config-reference.md +561 −54
24| `approval_policy.granular.rules` | `boolean` | When `true`, approvals triggered by execpolicy `prompt` rules are allowed to surface. |24| `approval_policy.granular.rules` | `boolean` | When `true`, approvals triggered by execpolicy `prompt` rules are allowed to surface. |
25| `approval_policy.granular.sandbox_approval` | `boolean` | When `true`, sandbox escalation approval prompts are allowed to surface. |25| `approval_policy.granular.sandbox_approval` | `boolean` | When `true`, sandbox escalation approval prompts are allowed to surface. |
26| `approval_policy.granular.skill_approval` | `boolean` | When `true`, skill-script approval prompts are allowed to surface. |26| `approval_policy.granular.skill_approval` | `boolean` | When `true`, skill-script approval prompts are allowed to surface. |
27| `approvals_reviewer` | `user | auto_review` | Who reviews eligible approval prompts under `on-request` or granular approval policies. Defaults to `user`; `auto_review` uses the reviewer subagent. This setting doesn't change sandboxing or review actions already allowed inside the sandbox. |
27| `apps._default.destructive_enabled` | `boolean` | Default allow/deny for app tools with `destructive_hint = true`. |28| `apps._default.destructive_enabled` | `boolean` | Default allow/deny for app tools with `destructive_hint = true`. |
28| `apps._default.enabled` | `boolean` | Default app enabled state for all apps unless overridden per app. |29| `apps._default.enabled` | `boolean` | Default app enabled state for all apps unless overridden per app. |
29| `apps._default.open_world_enabled` | `boolean` | Default allow/deny for app tools with `open_world_hint = true`. |30| `apps._default.open_world_enabled` | `boolean` | Default allow/deny for app tools with `open_world_hint = true`. |
34| `apps.<id>.open_world_enabled` | `boolean` | Allow or block tools in this app that advertise `open_world_hint = true`. |35| `apps.<id>.open_world_enabled` | `boolean` | Allow or block tools in this app that advertise `open_world_hint = true`. |
35| `apps.<id>.tools.<tool>.approval_mode` | `auto | prompt | approve` | Per-tool approval behavior override for a single app tool. |36| `apps.<id>.tools.<tool>.approval_mode` | `auto | prompt | approve` | Per-tool approval behavior override for a single app tool. |
36| `apps.<id>.tools.<tool>.enabled` | `boolean` | Per-tool enabled override for an app tool (for example `repos/list`). |37| `apps.<id>.tools.<tool>.enabled` | `boolean` | Per-tool enabled override for an app tool (for example `repos/list`). |
38| `auto_review.policy` | `string` | Local Markdown policy instructions for automatic review. Managed `guardian_policy_config` takes precedence. Blank values are ignored. |
37| `background_terminal_max_timeout` | `number` | Maximum poll window in milliseconds for empty `write_stdin` polls (background terminal polling). Default: `300000` (5 minutes). Replaces the older `background_terminal_timeout` key. |39| `background_terminal_max_timeout` | `number` | Maximum poll window in milliseconds for empty `write_stdin` polls (background terminal polling). Default: `300000` (5 minutes). Replaces the older `background_terminal_timeout` key. |
38| `chatgpt_base_url` | `string` | Override the base URL used during the ChatGPT login flow. |40| `chatgpt_base_url` | `string` | Override the base URL used during the ChatGPT login flow. |
39| `check_for_update_on_startup` | `boolean` | Check for Codex updates on startup (set to false only when updates are centrally managed). |41| `check_for_update_on_startup` | `boolean` | Check for Codex updates on startup (set to false only when updates are centrally managed). |
46| `experimental_compact_prompt_file` | `string (path)` | Load the compaction prompt override from a file (experimental). |48| `experimental_compact_prompt_file` | `string (path)` | Load the compaction prompt override from a file (experimental). |
47| `experimental_use_unified_exec_tool` | `boolean` | Legacy name for enabling unified exec; prefer `[features].unified_exec` or `codex --enable unified_exec`. |49| `experimental_use_unified_exec_tool` | `boolean` | Legacy name for enabling unified exec; prefer `[features].unified_exec` or `codex --enable unified_exec`. |
48| `features.apps` | `boolean` | Enable ChatGPT Apps/connectors support (experimental). |50| `features.apps` | `boolean` | Enable ChatGPT Apps/connectors support (experimental). |
4951| `features.codex_hooks` | `boolean` | Enable lifecycle hooks loaded from `hooks.json` (under development; off by default). || `features.codex_hooks` | `boolean` | Enable lifecycle hooks loaded from `hooks.json` or inline `[hooks]` config. |
50| `features.enable_request_compression` | `boolean` | Compress streaming request bodies with zstd when supported (stable; on by default). |52| `features.enable_request_compression` | `boolean` | Compress streaming request bodies with zstd when supported (stable; on by default). |
51| `features.fast_mode` | `boolean` | Enable Fast mode selection and the `service_tier = "fast"` path (stable; on by default). |53| `features.fast_mode` | `boolean` | Enable Fast mode selection and the `service_tier = "fast"` path (stable; on by default). |
54| `features.memories` | `boolean` | Enable [Memories](https://developers.openai.com/codex/memories) (off by default). |
52| `features.multi_agent` | `boolean` | Enable multi-agent collaboration tools (`spawn_agent`, `send_input`, `resume_agent`, `wait_agent`, and `close_agent`) (stable; on by default). |55| `features.multi_agent` | `boolean` | Enable multi-agent collaboration tools (`spawn_agent`, `send_input`, `resume_agent`, `wait_agent`, and `close_agent`) (stable; on by default). |
