cli/reference diff

cli/reference.md +415 −38

Details

~~23| `--full-auto` | `boolean` | Shortcut for low-friction local work: sets `--ask-for-approval on-request` and `--sandbox workspace-write`. |~~

27| `--oss` | `boolean` | Use the local open source model provider (equivalent to `-c model_provider="oss"`). Validates that Ollama is running. |26| `--oss` | `boolean` | Use the local open source model provider (equivalent to `-c model_provider="oss"`). Validates that Ollama is running. |

28| `--remote` | `ws://host:port | wss://host:port` | Connect the interactive TUI to a remote app-server WebSocket endpoint. Supported for `codex`, `codex resume`, and `codex fork`; other subcommands reject remote mode. |

29| `--remote-auth-token-env` | `ENV_VAR` | Read a bearer token from this environment variable and send it when connecting with `--remote`. Requires `--remote`; tokens are only sent over `wss://` URLs or `ws://` URLs whose host is `localhost`, `127.0.0.1`, or `::1`. |

116 117

117Key118Key

118 119

119`--full-auto`

~~120~~

121Type / Values

~~122~~

123`boolean`

~~124~~

125Details

~~126~~

127Shortcut for low-friction local work: sets `--ask-for-approval on-request` and `--sandbox workspace-write`.

~~128~~

129Key

~~130~~

131`--image, -i`120`--image, -i`

132 121

133Type / Values122Type / Values

148 137

149Details138Details

150 139

151Override the model set in configuration (for example `gpt-5-codex`).140Override the model set in configuration (for example `gpt-5.4`).

152 141

153Key142Key

154 143

188 177

189Key178Key

190 179

180`--remote`

181

182Type / Values

183

184`ws://host:port | wss://host:port`

185

186Details

187

188Connect the interactive TUI to a remote app-server WebSocket endpoint. Supported for `codex`, `codex resume`, and `codex fork`; other subcommands reject remote mode.

189

190Key

191

192`--remote-auth-token-env`

193

194Type / Values

195

196`ENV_VAR`

197

198Details

199

200Read a bearer token from this environment variable and send it when connecting with `--remote`. Requires `--remote`; tokens are only sent over `wss://` URLs or `ws://` URLs whose host is `localhost`, `127.0.0.1`, or `::1`.

201

202Key

203

191`--sandbox, -s`204`--sandbox, -s`

192 205

193Type / Values206Type / Values

236| Key | Maturity | Details |249| Key | Maturity | Details |

237| --- | --- | --- |250| --- | --- | --- |

238| [`codex`](https://developers.openai.com/codex/cli/reference#codex-interactive) | Stable | Launch the terminal UI. Accepts the global flags above plus an optional prompt or image attachments. |251| [`codex`](https://developers.openai.com/codex/cli/reference#codex-interactive) | Stable | Launch the terminal UI. Accepts the global flags above plus an optional prompt or image attachments. |

239| [`codex app`](https://developers.openai.com/codex/cli/reference#codex-app) | Stable | Launch the Codex desktop app on macOS, optionally opening a specific workspace path. |252| [`codex app`](https://developers.openai.com/codex/cli/reference#codex-app) | Stable | Launch the Codex desktop app on macOS or Windows. On macOS, Codex can open a workspace path; on Windows, Codex prints the path to open. |

240| [`codex app-server`](https://developers.openai.com/codex/cli/reference#codex-app-server) | Experimental | Launch the Codex app server for local development or debugging. |253| [`codex app-server`](https://developers.openai.com/codex/cli/reference#codex-app-server) | Experimental | Launch the Codex app server for local development or debugging. |

241| [`codex apply`](https://developers.openai.com/codex/cli/reference#codex-apply) | Stable | Apply the latest diff generated by a Codex Cloud task to your local working tree. Alias: `codex a`. |254| [`codex apply`](https://developers.openai.com/codex/cli/reference#codex-apply) | Stable | Apply the latest diff generated by a Codex Cloud task to your local working tree. Alias: `codex a`. |

242| [`codex cloud`](https://developers.openai.com/codex/cli/reference#codex-cloud) | Experimental | Browse or execute Codex Cloud tasks from the terminal without opening the TUI. Alias: `codex cloud-tasks`. |255| [`codex cloud`](https://developers.openai.com/codex/cli/reference#codex-cloud) | Experimental | Browse or execute Codex Cloud tasks from the terminal without opening the TUI. Alias: `codex cloud-tasks`. |

