
284 description:
285 "Default allow/deny for app tools with `destructive_hint = true`.",
286 },
287 {
288 key: "apps._default.open_world_enabled",
289 type: "boolean",
290 description:
291 "Default allow/deny for app tools with `open_world_hint = true`.",
292 },
293 {
294 key: "apps._default.approvals_reviewer",
295 type: "user | auto_review",
296 description:
297 "Default reviewer for app tool approval prompts unless overridden per app. When omitted, apps inherit the top-level `approvals_reviewer` value.",
298 },
299 {
300 key: "apps._default.default_tools_approval_mode",
301 type: "auto | prompt | writes | approve",
302 description:
303 "Default approval behavior for app tools without per-app or per-tool overrides.",
304 },
305 {
306 key: "apps.<id>.destructive_enabled",
307 type: "boolean",
308 description:
309 "Allow or block tools in this app that advertise `destructive_hint = true`.",
310 },
311 {
312 key: "apps.<id>.open_world_enabled",
313 type: "boolean",
314 description:
315 "Allow or block tools in this app that advertise `open_world_hint = true`.",
316 },
317 {
318 key: "apps.<id>.default_tools_enabled",
319 type: "boolean",
320 description:
321 "Default enabled state for tools in this app unless a per-tool override exists.",
322 },
323 {
324 key: "apps.<id>.approvals_reviewer",
325 type: "user | auto_review",
326 description:
327 "Reviewer for this app's tool approval prompts. Overrides `apps._default.approvals_reviewer`.",
328 },
329 {
330 key: "apps.<id>.default_tools_approval_mode",
331 type: "auto | prompt | writes | approve",
332 description:
333 "Default approval behavior for tools in this app unless a per-tool override exists.",
334 },
335 {
336 key: "apps.<id>.tools.<tool>.enabled",
337 type: "boolean",
338 description:
339 "Per-tool enabled override for an app tool (for example `repos/list`).",
340 },
341 {
342 key: "apps.<id>.tools.<tool>.approval_mode",
343 type: "auto | prompt | writes | approve",
344 description: "Per-tool approval behavior override for a single app tool.",
345 },
346 {
347 key: "tool_suggest.discoverables",
348 type: "array<table>",
349 description:
350 'Allow tool suggestions for additional discoverable connectors or plugins. Each entry uses `type = "connector"` or `"plugin"` and an `id`.',
351 },
352 {
353 key: "tool_suggest.disabled_tools",
354 type: "array<table>",
355 description:
356 'Disable suggestions for specific discoverable connectors or plugins. Each entry uses `type = "connector"` or `"plugin"` and an `id`.',
357 },
358 {
359 key: "features.apps",
360 type: "boolean",
361 description:
362 "Enable app (connector) integrations (stable; on by default).",
363 },
364 {
365 key: "features.hooks",
366 type: "boolean",
367 description:
368 "Enable lifecycle hooks loaded from `hooks.json` or inline `[hooks]` config. `features.codex_hooks` is a deprecated alias.",
369 },
370 {
371 key: "features.code_mode.enabled",
372 type: "boolean",
373 description:
374 "Enable code mode feature configuration. This feature is under development and off by default.",
375 },
376 {
377 key: "features.code_mode.excluded_tool_namespaces",
378 type: "array<string>",
379 description:
380 "Tool namespaces code mode excludes from nested code-mode tool guidance and executor exposure.",
381 },
382 {
383 key: "features.code_mode.direct_only_tool_namespaces",
384 type: "array<string>",
385 description:
386 "Tool namespaces code mode can use only through direct tool calls.",
387 },
388 {
389 key: "features.rollout_budget.enabled",
390 type: "boolean",
391 description:
392 "Enable rollout budget tracking. This feature is under development and off by default. When enabled, `features.rollout_budget.limit_tokens` is required.",
393 },
394 {
395 key: "features.rollout_budget.limit_tokens",
396 type: "integer",
397 description:
398 "Positive token limit for rollout budget tracking. Required when rollout budget is enabled.",
399 },
400 {
401 key: "features.rollout_budget.reminder_interval_tokens",
402 type: "integer",
403 description:
404 "Positive token interval between rollout budget reminders. Defaults to 10% of `limit_tokens`, with a minimum of 1 token.",
405 },
406 {
407 key: "features.rollout_budget.sampling_token_weight",
408 type: "number",
409 description:
410 "Finite non-negative multiplier for sampled tokens in rollout budget accounting. Defaults to `1.0`.",
411 },
412 {
413 key: "features.rollout_budget.prefill_token_weight",
414 type: "number",
415 description:
416 "Finite non-negative multiplier for prefill tokens in rollout budget accounting. Defaults to `1.0`.",
417 },
418 {
419 key: "hooks",
420 type: "table",
421 description:
422 "Lifecycle hooks configured inline in `config.toml`. Uses the same event schema as `hooks.json`; see the Hooks guide for examples and supported events.",
423 },
424 {
425 key: "hooks.<Event>",
426 type: "array<table>",
427 description:
428 "Matcher groups for hook events such as `PreToolUse`, `PermissionRequest`, `PostToolUse`, `PreCompact`, `PostCompact`, `SessionStart`, `SubagentStart`, `SubagentStop`, `UserPromptSubmit`, or `Stop`.",
429 },
430 {
431 key: "hooks.<Event>[].hooks",
432 type: "array<table>",
433 description:
434 "Hook handlers for a matcher group. Command hooks are currently supported; prompt and agent hook handlers are parsed but skipped.",
435 },
436 {
437 key: "hooks.<Event>[].hooks[].commandWindows",
438 type: "string",
439 description:
440 "Windows-only command override for command hooks. The TOML alias `command_windows` is also accepted.",
441 },
442 {
443 key: "features.memories",
444 type: "boolean",
445 description:
446 "Enable [Memories](https://learn.chatgpt.com/docs/customization/memories) (off by default).",
447 },
448 {
449 key: "mcp_servers.<id>.command",
450 type: "string",
451 description: "Launcher command for an MCP stdio server.",
452 },
453 {
454 key: "mcp_servers.<id>.args",
455 type: "array<string>",
456 description: "Arguments passed to the MCP stdio server command.",
457 },
458 {
459 key: "mcp_servers.<id>.env",
460 type: "map<string,string>",
461 description: "Environment variables forwarded to the MCP stdio server.",
462 },
463 {
464 key: "mcp_servers.<id>.env_vars",
465 type: 'array<string | { name = string, source = "local" | "remote" }>',
466 description:
467 'Additional environment variables to whitelist for an MCP stdio server. String entries default to `source = "local"`; use `source = "remote"` only with executor-backed remote stdio.',
468 },
469 {
470 key: "mcp_servers.<id>.cwd",
471 type: "string",
472 description: "Working directory for the MCP stdio server process.",
473 },
474 {
475 key: "mcp_servers.<id>.url",
476 type: "string",
477 description: "Endpoint for an MCP streamable HTTP server.",
478 },
479 {
480 key: "mcp_servers.<id>.auth",
481 type: "oauth | chatgpt",
482 description:
483 "Authentication fallback for an MCP HTTP server after configured bearer tokens and authorization headers. `oauth` (default) uses stored MCP OAuth credentials when available. `chatgpt` uses the current ChatGPT session for the trusted first-party ChatGPT origin, then falls back to stored OAuth. Both modes can connect without authentication if no credential source resolves.",
484 },
485 {
486 key: "mcp_servers.<id>.bearer_token_env_var",
487 type: "string",
488 description:
489 "Environment variable sourcing the bearer token for an MCP HTTP server.",
490 },
491 {
492 key: "mcp_servers.<id>.http_headers",
493 type: "map<string,string>",
494 description: "Static HTTP headers included with each MCP HTTP request.",
495 },
496 {
497 key: "mcp_servers.<id>.env_http_headers",
498 type: "map<string,string>",
499 description:
500 "HTTP headers populated from environment variables for an MCP HTTP server.",
501 },
502 {
503 key: "mcp_servers.<id>.enabled",
504 type: "boolean",
505 description: "Disable an MCP server without removing its configuration.",
506 },
507 {
508 key: "mcp_servers.<id>.required",
509 type: "boolean",
510 description:
511 "When true, fail startup/resume if this enabled MCP server cannot initialize.",
512 },
513 {
514 key: "mcp_servers.<id>.startup_timeout_sec",
515 type: "number",
516 description:
517 "Override the default 10s startup timeout for an MCP server.",
518 },
519 {
520 key: "mcp_servers.<id>.startup_timeout_ms",
521 type: "number",
522 description: "Alias for `startup_timeout_sec` in milliseconds.",
523 },
524 {
525 key: "mcp_servers.<id>.tool_timeout_sec",
526 type: "number",
527 description:
528 "Override the default 60s per-tool timeout for an MCP server.",
529 },
530 {
531 key: "mcp_servers.<id>.enabled_tools",
532 type: "array<string>",
533 description: "Allow list of tool names exposed by the MCP server.",
534 },
535 {
536 key: "mcp_servers.<id>.disabled_tools",
537 type: "array<string>",
538 description:
539 "Deny list applied after `enabled_tools` for the MCP server.",