53| `features.personality` | `boolean` | Enable personality selection controls (stable; on by default). |56| `features.personality` | `boolean` | Enable personality selection controls (stable; on by default). |
54| `features.prevent_idle_sleep` | `boolean` | Prevent the machine from sleeping while a turn is actively running (experimental; off by default). |57| `features.prevent_idle_sleep` | `boolean` | Prevent the machine from sleeping while a turn is actively running (experimental; off by default). |
55| `features.shell_snapshot` | `boolean` | Snapshot shell environment to speed up repeated commands (stable; on by default). |58| `features.shell_snapshot` | `boolean` | Snapshot shell environment to speed up repeated commands (stable; on by default). |
56| `features.shell_tool` | `boolean` | Enable the default `shell` tool for running commands (stable; on by default). |59| `features.shell_tool` | `boolean` | Enable the default `shell` tool for running commands (stable; on by default). |
57| `features.skill_mcp_dependency_install` | `boolean` | Allow prompting and installing missing MCP dependencies for skills (stable; on by default). |60| `features.skill_mcp_dependency_install` | `boolean` | Allow prompting and installing missing MCP dependencies for skills (stable; on by default). |
58| `features.smart_approvals` | `boolean` | Route eligible approval requests through the guardian reviewer subagent (experimental; off by default). |
59| `features.undo` | `boolean` | Enable undo support (stable; off by default). |61| `features.undo` | `boolean` | Enable undo support (stable; off by default). |
60| `features.unified_exec` | `boolean` | Use the unified PTY-backed exec tool (stable; enabled by default except on Windows). |62| `features.unified_exec` | `boolean` | Use the unified PTY-backed exec tool (stable; enabled by default except on Windows). |
61| `features.web_search` | `boolean` | Deprecated legacy toggle; prefer the top-level `web_search` setting. |63| `features.web_search` | `boolean` | Deprecated legacy toggle; prefer the top-level `web_search` setting. |
68| `hide_agent_reasoning` | `boolean` | Suppress reasoning events in both the TUI and `codex exec` output. |70| `hide_agent_reasoning` | `boolean` | Suppress reasoning events in both the TUI and `codex exec` output. |
69| `history.max_bytes` | `number` | If set, caps the history file size in bytes by dropping oldest entries. |71| `history.max_bytes` | `number` | If set, caps the history file size in bytes by dropping oldest entries. |
70| `history.persistence` | `save-all | none` | Control whether Codex saves session transcripts to history.jsonl. |72| `history.persistence` | `save-all | none` | Control whether Codex saves session transcripts to history.jsonl. |
73| `hooks` | `table` | Lifecycle hooks configured inline in `config.toml`. Uses the same event schema as `hooks.json`; see the Hooks guide for examples and supported events. |
71| `instructions` | `string` | Reserved for future use; prefer `model_instructions_file` or `AGENTS.md`. |74| `instructions` | `string` | Reserved for future use; prefer `model_instructions_file` or `AGENTS.md`. |
72| `log_dir` | `string (path)` | Directory where Codex writes log files (for example `codex-tui.log`); defaults to `$CODEX_HOME/log`. |75| `log_dir` | `string (path)` | Directory where Codex writes log files (for example `codex-tui.log`); defaults to `$CODEX_HOME/log`. |
73| `mcp_oauth_callback_port` | `integer` | Optional fixed port for the local HTTP callback server used during MCP OAuth login. When unset, Codex binds to an ephemeral port chosen by the OS. |76| `mcp_oauth_callback_port` | `integer` | Optional fixed port for the local HTTP callback server used during MCP OAuth login. When unset, Codex binds to an ephemeral port chosen by the OS. |
82| `mcp_servers.<id>.enabled_tools` | `array<string>` | Allow list of tool names exposed by the MCP server. |85| `mcp_servers.<id>.enabled_tools` | `array<string>` | Allow list of tool names exposed by the MCP server. |
83| `mcp_servers.<id>.env` | `map<string,string>` | Environment variables forwarded to the MCP stdio server. |86| `mcp_servers.<id>.env` | `map<string,string>` | Environment variables forwarded to the MCP stdio server. |
84| `mcp_servers.<id>.env_http_headers` | `map<string,string>` | HTTP headers populated from environment variables for an MCP HTTP server. |87| `mcp_servers.<id>.env_http_headers` | `map<string,string>` | HTTP headers populated from environment variables for an MCP HTTP server. |
8588| `mcp_servers.<id>.env_vars` | `array<string>` | Additional environment variables to whitelist for an MCP stdio server. || `mcp_servers.<id>.env_vars` | `array<string | { name = string, source = "local" | "remote" }>` | Additional environment variables to whitelist for an MCP stdio server. String entries default to `source = "local"`; use `source = "remote"` only with executor-backed remote stdio. |
89| `mcp_servers.<id>.experimental_environment` | `local | remote` | Experimental placement for an MCP server. `remote` starts stdio servers through a remote executor environment; streamable HTTP remote placement is not implemented. |
86| `mcp_servers.<id>.http_headers` | `map<string,string>` | Static HTTP headers included with each MCP HTTP request. |90| `mcp_servers.<id>.http_headers` | `map<string,string>` | Static HTTP headers included with each MCP HTTP request. |
