config-advanced.md +141 −19
230 230
231You can also use a granular approval policy (`approval_policy = { granular = { ... } }`) to allow or auto-reject individual prompt categories. This is useful when you want normal interactive approvals for some cases but want others, such as `request_permissions` or skill-script prompts, to fail closed automatically.231You can also use a granular approval policy (`approval_policy = { granular = { ... } }`) to allow or auto-reject individual prompt categories. This is useful when you want normal interactive approvals for some cases but want others, such as `request_permissions` or skill-script prompts, to fail closed automatically.
232 232
233233```Set `approvals_reviewer = "auto_review"` to route eligible interactive approval
234requests through automatic review. This changes the reviewer, not the sandbox
235boundary.
236
237Use `[auto_review].policy` for local reviewer policy instructions. Managed
238`guardian_policy_config` takes precedence.
239
240```toml
234approval_policy = "untrusted" # Other options: on-request, never, or { granular = { ... } }241approval_policy = "untrusted" # Other options: on-request, never, or { granular = { ... } }
242approvals_reviewer = "user" # Or "auto_review" for automatic review
235sandbox_mode = "workspace-write"243sandbox_mode = "workspace-write"
236allow_login_shell = false # Optional hardening: disallow login shells for shell tools244allow_login_shell = false # Optional hardening: disallow login shells for shell tools
237 245
249exclude_slash_tmp = false # Allow /tmp257exclude_slash_tmp = false # Allow /tmp
250writable_roots = ["/Users/YOU/.pyenv/shims"]258writable_roots = ["/Users/YOU/.pyenv/shims"]
251network_access = false # Opt in to outbound network259network_access = false # Opt in to outbound network
260
261[auto_review]
262policy = """
263Use your organization's automatic review policy.
264"""
252```265```
253 266
254Need the complete key list (including profile-scoped overrides and requirements constraints)? See [Configuration Reference](https://developers.openai.com/codex/config-reference) and [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration).267Need the complete key list (including profile-scoped overrides and requirements constraints)? See [Configuration Reference](https://developers.openai.com/codex/config-reference) and [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration).
370 383
371#### Metrics catalog384#### Metrics catalog
372 385
373386Each metric includes the required fields plus the default context fields above. Every metric is prefixed by `codex.`.Each metric includes the required fields plus the default context fields above. Metric names below omit the `codex.` prefix.
387Most metric names are centralized in `codex-rs/otel/src/metrics/names.rs`; feature-specific metrics emitted outside that file are included here too.
374If a metric includes the `tool` field, it reflects the internal tool used (for example, `apply_patch` or `shell`) and doesn't contain the actual shell command or patch `codex` is trying to apply.388If a metric includes the `tool` field, it reflects the internal tool used (for example, `apply_patch` or `shell`) and doesn't contain the actual shell command or patch `codex` is trying to apply.
375 389
390#### Runtime and model transport
391
392| Metric | Type | Fields | Description |
393| --- | --- | --- | --- |
394| `api_request` | counter | `status`, `success` | API request count by HTTP status and success/failure. |
395| `api_request.duration_ms` | histogram | `status`, `success` | API request duration in milliseconds. |
396| `sse_event` | counter | `kind`, `success` | SSE event count by event kind and success/failure. |
397| `sse_event.duration_ms` | histogram | `kind`, `success` | SSE event processing duration in milliseconds. |
398| `websocket.request` | counter | `success` | WebSocket request count by success/failure. |
399| `websocket.request.duration_ms` | histogram | `success` | WebSocket request duration in milliseconds. |
400| `websocket.event` | counter | `kind`, `success` | WebSocket message/event count by type and success/failure. |
401| `websocket.event.duration_ms` | histogram | `kind`, `success` | WebSocket message/event processing duration in milliseconds. |
402| `responses_api_overhead.duration_ms` | histogram | | Responses API overhead timing from websocket responses. |
403| `responses_api_inference_time.duration_ms` | histogram | | Responses API inference timing from websocket responses. |
404| `responses_api_engine_iapi_ttft.duration_ms` | histogram | | Responses API engine IAPI time-to-first-token timing. |
405| `responses_api_engine_service_ttft.duration_ms` | histogram | | Responses API engine service time-to-first-token timing. |
406| `responses_api_engine_iapi_tbt.duration_ms` | histogram | | Responses API engine IAPI time-between-token timing. |
407| `responses_api_engine_service_tbt.duration_ms` | histogram | | Responses API engine service time-between-token timing. |
408| `transport.fallback_to_http` | counter | `from_wire_api` | WebSocket-to-HTTP fallback count. |
409| `remote_models.fetch_update.duration_ms` | histogram | | Time to fetch remote model definitions. |
410| `remote_models.load_cache.duration_ms` | histogram | | Time to load the remote model cache. |
411| `startup_prewarm.duration_ms` | histogram | `status` | Startup prewarm duration by outcome. |
412| `startup_prewarm.age_at_first_turn_ms` | histogram | `status` | Startup prewarm age when the first real turn resolves it. |
413| `cloud_requirements.fetch.duration_ms` | histogram | | Workspace-managed cloud requirements fetch duration. |
414| `cloud_requirements.fetch_attempt` | counter | See note | Workspace-managed cloud requirements fetch attempts. |
415| `cloud_requirements.fetch_final` | counter | See note | Final workspace-managed cloud requirements fetch outcome. |
416| `cloud_requirements.load` | counter | `trigger`, `outcome` | Workspace-managed cloud requirements load outcome. |
417
418The `cloud_requirements.fetch_attempt` metric includes `trigger`, `attempt`, `outcome`, and `status_code` fields. The `cloud_requirements.fetch_final` metric includes `trigger`, `outcome`, `reason`, `attempt_count`, and `status_code` fields.