243| [`codex completion`](https://developers.openai.com/codex/cli/reference#codex-completion) | Stable | Generate shell completion scripts for Bash, Zsh, Fish, or PowerShell. |256| [`codex completion`](https://developers.openai.com/codex/cli/reference#codex-completion) | Stable | Generate shell completion scripts for Bash, Zsh, Fish, or PowerShell. |

244| [`codex debug app-server send-message-v2`](https://developers.openai.com/codex/cli/reference#codex-debug-app-server-send-message-v2) | Experimental | Debug app-server by sending a single V2 message through the built-in test client. |257| [`codex debug app-server send-message-v2`](https://developers.openai.com/codex/cli/reference#codex-debug-app-server-send-message-v2) | Experimental | Debug app-server by sending a single V2 message through the built-in test client. |

258| [`codex debug models`](https://developers.openai.com/codex/cli/reference#codex-debug-models) | Experimental | Print the raw model catalog Codex sees, including an option to inspect only the bundled catalog. |

245| [`codex exec`](https://developers.openai.com/codex/cli/reference#codex-exec) | Stable | Run Codex non-interactively. Alias: `codex e`. Stream results to stdout or JSONL and optionally resume previous sessions. |259| [`codex exec`](https://developers.openai.com/codex/cli/reference#codex-exec) | Stable | Run Codex non-interactively. Alias: `codex e`. Stream results to stdout or JSONL and optionally resume previous sessions. |

246| [`codex execpolicy`](https://developers.openai.com/codex/cli/reference#codex-execpolicy) | Experimental | Evaluate execpolicy rule files and see whether a command would be allowed, prompted, or blocked. |260| [`codex execpolicy`](https://developers.openai.com/codex/cli/reference#codex-execpolicy) | Experimental | Evaluate execpolicy rule files and see whether a command would be allowed, prompted, or blocked. |

247| [`codex features`](https://developers.openai.com/codex/cli/reference#codex-features) | Stable | List feature flags and persistently enable or disable them in `config.toml`. |261| [`codex features`](https://developers.openai.com/codex/cli/reference#codex-features) | Stable | List feature flags and persistently enable or disable them in `config.toml`. |

251| [`codex mcp`](https://developers.openai.com/codex/cli/reference#codex-mcp) | Experimental | Manage Model Context Protocol servers (list, add, remove, authenticate). |265| [`codex mcp`](https://developers.openai.com/codex/cli/reference#codex-mcp) | Experimental | Manage Model Context Protocol servers (list, add, remove, authenticate). |

252| [`codex mcp-server`](https://developers.openai.com/codex/cli/reference#codex-mcp-server) | Experimental | Run Codex itself as an MCP server over stdio. Useful when another agent consumes Codex. |266| [`codex mcp-server`](https://developers.openai.com/codex/cli/reference#codex-mcp-server) | Experimental | Run Codex itself as an MCP server over stdio. Useful when another agent consumes Codex. |

267| [`codex plugin marketplace`](https://developers.openai.com/codex/cli/reference#codex-plugin-marketplace) | Experimental | Add, upgrade, or remove plugin marketplaces from Git or local sources. |

253| [`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume) | Stable | Continue a previous interactive session by ID or resume the most recent conversation. |268| [`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume) | Stable | Continue a previous interactive session by ID or resume the most recent conversation. |

254| [`codex sandbox`](https://developers.openai.com/codex/cli/reference#codex-sandbox) | Experimental | Run arbitrary commands inside Codex-provided macOS seatbelt or Linux sandboxes (Landlock by default, optional bubblewrap pipeline). |269| [`codex sandbox`](https://developers.openai.com/codex/cli/reference#codex-sandbox) | Experimental | Run arbitrary commands inside Codex-provided macOS, Linux, or Windows sandboxes. |

270| [`codex update`](https://developers.openai.com/codex/cli/reference#codex-update) | Stable | Check for and apply a Codex CLI update when the installed release supports self-update. |

255 271

256Key272Key

257 273

275 291

276Details292Details

277 293

278Launch the Codex desktop app on macOS, optionally opening a specific workspace path.294Launch the Codex desktop app on macOS or Windows. On macOS, Codex can open a workspace path; on Windows, Codex prints the path to open.

279 295

280Key296Key

281 297

339 355

340Key356Key

341 357

358[`codex debug models`](https://developers.openai.com/codex/cli/reference#codex-debug-models)

359

360Maturity

361

362Experimental

363

364Details

365

366Print the raw model catalog Codex sees, including an option to inspect only the bundled catalog.