87| `mcp_servers.<id>.oauth_resource` | `string` | Optional RFC 8707 OAuth resource parameter to include during MCP login. |91| `mcp_servers.<id>.oauth_resource` | `string` | Optional RFC 8707 OAuth resource parameter to include during MCP login. |
88| `mcp_servers.<id>.required` | `boolean` | When true, fail startup/resume if this enabled MCP server cannot initialize. |92| `mcp_servers.<id>.required` | `boolean` | When true, fail startup/resume if this enabled MCP server cannot initialize. |
91| `mcp_servers.<id>.startup_timeout_sec` | `number` | Override the default 10s startup timeout for an MCP server. |95| `mcp_servers.<id>.startup_timeout_sec` | `number` | Override the default 10s startup timeout for an MCP server. |
92| `mcp_servers.<id>.tool_timeout_sec` | `number` | Override the default 60s per-tool timeout for an MCP server. |96| `mcp_servers.<id>.tool_timeout_sec` | `number` | Override the default 60s per-tool timeout for an MCP server. |
93| `mcp_servers.<id>.url` | `string` | Endpoint for an MCP streamable HTTP server. |97| `mcp_servers.<id>.url` | `string` | Endpoint for an MCP streamable HTTP server. |
9498| `model` | `string` | Model to use (e.g., `gpt-5-codex`). || `memories.consolidation_model` | `string` | Optional model override for global memory consolidation. |
99| `memories.disable_on_external_context` | `boolean` | When `true`, threads that use external context such as MCP tool calls, web search, or tool search are kept out of memory generation. Defaults to `false`. Legacy alias: `memories.no_memories_if_mcp_or_web_search`. |
100| `memories.extract_model` | `string` | Optional model override for per-thread memory extraction. |
101| `memories.generate_memories` | `boolean` | When `false`, newly created threads are not stored as memory-generation inputs. Defaults to `true`. |
102| `memories.max_raw_memories_for_consolidation` | `number` | Maximum recent raw memories retained for global consolidation. Defaults to `256` and is capped at `4096`. |
103| `memories.max_rollout_age_days` | `number` | Maximum age of threads considered for memory generation. Defaults to `30` and is clamped to `0`-`90`. |
104| `memories.max_rollouts_per_startup` | `number` | Maximum rollout candidates processed per startup pass. Defaults to `16` and is capped at `128`. |
105| `memories.max_unused_days` | `number` | Maximum days since a memory was last used before it becomes ineligible for consolidation. Defaults to `30` and is clamped to `0`-`365`. |
106| `memories.min_rate_limit_remaining_percent` | `number` | Minimum remaining percentage required in Codex rate-limit windows before memory generation starts. Defaults to `25` and is clamped to `0`-`100`. |
107| `memories.min_rollout_idle_hours` | `number` | Minimum idle time before a thread is considered for memory generation. Defaults to `6` and is clamped to `1`-`48`. |
108| `memories.use_memories` | `boolean` | When `false`, Codex skips injecting existing memories into future sessions. Defaults to `true`. |
109| `model` | `string` | Model to use (e.g., `gpt-5.5`). |
95| `model_auto_compact_token_limit` | `number` | Token threshold that triggers automatic history compaction (unset uses model defaults). |110| `model_auto_compact_token_limit` | `number` | Token threshold that triggers automatic history compaction (unset uses model defaults). |
96| `model_catalog_json` | `string (path)` | Optional path to a JSON model catalog loaded on startup. Profile-level `profiles.<name>.model_catalog_json` can override this per profile. |111| `model_catalog_json` | `string (path)` | Optional path to a JSON model catalog loaded on startup. Profile-level `profiles.<name>.model_catalog_json` can override this per profile. |
97| `model_context_window` | `number` | Context window tokens available to the active model. |112| `model_context_window` | `number` | Context window tokens available to the active model. |
98| `model_instructions_file` | `string (path)` | Replacement for built-in instructions instead of `AGENTS.md`. |113| `model_instructions_file` | `string (path)` | Replacement for built-in instructions instead of `AGENTS.md`. |
99| `model_provider` | `string` | Provider id from `model_providers` (default: `openai`). |114| `model_provider` | `string` | Provider id from `model_providers` (default: `openai`). |
115| `model_providers.<id>` | `table` | Custom provider definition. Built-in provider IDs (`openai`, `ollama`, and `lmstudio`) are reserved and cannot be overridden. |
116| `model_providers.<id>.auth` | `table` | Command-backed bearer token configuration for a custom provider. Do not combine with `env_key`, `experimental_bearer_token`, or `requires_openai_auth`. |
117| `model_providers.<id>.auth.args` | `array<string>` | Arguments passed to the token command. |
118| `model_providers.<id>.auth.command` | `string` | Command to run when Codex needs a bearer token. The command must print the token to stdout. |
119| `model_providers.<id>.auth.cwd` | `string (path)` | Working directory for the token command. |
120| `model_providers.<id>.auth.refresh_interval_ms` | `number` | How often Codex proactively refreshes the token in milliseconds (default: 300000). Set to `0` to refresh only after an authentication retry. |
121| `model_providers.<id>.auth.timeout_ms` | `number` | Maximum token command runtime in milliseconds (default: 5000). |
100| `model_providers.<id>.base_url` | `string` | API base URL for the model provider. |122| `model_providers.<id>.base_url` | `string` | API base URL for the model provider. |
101| `model_providers.<id>.env_http_headers` | `map<string,string>` | HTTP headers populated from environment variables when present. |123| `model_providers.<id>.env_http_headers` | `map<string,string>` | HTTP headers populated from environment variables when present. |