419
420#### Turn and tool activity
421
422| Metric | Type | Fields | Description |
423| --- | --- | --- | --- |
424| `turn.e2e_duration_ms` | histogram | | End-to-end time for a full turn. |
425| `turn.ttft.duration_ms` | histogram | | Time to first token for a turn. |
426| `turn.ttfm.duration_ms` | histogram | | Time to first model output item for a turn. |
427| `turn.network_proxy` | counter | `active`, `tmp_mem_enabled` | Whether the managed network proxy was active for the turn. |
428| `turn.memory` | counter | `read_allowed`, `feature_enabled`, `config_use_memories`, `has_citations` | Per-turn memory read availability and memory citation usage. |
429| `turn.tool.call` | histogram | `tmp_mem_enabled` | Number of tool calls in the turn. |
430| `turn.token_usage` | histogram | `token_type`, `tmp_mem_enabled` | Per-turn token usage by token type (`total`, `input`, `cached_input`, `output`, or `reasoning_output`). |
431| `tool.call` | counter | `tool`, `success` | Tool invocation count by tool name and success/failure. |
432| `tool.call.duration_ms` | histogram | `tool`, `success` | Tool execution duration in milliseconds by tool name and outcome. |
433| `tool.unified_exec` | counter | `tty` | Unified exec tool calls by TTY mode. |
434| `approval.requested` | counter | `tool`, `approved` | Tool approval request result (`approved`, `approved_with_amendment`, `approved_for_session`, `denied`, `abort`). |
435| `mcp.call` | counter | See note | MCP tool invocation result. |
436| `mcp.call.duration_ms` | histogram | See note | MCP tool invocation duration. |
437| `mcp.tools.list.duration_ms` | histogram | `cache` | MCP tool-list duration, including cache hit/miss state. |
438| `mcp.tools.fetch_uncached.duration_ms` | histogram | | Duration of uncached MCP tool fetches. |
439| `mcp.tools.cache_write.duration_ms` | histogram | | Duration of Codex Apps MCP tool-cache writes. |
440| `hooks.run` | counter | `hook_name`, `source`, `status` | Hook run count by hook name, source, and status. |
441| `hooks.run.duration_ms` | histogram | `hook_name`, `source`, `status` | Hook run duration in milliseconds. |
442
443The `mcp.call` and `mcp.call.duration_ms` metrics include `status`; normal tool-call emissions also include `tool`, plus `connector_id` and `connector_name` when available. Blocked Codex Apps MCP calls may emit `mcp.call` with only `status`.