540 },
541 {
542 key: "mcp_servers.<id>.default_tools_approval_mode",
543 type: "auto | prompt | writes | approve",
544 description:
545 "Default approval behavior for MCP tools on this server unless a per-tool override exists.",
546 },
547 {
548 key: "mcp_servers.<id>.tools.<tool>.approval_mode",
549 type: "auto | prompt | writes | approve",
550 description:
551 "Per-tool approval behavior override for one MCP tool on this server.",
552 },
553 {
554 key: "mcp_servers.<id>.scopes",
555 type: "array<string>",
556 description:
557 "OAuth scopes to request when authenticating to that MCP server.",
558 },
559 {
560 key: "mcp_servers.<id>.oauth_resource",
561 type: "string",
562 description:
563 "Optional RFC 8707 OAuth resource parameter to include during MCP login.",
564 },
565 {
566 key: "mcp_servers.<id>.experimental_environment",
567 type: "local | remote",
568 description:
569 "Experimental placement for an MCP server. `remote` starts stdio servers through a remote executor environment; streamable HTTP remote placement is not implemented.",
570 },
571 {
572 key: "agents.max_threads",
573 type: "number",
574 description:
575 "Maximum number of agent threads that can be open concurrently. Defaults to `6` when unset.",
576 },
577 {
578 key: "agents.max_depth",
579 type: "number",
580 description:
581 "Maximum nesting depth allowed for spawned agent threads (root sessions start at depth 0; default: 1).",
582 },
583 {
584 key: "agents.job_max_runtime_seconds",
585 type: "number",
586 description:
587 "Default per-worker timeout for `spawn_agents_on_csv` jobs. When unset, the tool falls back to 1800 seconds per worker.",
588 },
589 {
590 key: "agents.interrupt_message",
591 type: "boolean",
592 description:
593 "Record a model-visible message when an agent turn is interrupted (default: true).",
594 },
595 {
596 key: "agents.<name>.description",
597 type: "string",
598 description:
599 "Role guidance shown to Codex when choosing and spawning that agent type.",
600 },
601 {
602 key: "agents.<name>.config_file",
603 type: "string (path)",
604 description:
605 "Path to a TOML config layer for that role; relative paths resolve from the config file that declares the role.",
606 },
607 {
608 key: "agents.<name>.nickname_candidates",
609 type: "array<string>",
610 description:
611 "Optional pool of display nicknames for spawned agents in that role.",
612 },
613 {
614 key: "memories.generate_memories",
615 type: "boolean",
616 description:
617 "When `false`, newly created threads are not stored as memory-generation inputs. Defaults to `true`.",
618 },
619 {
620 key: "memories.use_memories",
621 type: "boolean",
622 description:
623 "When `false`, Codex skips injecting existing memories into future sessions. Defaults to `true`.",
624 },
625 {
626 key: "memories.disable_on_external_context",
627 type: "boolean",
628 description:
629 "When `true`, threads that use external context such as MCP tool calls, web search, or tool search are kept out of memory generation. Defaults to `false`. Legacy alias: `memories.no_memories_if_mcp_or_web_search`.",
630 },
631 {
632 key: "memories.max_raw_memories_for_consolidation",
633 type: "number",
634 description:
635 "Maximum recent raw memories retained for global consolidation. Defaults to `256` and is capped at `4096`.",
636 },
637 {
638 key: "memories.max_unused_days",
639 type: "number",
640 description:
641 "Maximum days since a memory was last used before it becomes ineligible for consolidation. Defaults to `30` and is clamped to `0`-`365`.",
642 },
643 {
644 key: "memories.max_rollout_age_days",
645 type: "number",
646 description:
647 "Maximum age of threads considered for memory generation. Defaults to `30` and is clamped to `0`-`90`.",
648 },
649 {
650 key: "memories.max_rollouts_per_startup",
651 type: "number",
652 description:
653 "Maximum rollout candidates processed per startup pass. Defaults to `16` and is capped at `128`.",
654 },
655 {
656 key: "memories.min_rollout_idle_hours",
657 type: "number",
658 description:
659 "Minimum idle time before a thread is considered for memory generation. Defaults to `6` and is clamped to `1`-`48`.",
660 },
661 {
662 key: "memories.min_rate_limit_remaining_percent",
663 type: "number",
664 description:
665 "Minimum remaining percentage required in Codex rate-limit windows before memory generation starts. Defaults to `25` and is clamped to `0`-`100`.",
666 },
667 {
668 key: "memories.extract_model",
669 type: "string",
670 description: "Optional model override for per-thread memory extraction.",
671 },
672 {
673 key: "memories.consolidation_model",
674 type: "string",
675 description: "Optional model override for global memory consolidation.",
676 },
677 {
678 key: "features.unified_exec",
679 type: "boolean",
680 description:
681 "Use the unified PTY-backed exec tool (stable; enabled by default except on Windows).",
682 },
683 {
684 key: "features.shell_snapshot",
685 type: "boolean",
686 description:
687 "Snapshot shell environment to speed up repeated commands (stable; on by default).",
688 },
689 {
690 key: "features.multi_agent",
691 type: "boolean",
692 description:
693 "Enable multi-agent collaboration tools (`spawn_agent`, `send_input`, `resume_agent`, `wait_agent`, and `close_agent`) (stable; on by default).",
694 },
695 {
696 key: "features.goals",
697 type: "boolean",
698 description:
699 "Enable persisted goals and automatic continuation (stable; on by default).",
700 },
701 {
702 key: "features.remote_plugin",
703 type: "boolean",
704 description: "Enable the remote plugin catalog (stable; on by default).",
705 },
706 {
707 key: "features.personality",
708 type: "boolean",
709 description:
710 "Enable personality selection controls (stable; on by default).",
711 },
712 {
713 key: "features.network_proxy",
714 type: "boolean | table",
715 description:
716 "Enable sandboxed networking. Use a table form when setting network policy options such as `domains` (experimental; off by default).",
717 },
718 {
719 key: "features.network_proxy.enabled",
720 type: "boolean",
721 description: "Enable sandboxed networking. Defaults to `false`.",
722 },
723 {
724 key: "features.network_proxy.domains",
725 type: "map<string, allow | deny>",
726 description:
727 "Domain policy for sandboxed networking. Unset by default, which means no external destinations are allowed until you add `allow` rules. Supports exact hosts, `*.example.com` for subdomains only, `**.example.com` for apex plus subdomains, and global `*` allow rules; prefer scoped rules because `*` broadly opens public outbound access. Add `deny` rules for blocked destinations; `deny` wins on conflicts.",
728 },
729 {
730 key: "features.network_proxy.unix_sockets",
731 type: "map<string, allow | deny>",
732 description:
733 "Unix socket policy for sandboxed networking. Unset by default; add `allow` entries for permitted sockets.",
734 },
735 {
736 key: "features.network_proxy.allow_local_binding",
737 type: "boolean",
738 description:
739 "Allow broader local/private-network access. Defaults to `false`; exact local IP literal or `localhost` allow rules can still permit specific local targets.",
740 },
741 {
742 key: "features.network_proxy.enable_socks5",
743 type: "boolean",
744 description: "Expose SOCKS5 support. Defaults to `true`.",
745 },
746 {
747 key: "features.network_proxy.enable_socks5_udp",
748 type: "boolean",
749 description: "Allow UDP over SOCKS5. Defaults to `true`.",
750 },
751 {
752 key: "features.network_proxy.allow_upstream_proxy",
753 type: "boolean",
754 description:
755 "Allow chaining through an upstream proxy from the environment. Defaults to `true`.",
756 },
757 {
758 key: "features.network_proxy.dangerously_allow_non_loopback_proxy",
759 type: "boolean",
760 description:
761 "Permit non-loopback listener addresses. Defaults to `false`; enabling it can expose proxy listeners beyond localhost.",
762 },
763 {
764 key: "features.network_proxy.dangerously_allow_all_unix_sockets",
765 type: "boolean",
766 description:
767 "Permit arbitrary Unix socket destinations instead of allowlist-only access. Defaults to `false`; use only in tightly controlled environments.",
768 },
769 {
770 key: "features.network_proxy.proxy_url",
771 type: "string",
772 description:
773 'HTTP listener URL for sandboxed networking. Defaults to `"http://127.0.0.1:3128"`.',
774 },
775 {
776 key: "features.network_proxy.socks_url",
777 type: "string",
778 description:
779 'SOCKS5 listener URL. Defaults to `"http://127.0.0.1:8081"`.',
780 },
781 {
782 key: "features.web_search",
783 type: "boolean",
784 description:
785 "Deprecated legacy toggle; prefer the top-level `web_search` setting.",
786 },
787 {
788 key: "features.web_search_cached",
789 type: "boolean",
790 description:
791 'Deprecated legacy toggle. When `web_search` is unset, true maps to `web_search = "cached"`.',