102| `model_providers.<id>.env_key` | `string` | Environment variable supplying the provider API key. |124| `model_providers.<id>.env_key` | `string` | Environment variable supplying the provider API key. |
142| `otel.trace_exporter.<id>.tls.client-certificate` | `string` | Client certificate path for OTEL trace exporter TLS. |164| `otel.trace_exporter.<id>.tls.client-certificate` | `string` | Client certificate path for OTEL trace exporter TLS. |
143| `otel.trace_exporter.<id>.tls.client-private-key` | `string` | Client private key path for OTEL trace exporter TLS. |165| `otel.trace_exporter.<id>.tls.client-private-key` | `string` | Client private key path for OTEL trace exporter TLS. |
144| `permissions.<name>.filesystem` | `table` | Named filesystem permission profile. Each key is an absolute path or special token such as `:minimal` or `:project_roots`. |166| `permissions.<name>.filesystem` | `table` | Named filesystem permission profile. Each key is an absolute path or special token such as `:minimal` or `:project_roots`. |
145167| `permissions.<name>.filesystem.":project_roots".<subpath>` | `"read" | "write" | "none"` | Scoped filesystem access relative to the detected project roots. Use `"."` for the root itself. || `permissions.<name>.filesystem.":project_roots".<subpath-or-glob>` | `"read" | "write" | "none"` | Scoped filesystem access relative to the detected project roots. Use `"."` for the root itself; glob subpaths such as `"**/*.env"` can deny reads with `"none"`. |
146168| `permissions.<name>.filesystem.<path>` | `"read" | "write" | "none" | table` | Grant direct access for a path or special token, or scope nested entries under that root. || `permissions.<name>.filesystem.<path-or-glob>` | `"read" | "write" | "none" | table` | Grant direct access for a path, glob pattern, or special token, or scope nested entries under that root. Use `"none"` to deny reads for matching paths. |
169| `permissions.<name>.filesystem.glob_scan_max_depth` | `number` | Maximum depth for expanding deny-read glob patterns on platforms that snapshot matches before sandbox startup. Must be at least `1` when set. |
147| `permissions.<name>.network.allow_local_binding` | `boolean` | Permit local bind/listen operations through the managed proxy. |170| `permissions.<name>.network.allow_local_binding` | `boolean` | Permit local bind/listen operations through the managed proxy. |
148| `permissions.<name>.network.allow_unix_sockets` | `array<string>` | Allowlist of Unix socket paths permitted through the managed proxy. |
149| `permissions.<name>.network.allow_upstream_proxy` | `boolean` | Allow the managed proxy to chain to another upstream proxy. |171| `permissions.<name>.network.allow_upstream_proxy` | `boolean` | Allow the managed proxy to chain to another upstream proxy. |
150| `permissions.<name>.network.allowed_domains` | `array<string>` | Allowlist of domains permitted through the managed proxy. |
151| `permissions.<name>.network.dangerously_allow_all_unix_sockets` | `boolean` | Allow the proxy to use arbitrary Unix sockets instead of the default restricted set. |172| `permissions.<name>.network.dangerously_allow_all_unix_sockets` | `boolean` | Allow the proxy to use arbitrary Unix sockets instead of the default restricted set. |
152| `permissions.<name>.network.dangerously_allow_non_loopback_proxy` | `boolean` | Permit non-loopback bind addresses for the managed proxy listener. |173| `permissions.<name>.network.dangerously_allow_non_loopback_proxy` | `boolean` | Permit non-loopback bind addresses for the managed proxy listener. |
153174| `permissions.<name>.network.denied_domains` | `array<string>` | Denylist of domains blocked by the managed proxy. || `permissions.<name>.network.domains` | `map<string, allow | deny>` | Domain rules for the managed proxy. Use domain names or wildcard patterns as keys, with `allow` or `deny` values. |
154| `permissions.<name>.network.enable_socks5` | `boolean` | Expose a SOCKS5 listener when this permissions profile enables the managed network proxy. |175| `permissions.<name>.network.enable_socks5` | `boolean` | Expose a SOCKS5 listener when this permissions profile enables the managed network proxy. |
155| `permissions.<name>.network.enable_socks5_udp` | `boolean` | Allow UDP over the SOCKS5 listener when enabled. |176| `permissions.<name>.network.enable_socks5_udp` | `boolean` | Allow UDP over the SOCKS5 listener when enabled. |
156| `permissions.<name>.network.enabled` | `boolean` | Enable network access for this named permissions profile. |177| `permissions.<name>.network.enabled` | `boolean` | Enable network access for this named permissions profile. |
157| `permissions.<name>.network.mode` | `limited | full` | Network proxy mode used for subprocess traffic. |178| `permissions.<name>.network.mode` | `limited | full` | Network proxy mode used for subprocess traffic. |
158| `permissions.<name>.network.proxy_url` | `string` | HTTP proxy endpoint used when this permissions profile enables the managed network proxy. |179| `permissions.<name>.network.proxy_url` | `string` | HTTP proxy endpoint used when this permissions profile enables the managed network proxy. |
159| `permissions.<name>.network.socks_url` | `string` | SOCKS5 proxy endpoint used by this permissions profile. |180| `permissions.<name>.network.socks_url` | `string` | SOCKS5 proxy endpoint used by this permissions profile. |
181| `permissions.<name>.network.unix_sockets` | `map<string, allow | none>` | Unix socket rules for the managed proxy. Use socket paths as keys, with `allow` or `none` values. |