444
445#### Threads, tasks, and features
446
376| Metric | Type | Fields | Description |447| Metric | Type | Fields | Description |
377| --- | --- | --- | --- |448| --- | --- | --- | --- |
378| `feature.state` | counter | `feature`, `value` | Feature values that differ from defaults (emit one row per non-default). |449| `feature.state` | counter | `feature`, `value` | Feature values that differ from defaults (emit one row per non-default). |
379450| `thread.started` | counter | `is_git` | New thread created. || `status_line` | counter | | Session started with a configured status line. |
380451| `thread.fork` | counter | | New thread created by forking an existing thread. || `model_warning` | counter | | Warning sent to the model. |
452| `thread.started` | counter | `is_git` | New thread created, tagged by whether the working directory is in a Git repo. |
453| `conversation.turn.count` | counter | | User/assistant turns per thread, recorded at the end of the thread. |
454| `thread.fork` | counter | `source` | New thread created by forking an existing thread. |
381| `thread.rename` | counter | | Thread renamed. |455| `thread.rename` | counter | | Thread renamed. |
456| `thread.side` | counter | `source` | Side conversation created. |
457| `thread.skills.enabled_total` | histogram | | Number of skills enabled for a new thread. |
458| `thread.skills.kept_total` | histogram | | Number of enabled skills kept after prompt rendering. |
459| `thread.skills.truncated` | histogram | | Whether skill rendering truncated the enabled skills list (`1` or `0`). |
382| `task.compact` | counter | `type` | Number of compactions per type (`remote` or `local`), including manual and auto. |460| `task.compact` | counter | `type` | Number of compactions per type (`remote` or `local`), including manual and auto. |
383| `task.user_shell` | counter | | Number of user shell actions (`!` in the TUI for example). |
384| `task.review` | counter | | Number of reviews triggered. |461| `task.review` | counter | | Number of reviews triggered. |
385| `task.undo` | counter | | Number of undo actions triggered. |462| `task.undo` | counter | | Number of undo actions triggered. |
386463| `approval.requested` | counter | `tool`, `approved` | Tool approval request result (`approved`, `approved_with_amendment`, `approved_for_session`, `denied`, `abort`). || `task.user_shell` | counter | | Number of user shell actions (`!` in the TUI for example). |
387464| `conversation.turn.count` | counter | | User/assistant turns per thread, recorded at the end of the thread. || `shell_snapshot` | counter | See note | Whether taking a shell snapshot succeeded. |
388| `turn.e2e_duration_ms` | histogram | | End-to-end time for a full turn. |
389| `mcp.call` | counter | `status` | MCP tool invocation result (`ok` or error string). |
390| `model_warning` | counter | | Warning sent to the model. |
391| `tool.call` | counter | `tool`, `success` | Tool invocation result (`success`: `true` or `false`). |
392| `tool.call.duration_ms` | histogram | `tool`, `success` | Tool execution time. |
393| `remote_models.fetch_update.duration_ms` | histogram | | Time to fetch remote model definitions. |
394| `remote_models.load_cache.duration_ms` | histogram | | Time to load the remote model cache. |
395| `shell_snapshot` | counter | `success` | Whether taking a shell snapshot succeeded. |
396| `shell_snapshot.duration_ms` | histogram | `success` | Time to take a shell snapshot. |465| `shell_snapshot.duration_ms` | histogram | `success` | Time to take a shell snapshot. |
397466| `db.init` | counter | `status` | State DB initialization outcomes (`opened`, `created`, `open_error`, `init_error`). || `skill.injected` | counter | `status`, `skill` | Skill injection outcomes by skill. |
467| `plugins.startup_sync` | counter | `transport`, `status` | Curated plugin startup sync attempts. |
468| `plugins.startup_sync.final` | counter | `transport`, `status` | Final curated plugin startup sync outcome. |
469| `multi_agent.spawn` | counter | `role` | Agent spawns by role. |
470| `multi_agent.resume` | counter | | Agent resumes. |
471| `multi_agent.nickname_pool_reset` | counter | | Agent nickname pool resets. |
472
473The `shell_snapshot` metric includes `success` and, on failures, `failure_reason`.
474
475#### Memory and local state
476
477| Metric | Type | Fields | Description |
478| --- | --- | --- | --- |
479| `memory.phase1` | counter | `status` | Memory phase 1 job counts by status. |
480| `memory.phase1.e2e_ms` | histogram | | End-to-end duration for memory phase 1. |
481| `memory.phase1.output` | counter | | Memory phase 1 outputs written. |
482| `memory.phase1.token_usage` | histogram | `token_type` | Memory phase 1 token usage by token type. |
483| `memory.phase2` | counter | `status` | Memory phase 2 job counts by status. |
484| `memory.phase2.e2e_ms` | histogram | | End-to-end duration for memory phase 2. |
485| `memory.phase2.input` | counter | | Memory phase 2 input count. |
486| `memory.phase2.token_usage` | histogram | `token_type` | Memory phase 2 token usage by token type. |
487| `memories.usage` | counter | `kind`, `tool`, `success` | Memory usage by kind, tool, and success/failure. |
488| `external_agent_config.detect` | counter | See note | External agent config detections by migration item type. |
489| `external_agent_config.import` | counter | See note | External agent config imports by migration item type. |
398| `db.backfill` | counter | `status` | Initial state DB backfill results (`upserted`, `failed`). |490| `db.backfill` | counter | `status` | Initial state DB backfill results (`upserted`, `failed`). |
399491| `db.backfill.duration_ms` | histogram | `status` | Duration of the initial state DB backfill, tagged with `success`, `failed`, or `partial_failure`. || `db.backfill.duration_ms` | histogram | `status` | Duration of the initial state DB backfill. |
400492| `db.error` | counter | `stage` | Errors during state DB operations (for example, `extract_metadata_from_rollout`, `backfill_sessions`, `apply_rollout_items`). || `db.error` | counter | `stage` | Errors during state DB operations. |
401493| `db.compare_error` | counter | `stage`, `reason` | State DB discrepancies detected during reconciliation. |
494The `external_agent_config.detect` and `external_agent_config.import` metrics include `migration_type`; skills migrations also include `skills_count`.
