config-advanced diff

config-advanced.md +104 −20

Details

84 84

85In addition to your user config, Codex reads project-scoped overrides from `.codex/config.toml` files inside your repo. Codex walks from the project root to your current working directory and loads every `.codex/config.toml` it finds. If multiple files define the same key, the closest file to your working directory wins.85In addition to your user config, Codex reads project-scoped overrides from `.codex/config.toml` files inside your repo. Codex walks from the project root to your current working directory and loads every `.codex/config.toml` it finds. If multiple files define the same key, the closest file to your working directory wins.

86 86

~~87For security, Codex loads project-scoped config files only when the project is trusted. If the project is untrusted, Codex ignores `.codex/config.toml` files in the project.~~87For security, Codex loads project-scoped config files only when the project is trusted. If the project is untrusted, Codex ignores project `.codex/` layers, including `.codex/config.toml`, project-local hooks, and project-local rules. User and system layers remain separate and still load.

88 88

89Relative paths inside a project config (for example, `model_instructions_file`) are resolved relative to the `.codex/` folder that contains the `config.toml`.89Relative paths inside a project config (for example, `model_instructions_file`) are resolved relative to the `.codex/` folder that contains the `config.toml`.

90 90

~~91## Hooks (experimental)~~91Project config files can't override settings that redirect credentials, change

92provider auth, or run machine-local notification/telemetry commands.

93Codex ignores the following keys in project-local `.codex/config.toml` and

94prints a startup warning when it sees them: `openai_base_url`,

95`chatgpt_base_url`, `model_provider`, `model_providers`, `notify`, `profile`,

96`profiles`, `experimental_realtime_ws_base_url`, and `otel`. Set those keys in

97your user-level `~/.codex/config.toml` instead.

92 98

~~93Codex can also load lifecycle hooks from `hooks.json` files that sit next to~~99## Hooks

~~94active config layers.~~

95 100

~~96In practice, the two most useful locations are:~~101Codex can also load lifecycle hooks from either `hooks.json` files or inline

102`[hooks]` tables in `config.toml` files that sit next to active config layers.

103

104In practice, the four most useful locations are:

97 105

98- `~/.codex/hooks.json`106- `~/.codex/hooks.json`

107- `~/.codex/config.toml`

99- `<repo>/.codex/hooks.json`108- `<repo>/.codex/hooks.json`

109- `<repo>/.codex/config.toml`

110

111Project-local hooks load only when the project `.codex/` layer is trusted.

112User-level hooks remain independent of project trust.

100 113

101Turn hooks on with:114Inline TOML hooks use the same event structure as `hooks.json`:

102 115

103```toml116```toml

104[features]117[[hooks.PreToolUse]]

105codex_hooks = true118matcher = "^Bash$"

119

120[[hooks.PreToolUse.hooks]]

121type = "command"

122command = '/usr/bin/python3 "$(git rev-parse --show-toplevel)/.codex/hooks/pre_tool_use_policy.py"'

123timeout = 30

124statusMessage = "Checking Bash command"

106```125```

107 126

127If a single layer contains both `hooks.json` and inline `[hooks]`, Codex loads

128both and warns. Prefer one representation per layer.

129

108For the current event list, input fields, output behavior, and limitations, see130For the current event list, input fields, output behavior, and limitations, see

109[Hooks](https://developers.openai.com/codex/hooks).131[Hooks](https://developers.openai.com/codex/hooks).

110 132

175 197

176The auth command receives no `stdin` and must print the token to stdout. Codex trims surrounding whitespace, treats an empty token as an error, and refreshes proactively at `refresh_interval_ms`; set `refresh_interval_ms = 0` to refresh only after an authentication retry. Don't combine `[model_providers.<id>.auth]` with `env_key`, `experimental_bearer_token`, or `requires_openai_auth`.198The auth command receives no `stdin` and must print the token to stdout. Codex trims surrounding whitespace, treats an empty token as an error, and refreshes proactively at `refresh_interval_ms`; set `refresh_interval_ms = 0` to refresh only after an authentication retry. Don't combine `[model_providers.<id>.auth]` with `env_key`, `experimental_bearer_token`, or `requires_openai_auth`.

177 199

200### Amazon Bedrock provider

201

202Codex includes a built-in `amazon-bedrock` model provider. Set it directly as

203`model_provider`; unlike custom providers, this built-in provider supports only

204the nested AWS profile and region overrides.

205

206```toml

207model_provider = "amazon-bedrock"

208model = "<bedrock-model-id>"

209

210[model_providers.amazon-bedrock.aws]

211profile = "default"

212region = "eu-central-1"

213```

214

215If you omit `profile`, Codex uses the standard AWS credential chain. Set

216`region` to the supported Bedrock region that should handle requests.

217

178## OSS mode (local providers)218## OSS mode (local providers)

179 219

180Codex can run against a local "open source" provider (for example, Ollama or LM Studio) when you pass `--oss`. If you pass `--oss` without specifying a provider, Codex uses `oss_provider` as the default.220Codex can run against a local "open source" provider (for example, Ollama or LM Studio) when you pass `--oss`. If you pass `--oss` without specifying a provider, Codex uses `oss_provider` as the default.