792 },
793 {
794 key: "features.web_search_request",
795 type: "boolean",
796 description:
797 'Deprecated legacy toggle. When `web_search` is unset, true maps to `web_search = "live"`.',
798 },
799 {
800 key: "features.shell_tool",
801 type: "boolean",
802 description:
803 "Enable the default `shell` tool for running commands (stable; on by default).",
804 },
805 {
806 key: "features.enable_request_compression",
807 type: "boolean",
808 description:
809 "Compress streaming request bodies with zstd when supported (stable; on by default).",
810 },
811 {
812 key: "features.skill_mcp_dependency_install",
813 type: "boolean",
814 description:
815 "Allow prompting and installing missing MCP dependencies for skills (stable; on by default).",
816 },
817 {
818 key: "features.fast_mode",
819 type: "boolean",
820 description:
821 "Enable model-catalog service tier selection in the TUI, including Fast-tier commands when the active model advertises them (stable; on by default).",
822 },
823 {
824 key: "features.prevent_idle_sleep",
825 type: "boolean",
826 description:
827 "Prevent the machine from sleeping while a turn is actively running (experimental; off by default).",
828 },
829 {
830 key: "suppress_unstable_features_warning",
831 type: "boolean",
832 description:
833 "Suppress the warning that appears when under-development feature flags are enabled.",
834 },
835 {
836 key: "model_providers.<id>",
837 type: "table",
838 description:
839 "Custom provider definition. Built-in provider IDs (`openai`, `ollama`, and `lmstudio`) are reserved and cannot be overridden.",
840 },
841 {
842 key: "model_providers.<id>.name",
843 type: "string",
844 description: "Display name for a custom model provider.",
845 },
846 {
847 key: "model_providers.<id>.base_url",
848 type: "string",
849 description: "API base URL for the model provider.",
850 },
851 {
852 key: "model_providers.<id>.env_key",
853 type: "string",
854 description: "Environment variable supplying the provider API key.",
855 },
856 {
857 key: "model_providers.<id>.env_key_instructions",
858 type: "string",
859 description: "Optional setup guidance for the provider API key.",
860 },
861 {
862 key: "model_providers.<id>.experimental_bearer_token",
863 type: "string",
864 description:
865 "Direct bearer token for the provider (discouraged; use `env_key`).",
866 },
867 {
868 key: "model_providers.<id>.requires_openai_auth",
869 type: "boolean",
870 description:
871 "The provider uses OpenAI authentication (defaults to false).",
872 },
873 {
874 key: "model_providers.<id>.wire_api",
875 type: "responses",
876 description:
877 "Protocol used by the provider. `responses` is the only supported value, and it is the default when omitted.",
878 },
879 {
880 key: "model_providers.<id>.query_params",
881 type: "map<string,string>",
882 description: "Extra query parameters appended to provider requests.",
883 },
884 {
885 key: "model_providers.<id>.http_headers",
886 type: "map<string,string>",
887 description: "Static HTTP headers added to provider requests.",
888 },
889 {
890 key: "model_providers.<id>.env_http_headers",
891 type: "map<string,string>",
892 description:
893 "HTTP headers populated from environment variables when present.",
894 },
895 {
896 key: "model_providers.<id>.request_max_retries",
897 type: "number",
898 description:
899 "Retry count for HTTP requests to the provider (default: 4).",
900 },
901 {
902 key: "model_providers.<id>.stream_max_retries",
903 type: "number",
904 description: "Retry count for SSE streaming interruptions (default: 5).",
905 },
906 {
907 key: "model_providers.<id>.stream_idle_timeout_ms",
908 type: "number",
909 description:
910 "Idle timeout for SSE streams in milliseconds (default: 300000).",
911 },
912 {
913 key: "model_providers.<id>.supports_websockets",
914 type: "boolean",
915 description:
916 "Whether that provider supports the Responses API WebSocket transport.",
917 },
918 {
919 key: "model_providers.<id>.auth",
920 type: "table",
921 description:
922 "Command-backed bearer token configuration for a custom provider. Do not combine with `env_key`, `experimental_bearer_token`, or `requires_openai_auth`.",
923 },
924 {
925 key: "model_providers.<id>.auth.command",
926 type: "string",
927 description:
928 "Command to run when Codex needs a bearer token. The command must print the token to stdout.",
929 },
930 {
931 key: "model_providers.<id>.auth.args",
932 type: "array<string>",
933 description: "Arguments passed to the token command.",
934 },
935 {
936 key: "model_providers.<id>.auth.timeout_ms",
937 type: "number",
938 description:
939 "Maximum token command runtime in milliseconds (default: 5000).",
940 },
941 {
942 key: "model_providers.<id>.auth.refresh_interval_ms",
943 type: "number",
944 description:
945 "How often Codex proactively refreshes the token in milliseconds (default: 300000). Set to `0` to refresh only after an authentication retry.",
946 },
947 {
948 key: "model_providers.<id>.auth.cwd",
949 type: "string (path)",
950 description: "Working directory for the token command.",
951 },
952 {
953 key: "model_providers.amazon-bedrock.aws.profile",
954 type: "string",
955 description:
956 "AWS profile name used by the built-in `amazon-bedrock` provider.",
957 },
958 {
959 key: "model_providers.amazon-bedrock.aws.region",
960 type: "string",
961 description: "AWS region used by the built-in `amazon-bedrock` provider.",
962 },
963 {
964 key: "model_reasoning_effort",
965 type: "minimal | low | medium | high | xhigh",
966 description:
967 "Adjust reasoning effort for supported models (Responses API only; `xhigh` is model-dependent).",
968 },
969 {
970 key: "plan_mode_reasoning_effort",
971 type: "none | minimal | low | medium | high | xhigh",
972 description:
973 "Plan-mode-specific reasoning override. When unset, Plan mode uses its built-in preset default.",
974 },
975 {
976 key: "model_reasoning_summary",
977 type: "auto | concise | detailed | none",
978 description:
979 "Select reasoning summary detail or disable summaries entirely.",
980 },
981 {
982 key: "model_verbosity",
983 type: "low | medium | high",
984 description:
985 "Optional GPT-5 Responses API verbosity override; when unset, the selected model/preset default is used.",
986 },
987 {
988 key: "model_supports_reasoning_summaries",
989 type: "boolean",
990 description: "Force Codex to send or not send reasoning metadata.",
991 },
992 {
993 key: "shell_environment_policy.inherit",
994 type: "all | core | none",
995 description:
996 "Baseline environment inheritance when spawning subprocesses.",
997 },
998 {
999 key: "shell_environment_policy.ignore_default_excludes",
1000 type: "boolean",
1001 description:
1002 "Keep variables containing KEY/SECRET/TOKEN before other filters run.",
1003 },
1004 {
1005 key: "shell_environment_policy.exclude",
1006 type: "array<string>",
1007 description:
1008 "Glob patterns for removing environment variables after the defaults.",
1009 },
1010 {
1011 key: "shell_environment_policy.include_only",
1012 type: "array<string>",
1013 description:
1014 "Whitelist of patterns; when set only matching variables are kept.",
1015 },
1016 {
1017 key: "shell_environment_policy.set",
1018 type: "map<string,string>",
1019 description:
1020 "Explicit environment overrides injected into every subprocess.",
1021 },
1022 {
1023 key: "shell_environment_policy.experimental_use_profile",
1024 type: "boolean",
1025 description: "Use the user shell profile when spawning subprocesses.",
1026 },
1027 {
1028 key: "project_root_markers",
1029 type: "array<string>",
1030 description:
1031 "List of project root marker filenames; used when searching parent directories for the project root.",
1032 },
1033 {
1034 key: "project_doc_max_bytes",
1035 type: "number",
1036 description:
1037 "Maximum bytes read from `AGENTS.md` when building project instructions.",
1038 },
1039 {
1040 key: "project_doc_fallback_filenames",
1041 type: "array<string>",
1042 description: "Additional filenames to try when `AGENTS.md` is missing.",
1043 },
1044 {
1045 key: "history.persistence",
1046 type: "save-all | none",
1047 description:
1048 "Control whether Codex saves session transcripts to history.jsonl.",
1049 },
1050 {
1051 key: "tool_output_token_limit",
1052 type: "number",
1053 description:
1054 "Token budget for storing individual tool/function outputs in history.",
1055 },
1056 {
1057 key: "background_terminal_max_timeout",
1058 type: "number",
1059 description:
1060 "Maximum poll window in milliseconds for empty `write_stdin` polls (background terminal polling). Default: `300000` (5 minutes). Replaces the older `background_terminal_timeout` key.",
1061 },
1062 {
1063 key: "history.max_bytes",
1064 type: "number",
1065 description:
1066 "If set, caps the history file size in bytes by dropping oldest entries.",
1067 },
1068 {
1069 key: "file_opener",