367

368Key

369

342[`codex exec`](https://developers.openai.com/codex/cli/reference#codex-exec)370[`codex exec`](https://developers.openai.com/codex/cli/reference#codex-exec)

343 371

344Maturity372Maturity

435 463

436Key464Key

437 465

466[`codex plugin marketplace`](https://developers.openai.com/codex/cli/reference#codex-plugin-marketplace)

467

468Maturity

469

470Experimental

471

472Details

473

474Add, upgrade, or remove plugin marketplaces from Git or local sources.

475

476Key

477

438[`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume)478[`codex resume`](https://developers.openai.com/codex/cli/reference#codex-resume)

439 479

440Maturity480Maturity

455 495

456Details496Details

457 497

458Run arbitrary commands inside Codex-provided macOS seatbelt or Linux sandboxes (Landlock by default, optional bubblewrap pipeline).498Run arbitrary commands inside Codex-provided macOS, Linux, or Windows sandboxes.

499

500Key

501

502[`codex update`](https://developers.openai.com/codex/cli/reference#codex-update)

503

504Maturity

505

506Stable

507

508Details

509

510Check for and apply a Codex CLI update when the installed release supports self-update.

459 511

460Expand to view all512Expand to view all

461 513

463 515

464### `codex` (interactive)516### `codex` (interactive)

465 517

466Running `codex` with no subcommand launches the interactive terminal UI (TUI). The agent accepts the global flags above plus image attachments. Web search defaults to cached mode; use `--search` to switch to live browsing and `--full-auto` to let Codex run most commands without prompts.518Running `codex` with no subcommand launches the interactive terminal UI (TUI). The agent accepts the global flags above plus image attachments. Web search defaults to cached mode; use `--search` to switch to live browsing. For low-friction local work, use `--sandbox workspace-write --ask-for-approval on-request`.

519

520Use `--remote ws://host:port` or `--remote wss://host:port` to connect the TUI to an app server started with `codex app-server --listen ws://IP:PORT`. Add `--remote-auth-token-env <ENV_VAR>` when the server requires a bearer token for WebSocket authentication. See [Codex CLI features](https://developers.openai.com/codex/cli/features#connect-the-tui-to-a-remote-app-server) for setup examples and authentication guidance.

467 521

468### `codex app-server`522### `codex app-server`

469 523

471 525

472| Key | Type / Values | Details |526| Key | Type / Values | Details |

473| --- | --- | --- |527| --- | --- | --- |

529| `--ws-audience` | `string` | Expected `aud` claim for signed bearer tokens. Requires `--ws-auth signed-bearer-token`. |

531| `--ws-issuer` | `string` | Expected `iss` claim for signed bearer tokens. Requires `--ws-auth signed-bearer-token`. |

532| `--ws-max-clock-skew-seconds` | `number` | Clock skew allowance when validating signed bearer token `exp` and `nbf` claims. Requires `--ws-auth signed-bearer-token`. |

533| `--ws-shared-secret-file` | `absolute path` | File containing the HMAC shared secret used to validate signed JWT bearer tokens. Required with `--ws-auth signed-bearer-token`. |

534| `--ws-token-file` | `absolute path` | File containing the shared capability token. Required with `--ws-auth capability-token`. |

475 535

476Key536Key

477 537

483 543

484Details544Details

485 545

486Transport listener URL. `ws://` is experimental and intended for development/testing.546Transport listener URL. Use `ws://IP:PORT` to expose a WebSocket endpoint for remote clients.

547

548Key

549

550`--ws-audience`

551

552Type / Values

553

554`string`

555

556Details

557

558Expected `aud` claim for signed bearer tokens. Requires `--ws-auth signed-bearer-token`.

559

560Key

561

562`--ws-auth`

563

564Type / Values

565

566`capability-token | signed-bearer-token`

567

568Details

569

570Authentication mode for app-server WebSocket clients. If omitted, WebSocket auth is disabled; non-local listeners warn during startup.

571

572Key

573

574`--ws-issuer`

575

576Type / Values

577

578`string`

579

580Details

581

582Expected `iss` claim for signed bearer tokens. Requires `--ws-auth signed-bearer-token`.

583

584Key

585

586`--ws-max-clock-skew-seconds`

587

588Type / Values

589

590`number`

591

592Details

593

594Clock skew allowance when validating signed bearer token `exp` and `nbf` claims. Requires `--ws-auth signed-bearer-token`.