160| `personality` | `none | friendly | pragmatic` | Default communication style for models that advertise `supportsPersonality`; can be overridden per thread/turn or via `/personality`. |182| `personality` | `none | friendly | pragmatic` | Default communication style for models that advertise `supportsPersonality`; can be overridden per thread/turn or via `/personality`. |
161| `plan_mode_reasoning_effort` | `none | minimal | low | medium | high | xhigh` | Plan-mode-specific reasoning override. When unset, Plan mode uses its built-in preset default. |183| `plan_mode_reasoning_effort` | `none | minimal | low | medium | high | xhigh` | Plan-mode-specific reasoning override. When unset, Plan mode uses its built-in preset default. |
162| `profile` | `string` | Default profile applied at startup (equivalent to `--profile`). |184| `profile` | `string` | Default profile applied at startup (equivalent to `--profile`). |
175| `project_doc_fallback_filenames` | `array<string>` | Additional filenames to try when `AGENTS.md` is missing. |197| `project_doc_fallback_filenames` | `array<string>` | Additional filenames to try when `AGENTS.md` is missing. |
176| `project_doc_max_bytes` | `number` | Maximum bytes read from `AGENTS.md` when building project instructions. |198| `project_doc_max_bytes` | `number` | Maximum bytes read from `AGENTS.md` when building project instructions. |
177| `project_root_markers` | `array<string>` | List of project root marker filenames; used when searching parent directories for the project root. |199| `project_root_markers` | `array<string>` | List of project root marker filenames; used when searching parent directories for the project root. |
178200| `projects.<path>.trust_level` | `string` | Mark a project or worktree as trusted or untrusted (`"trusted"` | `"untrusted"`). Untrusted projects skip project-scoped `.codex/` layers. || `projects.<path>.trust_level` | `string` | Mark a project or worktree as trusted or untrusted (`"trusted"` | `"untrusted"`). Untrusted projects skip project-scoped `.codex/` layers, including project-local config, hooks, and rules. |
179| `review_model` | `string` | Optional model override used by `/review` (defaults to the current session model). |201| `review_model` | `string` | Optional model override used by `/review` (defaults to the current session model). |
180| `sandbox_mode` | `read-only | workspace-write | danger-full-access` | Sandbox policy for filesystem and network access during command execution. |202| `sandbox_mode` | `read-only | workspace-write | danger-full-access` | Sandbox policy for filesystem and network access during command execution. |
181| `sandbox_workspace_write.exclude_slash_tmp` | `boolean` | Exclude `/tmp` from writable roots in workspace-write mode. |203| `sandbox_workspace_write.exclude_slash_tmp` | `boolean` | Exclude `/tmp` from writable roots in workspace-write mode. |
196| `sqlite_home` | `string (path)` | Directory where Codex stores the SQLite-backed state DB used by agent jobs and other resumable runtime state. |218| `sqlite_home` | `string (path)` | Directory where Codex stores the SQLite-backed state DB used by agent jobs and other resumable runtime state. |
197| `suppress_unstable_features_warning` | `boolean` | Suppress the warning that appears when under-development feature flags are enabled. |219| `suppress_unstable_features_warning` | `boolean` | Suppress the warning that appears when under-development feature flags are enabled. |
198| `tool_output_token_limit` | `number` | Token budget for storing individual tool/function outputs in history. |220| `tool_output_token_limit` | `number` | Token budget for storing individual tool/function outputs in history. |
221| `tool_suggest.discoverables` | `array<table>` | Allow tool suggestions for additional discoverable connectors or plugins. Each entry uses `type = "connector"` or `"plugin"` and an `id`. |
199| `tools.view_image` | `boolean` | Enable the local-image attachment tool `view_image`. |222| `tools.view_image` | `boolean` | Enable the local-image attachment tool `view_image`. |
200| `tools.web_search` | `boolean | { context_size = "low|medium|high", allowed_domains = [string], location = { country, region, city, timezone } }` | Optional web search tool configuration. The legacy boolean form is still accepted, but the object form lets you set search context size, allowed domains, and approximate user location. |223| `tools.web_search` | `boolean | { context_size = "low|medium|high", allowed_domains = [string], location = { country, region, city, timezone } }` | Optional web search tool configuration. The legacy boolean form is still accepted, but the object form lets you set search context size, allowed domains, and approximate user location. |
201| `tui` | `table` | TUI-specific options such as enabling inline desktop notifications. |224| `tui` | `table` | TUI-specific options such as enabling inline desktop notifications. |
202| `tui.alternate_screen` | `auto | always | never` | Control alternate screen usage for the TUI (default: auto; auto skips it in Zellij to preserve scrollback). |225| `tui.alternate_screen` | `auto | always | never` | Control alternate screen usage for the TUI (default: auto; auto skips it in Zellij to preserve scrollback). |
203| `tui.animations` | `boolean` | Enable terminal animations (welcome screen, shimmer, spinner) (default: true). |226| `tui.animations` | `boolean` | Enable terminal animations (welcome screen, shimmer, spinner) (default: true). |