1070 type: "vscode | vscode-insiders | windsurf | cursor | none",
1071 description:
1072 "URI scheme used to open citations from Codex output (default: `vscode`).",
1073 },
1074 {
1075 key: "otel.environment",
1076 type: "string",
1077 description:
1078 "Environment tag applied to emitted OpenTelemetry events (default: `dev`).",
1079 },
1080 {
1081 key: "otel.exporter",
1082 type: "none | otlp-http | otlp-grpc",
1083 description:
1084 "Select the OpenTelemetry exporter and provide any endpoint metadata.",
1085 },
1086 {
1087 key: "otel.trace_exporter",
1088 type: "none | otlp-http | otlp-grpc",
1089 description:
1090 "Select the OpenTelemetry trace exporter and provide any endpoint metadata.",
1091 },
1092 {
1093 key: "otel.metrics_exporter",
1094 type: "none | statsig | otlp-http | otlp-grpc",
1095 description:
1096 "Select the OpenTelemetry metrics exporter (defaults to `statsig`).",
1097 },
1098 {
1099 key: "otel.log_user_prompt",
1100 type: "boolean",
1101 description:
1102 "Opt in to exporting raw user prompts with OpenTelemetry logs.",
1103 },
1104 {
1105 key: "otel.exporter.<id>.endpoint",
1106 type: "string",
1107 description: "Exporter endpoint for OTEL logs.",
1108 },
1109 {
1110 key: "otel.exporter.<id>.protocol",
1111 type: "binary | json",
1112 description: "Protocol used by the OTLP/HTTP exporter.",
1113 },
1114 {
1115 key: "otel.exporter.<id>.headers",
1116 type: "map<string,string>",
1117 description: "Static headers included with OTEL exporter requests.",
1118 },
1119 {
1120 key: "otel.trace_exporter.<id>.endpoint",
1121 type: "string",
1122 description: "Trace exporter endpoint for OTEL logs.",
1123 },
1124 {
1125 key: "otel.trace_exporter.<id>.protocol",
1126 type: "binary | json",
1127 description: "Protocol used by the OTLP/HTTP trace exporter.",
1128 },
1129 {
1130 key: "otel.trace_exporter.<id>.headers",
1131 type: "map<string,string>",
1132 description: "Static headers included with OTEL trace exporter requests.",
1133 },
1134 {
1135 key: "otel.exporter.<id>.tls.ca-certificate",
1136 type: "string",
1137 description: "CA certificate path for OTEL exporter TLS.",
1138 },
1139 {
1140 key: "otel.exporter.<id>.tls.client-certificate",
1141 type: "string",
1142 description: "Client certificate path for OTEL exporter TLS.",
1143 },
1144 {
1145 key: "otel.exporter.<id>.tls.client-private-key",
1146 type: "string",
1147 description: "Client private key path for OTEL exporter TLS.",
1148 },
1149 {
1150 key: "otel.trace_exporter.<id>.tls.ca-certificate",
1151 type: "string",
1152 description: "CA certificate path for OTEL trace exporter TLS.",
1153 },
1154 {
1155 key: "otel.trace_exporter.<id>.tls.client-certificate",
1156 type: "string",
1157 description: "Client certificate path for OTEL trace exporter TLS.",
1158 },
1159 {
1160 key: "otel.trace_exporter.<id>.tls.client-private-key",
1161 type: "string",
1162 description: "Client private key path for OTEL trace exporter TLS.",
1163 },
1164 {
1165 key: "tui",
1166 type: "table",
1167 description:
1168 "TUI-specific options such as enabling inline desktop notifications.",
1169 },
1170 {
1171 key: "tui.notifications",
1172 type: "boolean | array<string>",
1173 description:
1174 "Enable TUI notifications; optionally restrict to specific event types.",
1175 },
1176 {
1177 key: "tui.notification_method",
1178 type: "auto | osc9 | bel",
1179 description:
1180 "Notification method for terminal notifications (default: auto).",
1181 },
1182 {
1183 key: "tui.notification_condition",
1184 type: "unfocused | always",
1185 description:
1186 "Control whether TUI notifications fire only when the terminal is unfocused or regardless of focus. Defaults to `unfocused`.",
1187 },
1188 {
1189 key: "tui.animations",
1190 type: "boolean",
1191 description:
1192 "Enable terminal animations (welcome screen, shimmer, spinner) (default: true).",
1193 },
1194 {
1195 key: "tui.alternate_screen",
1196 type: "auto | always | never",
1197 description:
1198 "Control alternate screen usage for the TUI (default: auto; auto skips it in Zellij to preserve scrollback).",
1199 },
1200 {
1201 key: "tui.vim_mode_default",
1202 type: "boolean",
1203 description:
1204 "Start the composer in Vim normal mode instead of insert mode (default: false). You can still toggle it per session with `/vim`.",
1205 },
1206 {
1207 key: "tui.raw_output_mode",
1208 type: "boolean",
1209 description:
1210 "Start the TUI in raw scrollback mode for copy-friendly terminal selection (default: false). You can toggle it with `/raw` or the default `alt-r` key binding.",
1211 },
1212 {
1213 key: "tui.show_tooltips",
1214 type: "boolean",
1215 description:
1216 "Show onboarding tooltips in the TUI welcome screen (default: true).",
1217 },
1218 {
1219 key: "tui.status_line",
1220 type: "array<string> | null",
1221 description:
1222 "Ordered list of TUI footer status-line item identifiers. `null` disables the status line.",
1223 },
1224 {
1225 key: "tui.terminal_title",
1226 type: "array<string> | null",
1227 description:
1228 'Ordered list of terminal window/tab title item identifiers. Defaults to `["spinner", "project"]`; `null` disables title updates.',
1229 },
1230 {
1231 key: "tui.theme",
1232 type: "string",
1233 description:
1234 "Syntax-highlighting theme override (kebab-case theme name).",
1235 },
1236 {
1237 key: "tui.keymap.<context>.<action>",
1238 type: "string | array<string>",
1239 description:
1240 "Keyboard shortcut binding for a TUI action. Supported contexts include `global`, `chat`, `composer`, `editor`, `vim_normal`, `vim_operator`, `vim_text_object`, `pager`, `list`, and `approval`. Selected composer actions fall back to matching `tui.keymap.global` bindings; context-specific bindings take precedence when supported.",
1241 },
1242 {
1243 key: "tui.keymap.<context>.<action> = []",
1244 type: "empty array",
1245 description:
1246 "Unbind the action in that keymap context. Key names use normalized strings such as `ctrl-a`, `shift-enter`, `page-down`, or `minus`.",
1247 },
1248 {
1249 key: "plugins.<plugin>.mcp_servers.<server>.enabled",
1250 type: "boolean",
1251 description:
1252 "Enable or disable an MCP server bundled by an installed plugin without changing the plugin manifest.",
1253 },
1254 {
1255 key: "plugins.<plugin>.mcp_servers.<server>.default_tools_approval_mode",
1256 type: "auto | prompt | writes | approve",
1257 description:
1258 "Default approval behavior for tools on a plugin-provided MCP server.",
1259 },
1260 {
1261 key: "plugins.<plugin>.mcp_servers.<server>.enabled_tools",
1262 type: "array<string>",
1263 description:
1264 "Allow list of tools exposed from a plugin-provided MCP server.",
1265 },
1266 {
1267 key: "plugins.<plugin>.mcp_servers.<server>.disabled_tools",
1268 type: "array<string>",
1269 description:
1270 "Deny list applied after `enabled_tools` for a plugin-provided MCP server.",
1271 },
1272 {
1273 key: "plugins.<plugin>.mcp_servers.<server>.tools.<tool>.approval_mode",
1274 type: "auto | prompt | writes | approve",
1275 description:
1276 "Per-tool approval behavior override for a plugin-provided MCP tool.",
1277 },
1278 {
1279 key: "tui.model_availability_nux.<model>",
1280 type: "integer",
1281 description: "Internal startup-tooltip state keyed by model slug.",
1282 },
1283 {
1284 key: "hide_agent_reasoning",
1285 type: "boolean",
1286 description:
1287 "Suppress reasoning events in both the TUI and `codex exec` output.",
1288 },
1289 {
1290 key: "show_raw_agent_reasoning",
1291 type: "boolean",
1292 description:
1293 "Surface raw reasoning content when the active model emits it.",
1294 },
1295 {
1296 key: "disable_paste_burst",
1297 type: "boolean",
1298 description: "Disable burst-paste detection in the TUI.",
1299 },
1300 {
1301 key: "windows_wsl_setup_acknowledged",
1302 type: "boolean",
1303 description: "Track Windows onboarding acknowledgement (Windows only).",
1304 },
1305 {
1306 key: "chatgpt_base_url",
1307 type: "string",
1308 description: "Override the base URL used during the ChatGPT login flow.",
1309 },
1310 {
1311 key: "cli_auth_credentials_store",
1312 type: "file | keyring | auto",
1313 description:
1314 "Control where the CLI stores cached credentials (file-based auth.json vs OS keychain).",
1315 },
1316 {
1317 key: "mcp_oauth_credentials_store",
1318 type: "auto | file | keyring",
1319 description: "Preferred store for MCP OAuth credentials.",
1320 },
1321 {
1322 key: "mcp_oauth_callback_port",
1323 type: "integer",
1324 description:
1325 "Optional fixed port for the local HTTP callback server used during MCP OAuth login. When unset, Codex binds to an ephemeral port chosen by the OS.",
1326 },
1327 {
1328 key: "mcp_oauth_callback_url",
1329 type: "string",
1330 description:
1331 "Optional base callback URL override for MCP OAuth login (for example, a devbox ingress URL). Codex appends a server-specific callback ID before sending the final OAuth `redirect_uri`, so register the full derived URI with your provider. `mcp_oauth_callback_port` still controls the callback listener port.",
1332 },
1333 {
1334 key: "experimental_use_unified_exec_tool",
1335 type: "boolean",
1336 description:
1337 "Legacy name for enabling unified exec; prefer `[features].unified_exec` or `codex --enable unified_exec`.",
1338 },
1339 {
1340 key: "tools.web_search",
1341 type: 'boolean | { context_size = "low|medium|high", allowed_domains = [string], location = { country, region, city, timezone } }',
1342 description:
1343 "Optional web search tool configuration. The legacy boolean form is still accepted, but the object form lets you set search context size, allowed domains, and approximate user location.",
1344 },
1345 {
1346 key: "tools.view_image",
1347 type: "boolean",
1348 description: "Enable the local-image attachment tool `view_image`.",
1349 },
1350 {
1351 key: "web_search",
1352 type: "disabled | cached | indexed | live",
1353 description:
1354 'Web search mode (default: `"cached"`; cached uses an OpenAI-maintained index without external web access; indexed permits external access only when gated by the search index; if you use `--yolo` or another full access sandbox setting, it defaults to `"live"`). Use `"live"` for unrestricted live retrieval, or `"disabled"` to remove the tool.',
1355 },
1356 {
1357 key: "default_permissions",
1358 type: "string",
1359 description:
1360 "Name of the default permissions profile to apply to sandboxed tool calls. Built-ins are `:read-only`, `:workspace`, and `:danger-full-access`; custom profile names require matching `[permissions.<name>]` tables. Don't combine with `sandbox_mode` or `[sandbox_workspace_write]`.",
1361 },
1362 {
1363 key: "permissions.<name>.description",
1364 type: "string",
1365 description:
1366 "Human-readable description for this named profile. A profile does not inherit its parent's description through `extends`.",
1367 },
1368 {
1369 key: "permissions.<name>.extends",
1370 type: "string",
1371 description:
1372 "Optional parent profile applied before this named profile. Set it to another named profile, `:read-only`, or `:workspace`; `:danger-full-access`, undefined parents, and cycles are rejected.",
1373 },
1374 {
1375 key: "permissions.<name>.workspace_roots",
1376 type: "table",
1377 description:
1378 "Profile-defined workspace roots that receive `:workspace_roots` filesystem rules alongside the session's runtime workspace roots.",
1379 },
1380 {
1381 key: "permissions.<name>.workspace_roots.<path>",
1382 type: "boolean",
1383 description:
1384 "Opt a path into the profile's workspace root set when `true`. Disabled entries remain inactive.",
1385 },
1386 {
1387 key: "permissions.<name>.filesystem",
1388 type: "table",
1389 description:
1390 "Named filesystem permission profile. Each key is an absolute path or special token such as `:minimal` or `:workspace_roots`.",
1391 },
1392 {
1393 key: "permissions.<name>.filesystem.glob_scan_max_depth",
1394 type: "number",
1395 description:
1396 "Maximum depth for expanding deny-read glob patterns on platforms that snapshot matches before sandbox startup. Must be at least `1` when set.",
1397 },
1398 {
1399 key: "permissions.<name>.filesystem.<path-or-glob>",
1400 type: '"read" | "write" | "deny" | table',
1401 description:
1402 'Grant direct access for a path, glob pattern, or special token, or scope nested entries under that root. Use `"deny"` to deny reads for matching paths.',
1403 },
1404 {
1405 key: 'permissions.<name>.filesystem.":workspace_roots".<subpath-or-glob>',
1406 type: '"read" | "write" | "deny"',
1407 description:
1408 'Scoped filesystem access relative to each effective workspace root. Use `"."` for the root itself; glob subpaths such as `"**/*.env"` can deny reads with `"deny"`.',
1409 },
1410 {
1411 key: "permissions.<name>.network.enabled",
1412 type: "boolean",
1413 description:
1414 "Enable network access for this named permissions profile. This changes the sandbox network policy; it does not start the network proxy by itself.",
1415 },
1416 {
1417 key: "permissions.<name>.network.proxy_url",
1418 type: "string",
1419 description:
1420 "HTTP listener URL used when this permissions profile enables sandboxed networking.",
1421 },
1422 {
1423 key: "permissions.<name>.network.enable_socks5",
1424 type: "boolean",
1425 description:
1426 "Expose SOCKS5 support when this permissions profile enables sandboxed networking.",
1427 },
1428 {
1429 key: "permissions.<name>.network.socks_url",
1430 type: "string",
1431 description: "SOCKS5 proxy endpoint used by this permissions profile.",
1432 },
1433 {
1434 key: "permissions.<name>.network.enable_socks5_udp",
1435 type: "boolean",
1436 description: "Allow UDP over the SOCKS5 listener when enabled.",
1437 },
1438 {
1439 key: "permissions.<name>.network.allow_upstream_proxy",
1440 type: "boolean",
1441 description:
1442 "Allow sandboxed networking to chain through another upstream proxy.",
1443 },
1444 {
1445 key: "permissions.<name>.network.dangerously_allow_non_loopback_proxy",
1446 type: "boolean",
1447 description:
1448 "Permit non-loopback bind addresses for sandboxed networking listeners. Enabling it can expose listeners beyond localhost.",
1449 },
1450 {
1451 key: "permissions.<name>.network.dangerously_allow_all_unix_sockets",
1452 type: "boolean",
1453 description:
1454 "Allow arbitrary Unix socket destinations instead of the default restricted set. Use only in tightly controlled environments.",
1455 },
1456 {
1457 key: "permissions.<name>.network.mode",
1458 type: "limited | full",
1459 description: "Network proxy mode used for subprocess traffic.",
1460 },
1461 {
1462 key: "permissions.<name>.network.domains",
1463 type: "table",
1464 description:
1465 "Domain rules for sandboxed networking. Supports exact hosts, `*.example.com` for subdomains only, `**.example.com` for apex plus subdomains, and global `*` allow rules. `deny` wins on conflicts.",
1466 },
1467 {
1468 key: "permissions.<name>.network.domains.<pattern>",
1469 type: "allow | deny",
1470 description:
1471 "Allow or deny an exact host or scoped wildcard pattern such as `*.example.com` or `**.example.com`.",
1472 },
1473 {
1474 key: "permissions.<name>.network.unix_sockets",
1475 type: "table",
1476 description:
1477 "Unix socket allowlist overrides for sandboxed networking. Use socket paths as keys; `allow` adds a path, and `deny` rejects it.",
1478 },
1479 {
1480 key: "permissions.<name>.network.unix_sockets.<path>",
1481 type: "allow | deny",
1482 description:
1483 "Add an absolute Unix socket path to the effective allowlist with `allow`, or reject it with `deny`. Denied entries are omitted from the effective allowlist.",
1484 },
1485 {
1486 key: "permissions.<name>.network.allow_local_binding",
1487 type: "boolean",
1488 description:
1489 "Permit broader local/private-network access through sandboxed networking. Exact local IP literal or `localhost` allow rules can still permit specific local targets when this stays `false`.",
1490 },
1491 {
1492 key: "projects.<path>.trust_level",
1493 type: "string",
1494 description:
1495 'Mark a project or worktree as trusted or untrusted (`"trusted"` | `"untrusted"`). Untrusted projects skip project-scoped `.codex/` layers, including project-local config, hooks, and rules.',
1496 },
1497 {
1498 key: "notice.hide_full_access_warning",
1499 type: "boolean",
1500 description: "Track acknowledgement of the full access warning prompt.",
1501 },
1502 {
1503 key: "notice.hide_world_writable_warning",
1504 type: "boolean",
1505 description:
1506 "Track acknowledgement of the Windows world-writable directories warning.",
1507 },
1508 {
1509 key: "notice.hide_rate_limit_model_nudge",
1510 type: "boolean",
1511 description: "Track opt-out of the rate limit model switch reminder.",
1512 },
1513 {
1514 key: "notice.hide_gpt5_1_migration_prompt",
1515 type: "boolean",
1516 description: "Track acknowledgement of the GPT-5.1 migration prompt.",
1517 },
1518 {
1519 key: "notice.hide_gpt-5.1-codex-max_migration_prompt",
1520 type: "boolean",
1521 description:
1522 "Track acknowledgement of the gpt-5.1-codex-max migration prompt.",
1523 },
1524 {
1525 key: "notice.model_migrations",
1526 type: "map<string,string>",
1527 description: "Track acknowledged model migrations as old->new mappings.",
1528 },
1529 {
1530 key: "forced_login_method",
1531 type: "chatgpt | api",
1532 description: "Restrict Codex to a specific authentication method.",
1533 },
1534 {
1535 key: "forced_chatgpt_workspace_id",
1536 type: "string (uuid)",
1537 description: "Limit ChatGPT logins to a specific workspace identifier.",
1538 },
1539 ]}
1540 client:load
1541/>
1542
1543You can find the latest JSON schema for `config.toml` [here](https://learn.chatgpt.com/docs/config-schema.json).