595

596Key

597

598`--ws-shared-secret-file`

599

600Type / Values

601

602`absolute path`

603

604Details

605

606File containing the HMAC shared secret used to validate signed JWT bearer tokens. Required with `--ws-auth signed-bearer-token`.

607

608Key

609

610`--ws-token-file`

611

612Type / Values

487 613

488`codex app-server --listen stdio://` keeps the default JSONL-over-stdio behavior. `--listen ws://IP:PORT` enables WebSocket transport (experimental). If you generate schemas for client bindings, add `--experimental` to include gated fields and methods.614`absolute path`

615

616Details

617

618File containing the shared capability token. Required with `--ws-auth capability-token`.

619

620`codex app-server --listen stdio://` keeps the default JSONL-over-stdio behavior. `--listen ws://IP:PORT` enables WebSocket transport for app-server clients. The server accepts `ws://` listen URLs; use TLS termination or a secure proxy when clients connect with `wss://`. If you generate schemas for client bindings, add `--experimental` to include gated fields and methods.

489 621

490### `codex app`622### `codex app`

491 623

492Launch Codex Desktop from the terminal on macOS and optionally open a specific workspace path.624Launch Codex Desktop from the terminal on macOS or Windows. On macOS, Codex can open a specific workspace path; on Windows, Codex prints the path to open.

493 625

494| Key | Type / Values | Details |626| Key | Type / Values | Details |

495| --- | --- | --- |627| --- | --- | --- |

496| `--download-url` | `url` | Advanced override for the Codex desktop DMG download URL used during install. |628| `--download-url` | `url` | Advanced override for the Codex desktop installer URL used during install. |

498 630

499Key631Key

500 632

506 638

507Details639Details

508 640

509Advanced override for the Codex desktop DMG download URL used during install.641Advanced override for the Codex desktop installer URL used during install.

510 642

511Key643Key

512 644

518 650

519Details651Details

520 652

521Workspace path to open in Codex Desktop (`codex app` is available on macOS only).653Workspace path for Codex Desktop. On macOS, Codex opens this path; on Windows, Codex prints the path.

522 654

523`codex app` installs/opens the desktop app on macOS, then opens the provided workspace path. This subcommand is macOS-only.655`codex app` opens an installed Codex Desktop app, or starts the installer when

656the app is missing. On macOS, Codex opens the provided workspace path; on

657Windows, it prints the path to open after installation.

524 658

525### `codex debug app-server send-message-v2`659### `codex debug app-server send-message-v2`

526 660

544 678

545This debug flow initializes with `experimentalApi: true`, starts a thread, sends a turn, and streams server notifications. Use it to reproduce and inspect app-server protocol behavior locally.679This debug flow initializes with `experimentalApi: true`, starts a thread, sends a turn, and streams server notifications. Use it to reproduce and inspect app-server protocol behavior locally.

546 680

681### `codex debug models`

682

683Print the raw model catalog Codex sees as JSON.

684

685| Key | Type / Values | Details |

686| --- | --- | --- |

687| `--bundled` | `boolean` | Skip refresh and print only the model catalog bundled with the current Codex binary. |

688

689Key

690

691`--bundled`

692

693Type / Values

694

695`boolean`

696

697Details

698

699Skip refresh and print only the model catalog bundled with the current Codex binary.

700

701Use `--bundled` when you want to inspect only the catalog bundled with the current binary, without refreshing from the remote models endpoint.

702

547### `codex apply`703### `codex apply`

548 704

549Apply the most recent diff from a Codex cloud task to your local repository. You must authenticate and have access to the task.705Apply the most recent diff from a Codex cloud task to your local repository. You must authenticate and have access to the task.

911| `--ignore-rules` | `boolean` | Do not load user or project execpolicy `.rules` files for this run. |

912| `--ignore-user-config` | `boolean` | Do not load `$CODEX_HOME/config.toml`. Authentication still uses `CODEX_HOME`. |

823 981

824Details982Details

825 983

826Apply the low-friction automation preset (`workspace-write` sandbox and `on-request` approvals).984Deprecated compatibility flag. Prefer `--sandbox workspace-write`; Codex prints a warning when this flag is used.

985

986Key

987

988`--ignore-rules`

989

990Type / Values

991

992`boolean`

993

994Details

995

996Do not load user or project execpolicy `.rules` files for this run.

997

998Key

999

1000`--ignore-user-config`

1001

1002Type / Values

1003

1004`boolean`

1005

1006Details

1007

1008Do not load `$CODEX_HOME/config.toml`. Authentication still uses `CODEX_HOME`.