230 270

231You can also use a granular approval policy (`approval_policy = { granular = { ... } }`) to allow or auto-reject individual prompt categories. This is useful when you want normal interactive approvals for some cases but want others, such as `request_permissions` or skill-script prompts, to fail closed automatically.271You can also use a granular approval policy (`approval_policy = { granular = { ... } }`) to allow or auto-reject individual prompt categories. This is useful when you want normal interactive approvals for some cases but want others, such as `request_permissions` or skill-script prompts, to fail closed automatically.

232 272

233```273Set `approvals_reviewer = "auto_review"` to route eligible interactive approval

274requests through automatic review. This changes the reviewer, not the sandbox

275boundary.

276

277Use `[auto_review].policy` for local reviewer policy instructions. Managed

278`guardian_policy_config` takes precedence.

279

280```toml

234approval_policy = "untrusted" # Other options: on-request, never, or { granular = { ... } }281approval_policy = "untrusted" # Other options: on-request, never, or { granular = { ... } }

282approvals_reviewer = "user" # Or "auto_review" for automatic review

235sandbox_mode = "workspace-write"283sandbox_mode = "workspace-write"

236allow_login_shell = false # Optional hardening: disallow login shells for shell tools284allow_login_shell = false # Optional hardening: disallow login shells for shell tools

237 285

249exclude_slash_tmp = false # Allow /tmp297exclude_slash_tmp = false # Allow /tmp

250writable_roots = ["/Users/YOU/.pyenv/shims"]298writable_roots = ["/Users/YOU/.pyenv/shims"]

251network_access = false # Opt in to outbound network299network_access = false # Opt in to outbound network

300

301[auto_review]

302policy = """

303Use your organization's automatic review policy.

304"""

305```

306

307### Named permission profiles

308

309Set `default_permissions` to reuse a sandbox profile by name. Codex includes

310the built-in profiles `:read-only`, `:workspace`, and `:danger-no-sandbox`:

311

312```toml

313default_permissions = ":workspace"

314```

315

316For custom profiles, point `default_permissions` at a name you define under

317`[permissions.<name>]`:

318

319```toml

320default_permissions = "workspace"

321

322[permissions.workspace.filesystem]

323":project_roots" = { "." = "write", "**/*.env" = "none" }

324glob_scan_max_depth = 3

325

326[permissions.workspace.network]

327enabled = true

328mode = "limited"

329

330[permissions.workspace.network.domains]

331"api.openai.com" = "allow"

252```332```

253 333

334Use built-in names with a leading colon. Custom names don't use a leading

335colon and must have matching `permissions` tables.

336

254Need the complete key list (including profile-scoped overrides and requirements constraints)? See [Configuration Reference](https://developers.openai.com/codex/config-reference) and [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration).337Need the complete key list (including profile-scoped overrides and requirements constraints)? See [Configuration Reference](https://developers.openai.com/codex/config-reference) and [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration).

255 338

256In workspace-write mode, some environments keep `.git/` and `.codex/`339In workspace-write mode, some environments keep `.git/` and `.codex/`

257 read-only even when the rest of the workspace is writable. This is why340 read-only even when the rest of the workspace is writable. This is why

258 commands like `git commit` may still require approval to run outside the341 commands like `git commit` may still require approval to run outside the

259sandbox. If you want Codex to skip specific commands (for example, block `git commit` outside the sandbox), use342 sandbox. If you want Codex to skip specific commands (for example, block `git

260[rules](https://developers.openai.com/codex/rules).343 commit` outside the sandbox), use

344 <a href="/codex/rules">rules</a>.

261 345

262Disable sandboxing entirely (use only if your environment already isolates processes):346Disable sandboxing entirely (use only if your environment already isolates processes):

263 347

335Each metric below also includes default metadata tags: `auth_mode`, `originator`, `session_source`, `model`, and `app.version`.419Each metric below also includes default metadata tags: `auth_mode`, `originator`, `session_source`, `model`, and `app.version`.

336 420

338| --- | --- | --- | --- |422| ------------------------------------- | --------- | ------------------- | ----------------------------------------------------------------- |

377#### Runtime and model transport461#### Runtime and model transport

378 462

380| --- | --- | --- | --- |464| ----------------------------------------------- | --------- | -------------------- | ------------------------------------------------------------ |

407#### Turn and tool activity491#### Turn and tool activity

408 492

410| --- | --- | --- | --- |494| -------------------------------------- | --------- | ------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |

432#### Threads, tasks, and features516#### Threads, tasks, and features

433 517

435| --- | --- | --- | --- |519| --------------------------------- | --------- | --------------------- | -------------------------------------------------------------------------------- |

462#### Memory and local state546#### Memory and local state

463 547

465| --- | --- | --- | --- |549| ------------------------------ | --------- | ------------------------- | --------------------------------------------------------- |

483#### Windows sandbox567#### Windows sandbox

484 568

486| --- | --- | --- | --- |570| ------------------------------------------------ | --------- | ----------------------------------------- | ----------------------------------------------------- |

config-advanced.md Codex Docs, 2026-04-21 18:29 UTC → 2026-05-18 22:01 UTC