204| `tui.model_availability_nux.<model>` | `integer` | Internal startup-tooltip state keyed by model slug. |227| `tui.model_availability_nux.<model>` | `integer` | Internal startup-tooltip state keyed by model slug. |
205228| `tui.notification_method` | `auto | osc9 | bel` | Notification method for unfocused terminal notifications (default: auto). || `tui.notification_condition` | `unfocused | always` | Control whether TUI notifications fire only when the terminal is unfocused or regardless of focus. Defaults to `unfocused`. |
229| `tui.notification_method` | `auto | osc9 | bel` | Notification method for terminal notifications (default: auto). |
206| `tui.notifications` | `boolean | array<string>` | Enable TUI notifications; optionally restrict to specific event types. |230| `tui.notifications` | `boolean | array<string>` | Enable TUI notifications; optionally restrict to specific event types. |
207| `tui.show_tooltips` | `boolean` | Show onboarding tooltips in the TUI welcome screen (default: true). |231| `tui.show_tooltips` | `boolean` | Show onboarding tooltips in the TUI welcome screen (default: true). |
208| `tui.status_line` | `array<string> | null` | Ordered list of TUI footer status-line item identifiers. `null` disables the status line. |232| `tui.status_line` | `array<string> | null` | Ordered list of TUI footer status-line item identifiers. `null` disables the status line. |
233| `tui.terminal_title` | `array<string> | null` | Ordered list of terminal window/tab title item identifiers. Defaults to `["spinner", "project"]`; `null` disables title updates. |
209| `tui.theme` | `string` | Syntax-highlighting theme override (kebab-case theme name). |234| `tui.theme` | `string` | Syntax-highlighting theme override (kebab-case theme name). |
210| `web_search` | `disabled | cached | live` | Web search mode (default: `"cached"`; cached uses an OpenAI-maintained index and does not fetch live pages; if you use `--yolo` or another full access sandbox setting, it defaults to `"live"`). Use `"live"` to fetch the most recent data from the web, or `"disabled"` to remove the tool. |235| `web_search` | `disabled | cached | live` | Web search mode (default: `"cached"`; cached uses an OpenAI-maintained index and does not fetch live pages; if you use `--yolo` or another full access sandbox setting, it defaults to `"live"`). Use `"live"` to fetch the most recent data from the web, or `"disabled"` to remove the tool. |
211| `windows_wsl_setup_acknowledged` | `boolean` | Track Windows onboarding acknowledgement (Windows only). |236| `windows_wsl_setup_acknowledged` | `boolean` | Track Windows onboarding acknowledgement (Windows only). |
382 407
383Key408Key
384 409
410`approvals_reviewer`
411
412Type / Values
413
414`user | auto_review`
415
416Details
417
418Who reviews eligible approval prompts under `on-request` or granular approval policies. Defaults to `user`; `auto_review` uses the reviewer subagent. This setting doesn't change sandboxing or review actions already allowed inside the sandbox.
419
420Key
421
385`apps._default.destructive_enabled`422`apps._default.destructive_enabled`
386 423
387Type / Values424Type / Values
502 539
503Key540Key
504 541
542`auto_review.policy`
543
544Type / Values
545
546`string`
547
548Details
549
550Local Markdown policy instructions for automatic review. Managed `guardian_policy_config` takes precedence. Blank values are ignored.
551
552Key
553
505`background_terminal_max_timeout`554`background_terminal_max_timeout`
506 555
507Type / Values556Type / Values
654 703
655Details704Details
656 705
657706Enable lifecycle hooks loaded from `hooks.json` (under development; off by default).Enable lifecycle hooks loaded from `hooks.json` or inline `[hooks]` config.
658 707
659Key708Key
660 709
682 731
683Key732Key
684 733
734`features.memories`
735
736Type / Values
737
738`boolean`
739
740Details
741
742Enable [Memories](https://developers.openai.com/codex/memories) (off by default).
743
744Key
745
685`features.multi_agent`746`features.multi_agent`
686 747
687Type / Values748Type / Values
754 815
755Key816Key
756 817
757`features.smart_approvals`
758
759Type / Values
760
761`boolean`
762
763Details
764
765Route eligible approval requests through the guardian reviewer subagent (experimental; off by default).
766
767Key
768
769`features.undo`818`features.undo`
770 819
771Type / Values820Type / Values
910 959
911Key960Key
912 961
962`hooks`
963
964Type / Values
965
966`table`
967
968Details
969
970Lifecycle hooks configured inline in `config.toml`. Uses the same event schema as `hooks.json`; see the Hooks guide for examples and supported events.
971
972Key
973
913`instructions`974`instructions`
914 975
915Type / Values976Type / Values
1082 1143
1083Type / Values1144Type / Values
1084 1145
10851146`array<string>``array<string | { name = string, source = "local" | "remote" }>`
1086 1147
1087Details1148Details
1088 1149
10891150Additional environment variables to whitelist for an MCP stdio server.Additional environment variables to whitelist for an MCP stdio server. String entries default to `source = "local"`; use `source = "remote"` only with executor-backed remote stdio.
1151
1152Key
1153
1154`mcp_servers.<id>.experimental_environment`
1155
1156Type / Values
1157
1158`local | remote`
1159
1160Details
1161
1162Experimental placement for an MCP server. `remote` starts stdio servers through a remote executor environment; streamable HTTP remote placement is not implemented.
1090 1163
1091Key1164Key
1092 1165
1186 1259
1187Key1260Key
1188 1261
1262`memories.consolidation_model`
1263
1264Type / Values
1265
1266`string`
1267
1268Details
1269
1270Optional model override for global memory consolidation.