827 1009

828Key1010Key

829 1011

1275 1457

1276OAuth actions (`login`, `logout`) only work with streamable HTTP servers (and only when the server supports OAuth).1458OAuth actions (`login`, `logout`) only work with streamable HTTP servers (and only when the server supports OAuth).

1277 1459

1460### `codex plugin marketplace`

1461

1462Manage plugin marketplace sources that Codex can browse and install from.

1463

1464| Key | Type / Values | Details |

1465| --- | --- | --- |

1466| `add <source>` | `[--ref REF] [--sparse PATH]` | Install a plugin marketplace from GitHub shorthand, a Git URL, an SSH URL, or a local marketplace root directory. `--sparse` is supported only for Git sources and can be repeated. |

1467| `remove <marketplace-name>` | | Remove a configured plugin marketplace. |

1468| `upgrade [marketplace-name]` | | Refresh one configured Git marketplace, or all configured Git marketplaces when no name is provided. |

1469

1470Key

1471

1472`add <source>`

1473

1474Type / Values

1475

1476`[--ref REF] [--sparse PATH]`

1477

1478Details

1479

1480Install a plugin marketplace from GitHub shorthand, a Git URL, an SSH URL, or a local marketplace root directory. `--sparse` is supported only for Git sources and can be repeated.

1481

1482Key

1483

1484`remove <marketplace-name>`

1485

1486Details

1487

1488Remove a configured plugin marketplace.

1489

1490Key

1491

1492`upgrade [marketplace-name]`

1493

1494Details

1495

1496Refresh one configured Git marketplace, or all configured Git marketplaces when no name is provided.

1497

1498`codex plugin marketplace add` accepts GitHub shorthand such as `owner/repo` or

1499`owner/repo@ref`, HTTP or HTTPS Git URLs, SSH Git URLs, and local marketplace

1500root directories. Use `--ref` to pin a Git ref, and repeat `--sparse PATH` to

1501use a sparse checkout for Git-backed marketplace repositories.

1502

1278### `codex mcp-server`1503### `codex mcp-server`

1279 1504

1280Run Codex as an MCP server over stdio so that other tools can connect. This command inherits global configuration overrides and exits when the downstream client closes the connection.1505Run Codex as an MCP server over stdio so that other tools can connect. This command inherits global configuration overrides and exits when the downstream client closes the connection.

1379 1604

1380| Key | Type / Values | Details |1605| Key | Type / Values | Details |

1381| --- | --- | --- |1606| --- | --- | --- |

1607| `--allow-unix-socket` | `path` | Allow the sandboxed command to bind or connect Unix sockets rooted at this path. Repeat to allow multiple paths. |

1608| `--cd, -C` | `DIR` | Working directory used for profile resolution and command execution. Requires `--permissions-profile`. |

1611| `--log-denials` | `boolean` | Capture macOS sandbox denials with `log stream` while the command runs and print them after exit. |

1612| `--permissions-profile` | `NAME` | Apply a named permissions profile from the active configuration stack. |

1385 1614

1386Key1615Key

1387 1616

1617`--allow-unix-socket`

1618

1619Type / Values

1620

1621`path`

1622

1623Details

1624

1625Allow the sandboxed command to bind or connect Unix sockets rooted at this path. Repeat to allow multiple paths.

1626

1627Key

1628

1629`--cd, -C`

1630

1631Type / Values

1632

1633`DIR`

1634

1635Details

1636

1637Working directory used for profile resolution and command execution. Requires `--permissions-profile`.

1638

1639Key

1640

1388`--config, -c`1641`--config, -c`

1389 1642

1390Type / Values1643Type / Values

1397 1650

1398Key1651Key

1399 1652

1400`--full-auto`1653`--include-managed-config`

1401 1654

1402Type / Values1655Type / Values

1403 1656

1405 1658

1406Details1659Details

1407 1660

1408Grant write access to the current workspace and `/tmp` without approvals.1661Include managed requirements while resolving an explicit permissions profile. Requires `--permissions-profile`.

1662

1663Key

1664

1665`--log-denials`

1666

1667Type / Values

1668

1669`boolean`

1670

1671Details

1672

1673Capture macOS sandbox denials with `log stream` while the command runs and print them after exit.

1674

1675Key

1676

1677`--permissions-profile`

1678

1679Type / Values

1680

1681`NAME`

1682

1683Details

1684

1685Apply a named permissions profile from the active configuration stack.