1544
1545To get autocompletion and diagnostics when editing `config.toml` in VS Code or Cursor, you can install the [Even Better TOML](https://marketplace.visualstudio.com/items?itemName=tamasfe.even-better-toml) extension and add this line to the top of your `config.toml`:
1546
1547```toml
1548#:schema https://developers.openai.com/codex/config-schema.json
1549```
1550
1551Note: Rename `experimental_instructions_file` to `model_instructions_file`. Codex deprecates the old key; update existing configs to the new name.
1552
1553## `requirements.toml`
1554
1555`requirements.toml` is an admin-enforced configuration file that constrains security-sensitive settings users can't override. For details, locations, and examples, see [Admin-enforced requirements](https://learn.chatgpt.com/docs/enterprise/managed-configuration#admin-enforced-requirements-requirementstoml).
1556
1557For ChatGPT Business and Enterprise users, Codex can also apply cloud-fetched
1558requirements. See the security page for precedence details.
1559
1560Use `[features]` in `requirements.toml` to pin runtime feature flags by the same
1561canonical keys that `config.toml` uses. Requirements can also include documented
1562app-only keys that don't belong in `config.toml`. Omitted keys remain
1563unconstrained.
1564
1565Managed permission-profile allowlists require Codex 0.138.0 or later. Codex
15660.137.0 and earlier ignore `allowed_permission_profiles` and managed
1567`default_permissions`.
1568
1569Use `allowed_sandbox_modes` with `sandbox_mode`. For permission-profile
1570deployments, use `allowed_permission_profiles` with managed
1571`default_permissions`.
1572
1573The `[models.new_thread]` table supplies managed defaults, not enforcement.
1574Explicit launch choices from dedicated CLI flags or `--config` overrides take
1575precedence. An explicit model or reasoning-effort override skips both managed
1576model fields; `service_tier` is independent.
1577
1578<ConfigTable
1579 options={[
1580 {
1581 key: "allowed_approval_policies",
1582 type: "array<string>",
1583 description:
1584 "Allowed values for `approval_policy` (for example `untrusted`, `on-request`, `never`, and `granular`).",
1585 },
1586 {
1587 key: "allowed_approvals_reviewers",
1588 type: "array<string>",
1589 description:
1590 "Allowed values for `approvals_reviewer`, such as `user` and `auto_review`.",
1591 },
1592 {
1593 key: "guardian_policy_config",
1594 type: "string",
1595 description:
1596 "Managed Markdown policy instructions for automatic review. This takes precedence over local `[auto_review].policy`. Blank values are ignored.",
1597 },
1598 {
1599 key: "allowed_permission_profiles",
1600 type: "table<boolean>",
1601 description:
1602 "Complete list of allowed permission profiles. Profiles set to `true` are allowed. Profiles that are omitted or set to `false` are denied, including profiles added in future versions. When requirements sources are combined, entries are matched by profile name.",
1603 },
1604 {
1605 key: "allowed_permission_profiles.<name>",
1606 type: "boolean",
1607 description:
1608 "Allow or deny a built-in or custom permission profile defined in a loaded config or requirements source. A later, higher-precedence requirements source can use `false` to turn off a profile allowed by an earlier, lower-precedence source.",
1609 },
1610 {
1611 key: "default_permissions",
1612 type: "string",
1613 description:
1614 "Managed default permission profile. The profile must be allowed by `allowed_permission_profiles`. Set this explicitly for predictable behavior; if omitted, Codex defaults to `:workspace` only when both `:workspace` and `:read-only` are explicitly allowed.",
1615 },
1616 {
1617 key: "enforce_residency",
1618 type: "string",
1619 description:
1620 "Require Codex service traffic to use a supported data residency. Currently accepts `us`.",
1621 },
1622 {
1623 key: "models",
1624 type: "table",
1625 description:
1626 "Managed model defaults for new threads. These values take priority over user and project defaults, but an explicit selection for the new thread can override them.",
1627 },
1628 {
1629 key: "models.new_thread",
1630 type: "table",
1631 description:
1632 "Defaults to apply when a new local thread starts. Each model setting is optional.",
1633 },
1634 {
1635 key: "models.new_thread.model",
1636 type: "string",
1637 description:
1638 "Default model for new threads. An explicit `--model` or model/reasoning `--config` override takes precedence.",
1639 },
1640 {
1641 key: "models.new_thread.model_reasoning_effort",
1642 type: "string",
1643 description:
1644 "Default reasoning effort for new threads. An explicit model or reasoning-effort override skips both managed model fields.",
1645 },
1646 {
1647 key: "models.new_thread.service_tier",
1648 type: "string",
1649 description:
1650 "Default service tier for new threads. An explicit service-tier override takes precedence independently of the model fields.",
1651 },
1652 {
1653 key: "permissions",
1654 type: "table",
1655 description:
1656 "Admin-defined permission profiles keyed by profile name. Uses the same profile fields as `config.toml`.",
1657 },
1658 {
1659 key: "permissions.<name>",
1660 type: "table",
1661 description:
1662 "Admin-defined permission profile. The name can't start with `:`, use the reserved name `filesystem`, or duplicate a profile from a loaded config. Uses the same profile fields as `config.toml`; see the Permissions guide for the complete profile schema.",
1663 },
1664 {
1665 key: "allowed_sandbox_modes",
1666 type: "array<string>",
1667 description: "Allowed values for `sandbox_mode`.",
1668 },
1669 {
1670 key: "windows",
1671 type: "table",
1672 description: "Native Windows sandbox requirements.",
1673 },
1674 {
1675 key: "windows.allowed_sandbox_implementations",
1676 type: "array<string>",
1677 description:
1678 "Allowed native Windows sandbox implementations for `windows.sandbox` (`elevated` and `unelevated`). The list must not be empty. When both are allowed and no mode is selected, Codex prefers `elevated`.",
1679 },
1680 {
1681 key: "remote_sandbox_config",
1682 type: "array<table>",
1683 description:
1684 "Host-specific sandbox requirements. The first entry whose `hostname_patterns` match the resolved host name overrides top-level `allowed_sandbox_modes` for that requirements source. Host-specific entries currently override sandbox modes only.",
1685 },
1686 {
1687 key: "remote_sandbox_config[].hostname_patterns",
1688 type: "array<string>",
1689 description:
1690 "Case-insensitive host name patterns. Supports `*` for any sequence of characters and `?` for one character.",
1691 },
1692 {
1693 key: "remote_sandbox_config[].allowed_sandbox_modes",
1694 type: "array<string>",
1695 description:
1696 "Allowed sandbox modes to apply when this host-specific entry matches.",
1697 },
1698 {
1699 key: "allowed_web_search_modes",
1700 type: "array<string>",
1701 description:
1702 "Allowed values for `web_search` (`disabled`, `cached`, `indexed`, `live`). `disabled` is always allowed; an empty list effectively allows only `disabled`.",
1703 },
1704 {
1705 key: "allow_managed_hooks_only",
1706 type: "boolean",
1707 description:
1708 "When `true`, Codex skips user, project, session, and plugin hooks while still allowing managed hooks from `requirements.toml` and other managed config layers.",
1709 },
1710 {
1711 key: "allow_appshots",
1712 type: "boolean",
1713 description:
1714 "Set to `false` to disable Appshots for managed users. If omitted, Appshots remain unconstrained by requirements and follow normal product availability.",
1715 },
1716 {
1717 key: "allow_remote_control",
1718 type: "boolean",
1719 description:
1720 "Set to `false` to disable device remote control for managed users. If omitted, device remote control remains unconstrained by requirements and follows normal product availability.",
1721 },
1722 {
1723 key: "features.plugin_sharing",
1724 type: "boolean",
1725 description:
1726 "Set to `false` in cloud-managed `requirements.toml` to disable workspace sharing for locally built plugins.",
1727 },
1728 {
1729 key: "features",
1730 type: "table",
1731 description:
1732 "Pinned feature values. Use canonical names from `config.toml` for runtime features; documented app-only requirement keys are also supported here.",
1733 },
1734 {
1735 key: "features.<name>",
1736 type: "boolean",
1737 description:
1738 "Require a documented runtime or app feature to stay enabled or disabled.",
1739 },
1740 {
1741 key: "features.apps",
1742 type: "boolean",
1743 description:
1744 "Pin Apps integration availability on or off for managed users.",
1745 },
1746 {
1747 key: "features.in_app_browser",
1748 type: "boolean",
1749 description:
1750 "Set to `false` in `requirements.toml` to disable the built-in browser pane.",
1751 },
1752 {
1753 key: "features.browser_use",
1754 type: "boolean",
1755 description:
1756 "Set to `false` in `requirements.toml` to disable Computer Use in browsers and Browser Agent availability.",
1757 },
1758 {
1759 key: "features.browser_use_external",
1760 type: "boolean",
1761 description:
1762 "Set to `false` in `requirements.toml` to disable Computer Use in external browsers.",
1763 },
1764 {
1765 key: "features.browser_use_full_cdp_access",
1766 type: "boolean",
1767 description:
1768 "Set to `false` in `requirements.toml` to disable full Chrome DevTools Protocol access in the local runtime, including Browser Developer mode, and prevent the ChatGPT desktop app from enabling the corresponding setting. If omitted, normal product availability applies.",
1769 },
1770 {
1771 key: "features.fast_mode",
1772 type: "boolean",
1773 description:
1774 "Pin the canonical `fast_mode` feature on or off for managed users.",
1775 },
1776 {
1777 key: "features.guardian_approval",
1778 type: "boolean",
1779 description:
1780 "Pin Guardian approval availability on or off for managed users.",
1781 },
1782 {
1783 key: "features.memories",
1784 type: "boolean",
1785 description: "Pin Memories availability on or off for managed users.",
1786 },
1787 {
1788 key: "features.multi_agent",
1789 type: "boolean",
1790 description: "Pin multi-agent availability on or off for managed users.",
1791 },
1792 {
1793 key: "features.plugins",
1794 type: "boolean",
1795 description: "Pin plugin availability on or off for managed users.",
1796 },
1797 {
1798 key: "features.remote_plugin",
1799 type: "boolean",
1800 description:
1801 "Pin remote plugin catalog availability on or off for managed users.",
1802 },
1803 {
1804 key: "features.computer_use",
1805 type: "boolean",
1806 description:
1807 "Set to `false` in `requirements.toml` to disable Computer Use, Record & Replay, and related install or enablement flows.",
1808 },
1809 {
1810 key: "features.workspace_dependencies",
1811 type: "boolean",
1812 description:
1813 "Pin bundled workspace-dependency runtime availability on or off for managed users.",
1814 },
1815 {
1816 key: "computer_use",
1817 type: "table",
1818 description:
1819 "Computer Use requirements enforced from `requirements.toml`.",
1820 },
1821 {
1822 key: "computer_use.allow_locked_computer_use",
1823 type: "boolean",
1824 description:
1825 "Set to `false` to prevent Computer Use from operating after a managed macOS device locks. If omitted, locked use remains unconstrained by requirements.",
1826 },
1827 {
1828 key: "experimental_network",
1829 type: "table",
1830 description:
1831 "Network access requirements enforced from `requirements.toml`. These constraints are separate from `features.network_proxy` and can configure sandboxed networking without the user feature flag.",
1832 },
1833 {
1834 key: "experimental_network.enabled",
1835 type: "boolean",
1836 description:
1837 "Enable sandboxed networking requirements. This does not grant network access when the active sandbox keeps command networking off.",
1838 },
1839 {
1840 key: "experimental_network.http_port",
1841 type: "integer",
1842 description:
1843 "Loopback HTTP listener port to use for `[experimental_network]` requirements.",
1844 },
1845 {
1846 key: "experimental_network.socks_port",
1847 type: "integer",
1848 description:
1849 "Loopback SOCKS5 listener port to use for `[experimental_network]` requirements.",
1850 },
1851 {
1852 key: "experimental_network.allow_upstream_proxy",
1853 type: "boolean",
1854 description:
1855 "Allow sandboxed networking to chain through an upstream proxy from the environment.",
1856 },
1857 {
1858 key: "experimental_network.dangerously_allow_non_loopback_proxy",
1859 type: "boolean",
1860 description:
1861 "Permit non-loopback listener addresses for `[experimental_network]` requirements. Enabling it can expose listeners beyond localhost.",
1862 },
1863 {
1864 key: "experimental_network.dangerously_allow_all_unix_sockets",
1865 type: "boolean",
1866 description:
1867 "Permit arbitrary Unix socket destinations instead of allowlist-only access. Use only in tightly controlled environments.",
1868 },
1869 {
1870 key: "experimental_network.domains",
1871 type: "map<string, allow | deny>",
1872 description:
1873 "Map-shaped administrator domain policy for sandboxed networking. Supports exact hosts, `*.example.com` for subdomains only, `**.example.com` for apex plus subdomains, and global `*` allow rules; prefer scoped rules because `*` broadly opens public outbound access. `deny` wins on conflicts. Do not combine this with `experimental_network.allowed_domains` or `experimental_network.denied_domains`.",
1874 },
1875 {
1876 key: "experimental_network.allowed_domains",
1877 type: "array<string>",
1878 description:
1879 "List-shaped administrator allow rules for sandboxed networking. Do not combine this with `experimental_network.domains`.",
1880 },
1881 {
1882 key: "experimental_network.denied_domains",
1883 type: "array<string>",
1884 description:
1885 "List-shaped administrator deny rules for sandboxed networking. Do not combine this with `experimental_network.domains`.",
1886 },
1887 {
1888 key: "experimental_network.managed_allowed_domains_only",
1889 type: "boolean",
1890 description:
1891 "When `true`, only administrator-managed allow rules remain effective while sandboxed networking requirements are active; user allowlist additions are ignored. Without managed allow rules, user-added domain allow rules do not remain effective.",
1892 },
1893 {
1894 key: "experimental_network.unix_sockets",
1895 type: "map<string, allow | deny>",
1896 description:
1897 "Administrator-managed Unix socket policy for sandboxed networking.",
1898 },
1899 {
1900 key: "experimental_network.allow_local_binding",
1901 type: "boolean",
1902 description:
1903 "Permit broader local/private-network access for sandboxed networking. Exact local IP literal or `localhost` allow rules can still permit specific local targets when this stays `false`.",
1904 },
1905 {
1906 key: "hooks",
1907 type: "table",
1908 description:
1909 "Admin-enforced managed lifecycle hooks. Requires a managed hook directory and uses the same event schema as inline `[hooks]` in `config.toml`.",
1910 },
1911 {
1912 key: "hooks.managed_dir",
1913 type: "string (absolute path)",
1914 description:
1915 "Directory containing managed hook scripts on macOS and Linux. Codex validates that it is absolute and exists before loading managed hooks.",
1916 },
1917 {
1918 key: "hooks.windows_managed_dir",
1919 type: "string (absolute path)",
1920 description:
1921 "Directory containing managed hook scripts on Windows. Codex validates that it is absolute and exists before loading managed hooks.",
1922 },
1923 {
1924 key: "hooks.<Event>",
1925 type: "array<table>",
1926 description:
1927 "Matcher groups for a hook event such as `PreToolUse`, `PermissionRequest`, `PostToolUse`, `PreCompact`, `PostCompact`, `SessionStart`, `SubagentStart`, `SubagentStop`, `UserPromptSubmit`, or `Stop`.",
1928 },
1929 {
1930 key: "hooks.<Event>[].hooks",
1931 type: "array<table>",
1932 description:
1933 "Hook handlers for a matcher group. Command hooks are currently supported; prompt and agent hook handlers are parsed but skipped.",
1934 },
1935 {
1936 key: "hooks.<Event>[].hooks[].commandWindows",
1937 type: "string",
1938 description:
1939 "Windows-only command override for command hooks. The TOML alias `command_windows` is also accepted.",
1940 },
1941 {
1942 key: "permissions.filesystem.deny_read",
1943 type: "array<string>",
1944 description:
1945 "Admin-enforced filesystem read denials. Entries can be paths or glob patterns, and users cannot weaken them with local config.",
1946 },
1947 {
1948 key: "mcp_servers",
1949 type: "table",
1950 description:
1951 "Allowlist of MCP servers that may be enabled. Both the server name (`<id>`) and its identity must match for the MCP server to be enabled. Any configured MCP server not in the allowlist (or with a mismatched identity) is disabled.",
1952 },
1953 {
1954 key: "mcp_servers.<id>.identity",
1955 type: "table",
1956 description:
1957 "Identity rule for a single MCP server. Set either `command` (stdio) or `url` (streamable HTTP).",
1958 },
1959 {
1960 key: "mcp_servers.<id>.identity.command",
1961 type: "string | table",
1962 description:
1963 "Allow an MCP stdio server by exact command string, or use a matcher table to require an exact executable and ordered argument matchers. The string form doesn't inspect arguments, `cwd`, `env`, or `env_vars`.",
1964 },
1965 {
1966 key: "mcp_servers.<id>.identity.command.executable",
1967 type: "string",
1968 description:
1969 "Executable that the stdio server's configured `command` must match exactly.",
1970 },
1971 {
1972 key: "mcp_servers.<id>.identity.command.args",
1973 type: "array<table>",
1974 description:
1975 "Ordered argument matchers for a stdio server. The configured argument list must have the same length, and every position must match. Command matchers don't inspect `cwd`, `env`, or `env_vars`.",