1271
1272Key
1273
1274`memories.disable_on_external_context`
1275
1276Type / Values
1277
1278`boolean`
1279
1280Details
1281
1282When `true`, threads that use external context such as MCP tool calls, web search, or tool search are kept out of memory generation. Defaults to `false`. Legacy alias: `memories.no_memories_if_mcp_or_web_search`.
1283
1284Key
1285
1286`memories.extract_model`
1287
1288Type / Values
1289
1290`string`
1291
1292Details
1293
1294Optional model override for per-thread memory extraction.
1295
1296Key
1297
1298`memories.generate_memories`
1299
1300Type / Values
1301
1302`boolean`
1303
1304Details
1305
1306When `false`, newly created threads are not stored as memory-generation inputs. Defaults to `true`.
1307
1308Key
1309
1310`memories.max_raw_memories_for_consolidation`
1311
1312Type / Values
1313
1314`number`
1315
1316Details
1317
1318Maximum recent raw memories retained for global consolidation. Defaults to `256` and is capped at `4096`.
1319
1320Key
1321
1322`memories.max_rollout_age_days`
1323
1324Type / Values
1325
1326`number`
1327
1328Details
1329
1330Maximum age of threads considered for memory generation. Defaults to `30` and is clamped to `0`-`90`.
1331
1332Key
1333
1334`memories.max_rollouts_per_startup`
1335
1336Type / Values
1337
1338`number`
1339
1340Details
1341
1342Maximum rollout candidates processed per startup pass. Defaults to `16` and is capped at `128`.
1343
1344Key
1345
1346`memories.max_unused_days`
1347
1348Type / Values
1349
1350`number`
1351
1352Details
1353
1354Maximum days since a memory was last used before it becomes ineligible for consolidation. Defaults to `30` and is clamped to `0`-`365`.
1355
1356Key
1357
1358`memories.min_rate_limit_remaining_percent`
1359
1360Type / Values
1361
1362`number`
1363
1364Details
1365
1366Minimum remaining percentage required in Codex rate-limit windows before memory generation starts. Defaults to `25` and is clamped to `0`-`100`.
1367
1368Key
1369
1370`memories.min_rollout_idle_hours`
1371
1372Type / Values
1373
1374`number`
1375
1376Details
1377
1378Minimum idle time before a thread is considered for memory generation. Defaults to `6` and is clamped to `1`-`48`.
1379
1380Key
1381
1382`memories.use_memories`
1383
1384Type / Values
1385
1386`boolean`
1387
1388Details
1389
1390When `false`, Codex skips injecting existing memories into future sessions. Defaults to `true`.
1391
1392Key
1393
1189`model`1394`model`
1190 1395
1191Type / Values1396Type / Values
1194 1399
1195Details1400Details
1196 1401
11971402Model to use (e.g., `gpt-5-codex`).Model to use (e.g., `gpt-5.5`).
1198 1403
1199Key1404Key
1200 1405
1258 1463
1259Key1464Key
1260 1465
1466`model_providers.<id>`
1467
1468Type / Values
1469
1470`table`
1471
1472Details
1473
1474Custom provider definition. Built-in provider IDs (`openai`, `ollama`, and `lmstudio`) are reserved and cannot be overridden.
1475
1476Key
1477
1478`model_providers.<id>.auth`
1479
1480Type / Values
1481
1482`table`
1483
1484Details
1485
1486Command-backed bearer token configuration for a custom provider. Do not combine with `env_key`, `experimental_bearer_token`, or `requires_openai_auth`.
1487
1488Key
1489
1490`model_providers.<id>.auth.args`
1491
1492Type / Values
1493
1494`array<string>`
1495
1496Details
1497
1498Arguments passed to the token command.
1499
1500Key
1501
1502`model_providers.<id>.auth.command`
1503
1504Type / Values
1505
1506`string`
1507
1508Details
1509
1510Command to run when Codex needs a bearer token. The command must print the token to stdout.
1511
1512Key
1513
1514`model_providers.<id>.auth.cwd`
1515
1516Type / Values
1517
1518`string (path)`
1519
1520Details
1521
1522Working directory for the token command.
1523
1524Key
1525
1526`model_providers.<id>.auth.refresh_interval_ms`
1527
1528Type / Values
1529
1530`number`
1531
1532Details
1533
1534How often Codex proactively refreshes the token in milliseconds (default: 300000). Set to `0` to refresh only after an authentication retry.
1535
1536Key
1537
1538`model_providers.<id>.auth.timeout_ms`
1539
1540Type / Values
1541
1542`number`
1543
1544Details
1545
1546Maximum token command runtime in milliseconds (default: 5000).
1547
1548Key
1549
1261`model_providers.<id>.base_url`1550`model_providers.<id>.base_url`
1262 1551
1263Type / Values1552Type / Values
1798 2087
1799Key2088Key
1800 2089
18012090`permissions.<name>.filesystem.":project_roots".<subpath>``permissions.<name>.filesystem.":project_roots".<subpath-or-glob>`
1802 2091
1803Type / Values2092Type / Values
1804 2093
1806 2095
1807Details2096Details
1808 2097
18092098Scoped filesystem access relative to the detected project roots. Use `"."` for the root itself.Scoped filesystem access relative to the detected project roots. Use `"."` for the root itself; glob subpaths such as `"**/*.env"` can deny reads with `"none"`.