1409 1686

1410Key1687Key

1411 1688

1423 1700

1424| Key | Type / Values | Details |1701| Key | Type / Values | Details |

1425| --- | --- | --- |1702| --- | --- | --- |

1703| `--cd, -C` | `DIR` | Working directory used for profile resolution and command execution. Requires `--permissions-profile`. |

1706| `--permissions-profile` | `NAME` | Apply a named permissions profile from the active configuration stack. |

1429 1708

1430Key1709Key

1431 1710

1711`--cd, -C`

1712

1713Type / Values

1714

1715`DIR`

1716

1717Details

1718

1719Working directory used for profile resolution and command execution. Requires `--permissions-profile`.

1720

1721Key

1722

1432`--config, -c`1723`--config, -c`

1433 1724

1434Type / Values1725Type / Values

1441 1732

1442Key1733Key

1443 1734

1444`--full-auto`1735`--include-managed-config`

1445 1736

1446Type / Values1737Type / Values

1447 1738

1449 1740

1450Details1741Details

1451 1742

1452Grant write access to the current workspace and `/tmp` inside the Landlock sandbox.1743Include managed requirements while resolving an explicit permissions profile. Requires `--permissions-profile`.

1744

1745Key

1746

1747`--permissions-profile`

1748

1749Type / Values

1750

1751`NAME`

1752

1753Details

1754

1755Apply a named permissions profile from the active configuration stack.

1453 1756

1454Key1757Key

1455 1758

1463 1766

1464Command to execute under Landlock + seccomp. Provide the executable after `--`.1767Command to execute under Landlock + seccomp. Provide the executable after `--`.

1465 1768

1769#### Windows

1770

1771| Key | Type / Values | Details |

1772| --- | --- | --- |

1773| `--cd, -C` | `DIR` | Working directory used for profile resolution and command execution. Requires `--permissions-profile`. |

1774| `--config, -c` | `key=value` | Configuration overrides applied before launching the sandbox (repeatable). |

1775| `--include-managed-config` | `boolean` | Include managed requirements while resolving an explicit permissions profile. Requires `--permissions-profile`. |

1776| `--permissions-profile` | `NAME` | Apply a named permissions profile from the active configuration stack. |

1777| `COMMAND...` | `var-args` | Command to execute under the native Windows sandbox. Provide the executable after `--`. |

1778

1779Key

1780

1781`--cd, -C`

1782

1783Type / Values

1784

1785`DIR`

1786

1787Details

1788

1789Working directory used for profile resolution and command execution. Requires `--permissions-profile`.

1790

1791Key

1792

1793`--config, -c`

1794

1795Type / Values

1796

1797`key=value`

1798

1799Details

1800

1801Configuration overrides applied before launching the sandbox (repeatable).

1802

1803Key

1804

1805`--include-managed-config`

1806

1807Type / Values

1808

1809`boolean`

1810

1811Details

1812

1813Include managed requirements while resolving an explicit permissions profile. Requires `--permissions-profile`.

1814

1815Key

1816

1817`--permissions-profile`

1818

1819Type / Values

1820

1821`NAME`

1822

1823Details

1824

1825Apply a named permissions profile from the active configuration stack.

1826

1827Key

1828

1829`COMMAND...`

1830

1831Type / Values

1832

1833`var-args`

1834

1835Details

1836

1837Command to execute under the native Windows sandbox. Provide the executable after `--`.

1838

1839### `codex update`

1840

1841Check for and apply a Codex CLI update when the installed release supports self-update. Debug builds print a message telling you to install a release build instead.

1842

1466## Flag combinations and safety tips1843## Flag combinations and safety tips

1467 1844

1468- Set `--full-auto` for unattended local work, but avoid combining it with `--dangerously-bypass-approvals-and-sandbox` unless you are inside a dedicated sandbox VM.1845- Use `--sandbox workspace-write` for unattended local work that can stay inside the workspace, and avoid `--dangerously-bypass-approvals-and-sandbox` unless you are inside a dedicated sandbox VM.

1469- When you need to grant Codex write access to more directories, prefer `--add-dir` rather than forcing `--sandbox danger-full-access`.1846- When you need to grant Codex write access to more directories, prefer `--add-dir` rather than forcing `--sandbox danger-full-access`.

1470- Pair `--json` with `--output-last-message` in CI to capture machine-readable progress and a final natural-language summary.1847- Pair `--json` with `--output-last-message` in CI to capture machine-readable progress and a final natural-language summary.

1471 1848

cli/reference.md Codex Docs, 2026-02-24 06:27 UTC → 2026-04-30 18:36 UTC