1976 },
1977 {
1978 key: "mcp_servers.<id>.identity.command.args[].match",
1979 type: "exact | prefix | regex",
1980 description: "Match operation for this argument position.",
1981 },
1982 {
1983 key: "mcp_servers.<id>.identity.command.args[].value",
1984 type: "string",
1985 description: "Value used by an `exact` or `prefix` argument matcher.",
1986 },
1987 {
1988 key: "mcp_servers.<id>.identity.command.args[].expression",
1989 type: "string",
1990 description:
1991 "Regular expression used by a `regex` argument matcher. The expression must be valid and match the complete argument value.",
1992 },
1993 {
1994 key: "mcp_servers.<id>.identity.url",
1995 type: "string | table",
1996 description:
1997 "Allow an MCP streamable HTTP server by exact URL string, or use an `exact`, `prefix`, or `regex` value matcher table.",
1998 },
1999 {
2000 key: "mcp_servers.<id>.identity.url.match",
2001 type: "exact | prefix | regex",
2002 description: "Match operation for the configured MCP server URL.",
2003 },
2004 {
2005 key: "mcp_servers.<id>.identity.url.value",
2006 type: "string",
2007 description: "Value used by an `exact` or `prefix` URL matcher.",
2008 },
2009 {
2010 key: "mcp_servers.<id>.identity.url.expression",
2011 type: "string",
2012 description:
2013 "Regular expression used by a `regex` URL matcher. The expression must be valid and match the complete URL value.",
2014 },
2015 {
2016 key: "plugins",
2017 type: "table",
2018 description:
2019 "Plugin-specific MCP server allowlists keyed by plugin identifier. When this table is present, plugin-bundled servers without a matching plugin and server entry are disabled.",
2020 },
2021 {
2022 key: "plugins.<plugin>.mcp_servers",
2023 type: "table",
2024 description:
2025 "Allowlist for MCP servers bundled with one plugin. Plugin server requirements use the same exact identity and matcher forms as top-level `mcp_servers` requirements.",
2026 },
2027 {
2028 key: "plugins.<plugin>.mcp_servers.<server>.identity",
2029 type: "table",
2030 description:
2031 "Identity rule for one plugin-bundled MCP server. Set either `command` (stdio) or `url` (streamable HTTP).",
2032 },
2033 {
2034 key: "plugins.<plugin>.mcp_servers.<server>.identity.command",
2035 type: "string | table",
2036 description:
2037 "Allow a plugin's stdio MCP server by exact command string, or use a matcher table to require an exact executable and ordered argument matchers.",
2038 },
2039 {
2040 key: "plugins.<plugin>.mcp_servers.<server>.identity.command.executable",
2041 type: "string",
2042 description:
2043 "Executable that the plugin-bundled stdio server's configured command must match exactly.",
2044 },
2045 {
2046 key: "plugins.<plugin>.mcp_servers.<server>.identity.command.args",
2047 type: "array<table>",
2048 description:
2049 "Ordered argument matchers for a plugin-bundled stdio server. The configured argument list must have the same length, and every position must match.",
2050 },
2051 {
2052 key: "plugins.<plugin>.mcp_servers.<server>.identity.command.args[].match",
2053 type: "exact | prefix | regex",
2054 description: "Match operation for this argument position.",
2055 },
2056 {
2057 key: "plugins.<plugin>.mcp_servers.<server>.identity.command.args[].value",
2058 type: "string",
2059 description: "Value used by an `exact` or `prefix` argument matcher.",
2060 },
2061 {
2062 key: "plugins.<plugin>.mcp_servers.<server>.identity.command.args[].expression",
2063 type: "string",
2064 description:
2065 "Regular expression used by a `regex` argument matcher. The expression must match the complete argument value.",
2066 },
2067 {
2068 key: "plugins.<plugin>.mcp_servers.<server>.identity.url",
2069 type: "string | table",
2070 description:
2071 "Allow a plugin's streamable HTTP MCP server by exact URL string, or use an `exact`, `prefix`, or `regex` value matcher table.",
2072 },
2073 {
2074 key: "plugins.<plugin>.mcp_servers.<server>.identity.url.match",
2075 type: "exact | prefix | regex",
2076 description: "Match operation for the plugin-bundled MCP server URL.",
2077 },
2078 {
2079 key: "plugins.<plugin>.mcp_servers.<server>.identity.url.value",
2080 type: "string",
2081 description: "Value used by an `exact` or `prefix` URL matcher.",
2082 },
2083 {
2084 key: "plugins.<plugin>.mcp_servers.<server>.identity.url.expression",
2085 type: "string",
2086 description:
2087 "Regular expression used by a `regex` URL matcher. The expression must match the complete URL value.",
2088 },
2089 {
2090 key: "marketplaces",
2091 type: "table",
2092 description:
2093 "Admin requirements for plugin marketplace sources. Rules take effect when `restrict_to_allowed_sources` is `true`.",
2094 },
2095 {
2096 key: "marketplaces.restrict_to_allowed_sources",
2097 type: "boolean",
2098 description:
2099 "When `true`, require user-configured marketplace sources to match `allowed_sources` for marketplace add, plugin install, and configured Git marketplace refresh operations. Codex-managed OpenAI marketplaces remain allowed when their reserved source and name match. This doesn't filter already configured user marketplaces at runtime.",
2100 },
2101 {
2102 key: "marketplaces.allowed_sources",
2103 type: "table",
2104 description:
2105 "Allowed marketplace sources keyed by administrator-chosen rule name. Distinct names accumulate across requirements layers; fields under the same name use normal layer precedence.",
2106 },
2107 {
2108 key: "marketplaces.allowed_sources.<name>",
2109 type: "table",
2110 description:
2111 "One allowed source rule. The final `source` value after requirements merge determines which sibling fields Codex interprets.",
2112 },
2113 {
2114 key: "marketplaces.allowed_sources.<name>.source",
2115 type: "git | host_pattern | local",
2116 description:
2117 "Marketplace source matcher type. Use `git` for one repository, `host_pattern` for Git hosts matched by regular expression, or `local` for one directory.",
2118 },
2119 {
2120 key: "marketplaces.allowed_sources.<name>.url",
2121 type: "string",
2122 description:
2123 'Git repository URL required when `source = "git"`. Codex normalizes the configured and allowed URLs before requiring an exact repository match.',
2124 },
2125 {
2126 key: "marketplaces.allowed_sources.<name>.ref",
2127 type: "string",
2128 description:
2129 "Optional exact Git ref for a `git` rule. When omitted, the rule allows any ref for the matching repository.",
2130 },
2131 {
2132 key: "marketplaces.allowed_sources.<name>.host_pattern",
2133 type: "string",
2134 description:
2135 'Regular expression required when `source = "host_pattern"`. Codex matches it against the lowercase hostname parsed from an HTTPS, SSH, or SCP-style Git source. Use `^` and `$` to require a whole-host match.',
2136 },
2137 {
2138 key: "marketplaces.allowed_sources.<name>.path",
2139 type: "string (absolute path)",
2140 description:
2141 'Local marketplace directory required when `source = "local"`. Codex requires an absolute path and compares paths after normalization.',
2142 },
2143 {
2144 key: "apps",
2145 type: "table",
2146 description:
2147 "Managed app requirements keyed by app identifier. Requirements can disable an app or constrain approval behavior for individual tools.",
2148 },
2149 {
2150 key: "apps.<id>.enabled",
2151 type: "boolean",
2152 description:
2153 "Set to `false` to disable an app. A disabled requirement remains restrictive when multiple requirements sources are merged.",
2154 },
2155 {
2156 key: "apps.<id>.tools.<tool>.approval_mode",
2157 type: "auto | prompt | writes | approve",
2158 description: "Set the managed approval mode for one app tool.",
2159 },
2160 {
2161 key: "rules",
2162 type: "table",
2163 description:
2164 "Admin-enforced command rules merged with `.rules` files. Requirements rules must be restrictive.",
2165 },
2166 {
2167 key: "rules.prefix_rules",
2168 type: "array<table>",
2169 description:
2170 "List of enforced prefix rules. Each rule must include `pattern` and `decision`.",
2171 },
2172 {
2173 key: "rules.prefix_rules[].pattern",
2174 type: "array<table>",
2175 description:
2176 "Command prefix expressed as pattern tokens. Each token sets either `token` or `any_of`.",
2177 },
2178 {
2179 key: "rules.prefix_rules[].pattern[].token",
2180 type: "string",
2181 description: "A single literal token at this position.",
2182 },
2183 {
2184 key: "rules.prefix_rules[].pattern[].any_of",
2185 type: "array<string>",
2186 description: "A list of allowed alternative tokens at this position.",
2187 },
2188 {
2189 key: "rules.prefix_rules[].decision",
2190 type: "prompt | forbidden",
2191 description:
2192 "Required. Requirements rules can only prompt or forbid (not allow).",
2193 },
2194 {
2195 key: "rules.prefix_rules[].justification",
2196 type: "string",
2197 description:
2198 "Optional non-empty rationale surfaced in approval prompts or rejection messages.",
2199 },
2200 ]}
2201 client:load
2202/>