495
496#### Windows sandbox
497
498| Metric | Type | Fields | Description |
499| --- | --- | --- | --- |
500| `windows_sandbox.setup_success` | counter | `originator`, `mode` | Windows sandbox setup successes. |
501| `windows_sandbox.setup_failure` | counter | `originator`, `mode` | Windows sandbox setup failures. |
502| `windows_sandbox.setup_duration_ms` | histogram | `result`, `originator`, `mode` | Windows sandbox setup duration. |
503| `windows_sandbox.elevated_setup_success` | counter | | Elevated Windows sandbox setup successes. |
504| `windows_sandbox.elevated_setup_failure` | counter | See note | Elevated Windows sandbox setup failures. |
505| `windows_sandbox.elevated_setup_canceled` | counter | See note | Canceled elevated Windows sandbox setup attempts. |
506| `windows_sandbox.elevated_setup_duration_ms` | histogram | `result` | Elevated Windows sandbox setup duration. |
507| `windows_sandbox.elevated_prompt_shown` | counter | | Elevated sandbox setup prompt shown. |
508| `windows_sandbox.elevated_prompt_accept` | counter | | Elevated sandbox setup prompt accepted. |
509| `windows_sandbox.elevated_prompt_use_legacy` | counter | | User chose legacy sandbox from the elevated prompt. |
510| `windows_sandbox.elevated_prompt_quit` | counter | | User quit from the elevated prompt. |
511| `windows_sandbox.fallback_prompt_shown` | counter | | Fallback sandbox prompt shown. |
512| `windows_sandbox.fallback_retry_elevated` | counter | | User retried elevated setup from the fallback prompt. |
513| `windows_sandbox.fallback_use_legacy` | counter | | User chose legacy sandbox from the fallback prompt. |
514| `windows_sandbox.fallback_prompt_quit` | counter | | User quit from the fallback prompt. |
515| `windows_sandbox.legacy_setup_preflight_failed` | counter | See note | Legacy Windows sandbox setup preflight failure. |
516| `windows_sandbox.setup_elevated_sandbox_command` | counter | | Elevated sandbox setup command invoked. |
517| `windows_sandbox.createprocessasuserw_failed` | counter | `error_code`, `path_kind`, `exe`, `level` | Windows `CreateProcessAsUserW` failures. |
518
519The elevated setup failure metrics include `code` and `message` when Windows setup failure details are available, and may include `originator` when emitted from the shared setup path. The `windows_sandbox.legacy_setup_preflight_failed` metric includes `originator` when emitted from the shared setup path, but fallback-prompt preflight failures may not include any fields.
402 520
403### Feedback controls521### Feedback controls
404 522
476- `notify` runs an external program (good for webhooks, desktop notifiers, CI hooks).594- `notify` runs an external program (good for webhooks, desktop notifiers, CI hooks).
477- `tui.notifications` is built in to the TUI and can optionally filter by event type (for example, `agent-turn-complete` and `approval-requested`).595- `tui.notifications` is built in to the TUI and can optionally filter by event type (for example, `agent-turn-complete` and `approval-requested`).
478- `tui.notification_method` controls how the TUI emits terminal notifications (`auto`, `osc9`, or `bel`).596- `tui.notification_method` controls how the TUI emits terminal notifications (`auto`, `osc9`, or `bel`).
597- `tui.notification_condition` controls whether TUI notifications fire only when
598 the terminal is `unfocused` or `always`.
479 599
480In `auto` mode, Codex prefers OSC 9 notifications (a terminal escape sequence some terminals interpret as a desktop notification) and falls back to BEL (`\x07`) otherwise.600In `auto` mode, Codex prefers OSC 9 notifications (a terminal escape sequence some terminals interpret as a desktop notification) and falls back to BEL (`\x07`) otherwise.
481 601
522 642
523- `tui.notifications`: enable/disable notifications (or restrict to specific types)643- `tui.notifications`: enable/disable notifications (or restrict to specific types)
524- `tui.notification_method`: choose `auto`, `osc9`, or `bel` for terminal notifications644- `tui.notification_method`: choose `auto`, `osc9`, or `bel` for terminal notifications
645- `tui.notification_condition`: choose `unfocused` or `always` for when
646 notifications fire
525- `tui.animations`: enable/disable ASCII animations and shimmer effects647- `tui.animations`: enable/disable ASCII animations and shimmer effects
526- `tui.alternate_screen`: control alternate screen usage (set to `never` to keep terminal scrollback)648- `tui.alternate_screen`: control alternate screen usage (set to `never` to keep terminal scrollback)
527- `tui.show_tooltips`: show or hide onboarding tooltips on the welcome screen649- `tui.show_tooltips`: show or hide onboarding tooltips on the welcome screen