1810 2099
1811Key2100Key
1812 2101
18132102`permissions.<name>.filesystem.<path>``permissions.<name>.filesystem.<path-or-glob>`
1814 2103
1815Type / Values2104Type / Values
1816 2105
1818 2107
1819Details2108Details
1820 2109
18212110Grant direct access for a path or special token, or scope nested entries under that root.Grant direct access for a path, glob pattern, or special token, or scope nested entries under that root. Use `"none"` to deny reads for matching paths.
1822 2111
1823Key2112Key
1824 2113
18252114`permissions.<name>.network.allow_local_binding``permissions.<name>.filesystem.glob_scan_max_depth`
1826 2115
1827Type / Values2116Type / Values
1828 2117
18292118`boolean``number`
1830 2119
1831Details2120Details
1832 2121
18332122Permit local bind/listen operations through the managed proxy.Maximum depth for expanding deny-read glob patterns on platforms that snapshot matches before sandbox startup. Must be at least `1` when set.
1834 2123
1835Key2124Key
1836 2125
18372126`permissions.<name>.network.allow_unix_sockets``permissions.<name>.network.allow_local_binding`
1838 2127
1839Type / Values2128Type / Values
1840 2129
18412130`array<string>``boolean`
1842 2131
1843Details2132Details
1844 2133
18452134Allowlist of Unix socket paths permitted through the managed proxy.Permit local bind/listen operations through the managed proxy.
1846 2135
1847Key2136Key
1848 2137
1858 2147
1859Key2148Key
1860 2149
1861`permissions.<name>.network.allowed_domains`
1862
1863Type / Values
1864
1865`array<string>`
1866
1867Details
1868
1869Allowlist of domains permitted through the managed proxy.
1870
1871Key
1872
1873`permissions.<name>.network.dangerously_allow_all_unix_sockets`2150`permissions.<name>.network.dangerously_allow_all_unix_sockets`
1874 2151
1875Type / Values2152Type / Values
1894 2171
1895Key2172Key
1896 2173
18972174`permissions.<name>.network.denied_domains``permissions.<name>.network.domains`
1898 2175
1899Type / Values2176Type / Values
1900 2177
19012178`array<string>``map<string, allow | deny>`
1902 2179
1903Details2180Details
1904 2181
19052182Denylist of domains blocked by the managed proxy.Domain rules for the managed proxy. Use domain names or wildcard patterns as keys, with `allow` or `deny` values.
1906 2183
1907Key2184Key
1908 2185
1978 2255
1979Key2256Key
1980 2257
2258`permissions.<name>.network.unix_sockets`
2259
2260Type / Values
2261
2262`map<string, allow | none>`
2263
2264Details
2265
2266Unix socket rules for the managed proxy. Use socket paths as keys, with `allow` or `none` values.
2267
2268Key
2269
1981`personality`2270`personality`
1982 2271
1983Type / Values2272Type / Values
2202 2491
2203Details2492Details
2204 2493
22052494Mark a project or worktree as trusted or untrusted (`"trusted"` | `"untrusted"`). Untrusted projects skip project-scoped `.codex/` layers.Mark a project or worktree as trusted or untrusted (`"trusted"` | `"untrusted"`). Untrusted projects skip project-scoped `.codex/` layers, including project-local config, hooks, and rules.
2206 2495
2207Key2496Key
2208 2497
2446 2735
2447Key2736Key
2448 2737
2738`tool_suggest.discoverables`
2739
2740Type / Values
2741
2742`array<table>`
2743
2744Details
2745
2746Allow tool suggestions for additional discoverable connectors or plugins. Each entry uses `type = "connector"` or `"plugin"` and an `id`.
2747
2748Key
2749
2449`tools.view_image`2750`tools.view_image`
2450 2751
2451Type / Values2752Type / Values
2518 2819
2519Key2820Key
2520 2821
2822`tui.notification_condition`
2823
2824Type / Values
2825
2826`unfocused | always`
2827
2828Details
2829
2830Control whether TUI notifications fire only when the terminal is unfocused or regardless of focus. Defaults to `unfocused`.
2831
2832Key
2833
2521`tui.notification_method`2834`tui.notification_method`
2522 2835
2523Type / Values2836Type / Values
2526 2839
2527Details2840Details
2528 2841
25292842Notification method for unfocused terminal notifications (default: auto).Notification method for terminal notifications (default: auto).
2530 2843
2531Key2844Key
2532 2845
2566 2879
2567Key2880Key
2568 2881
2882`tui.terminal_title`
2883
2884Type / Values
2885
2886`array<string> | null`
2887
2888Details
2889
2890Ordered list of terminal window/tab title item identifiers. Defaults to `["spinner", "project"]`; `null` disables title updates.
2891
2892Key
2893
2569`tui.theme`2894`tui.theme`
2570 2895
2571Type / Values2896Type / Values
2649| Key | Type / Values | Details |2974| Key | Type / Values | Details |
2650| --- | --- | --- |2975| --- | --- | --- |
2651| `allowed_approval_policies` | `array<string>` | Allowed values for `approval_policy` (for example `untrusted`, `on-request`, `never`, and `granular`). |2976| `allowed_approval_policies` | `array<string>` | Allowed values for `approval_policy` (for example `untrusted`, `on-request`, `never`, and `granular`). |
2977| `allowed_approvals_reviewers` | `array<string>` | Allowed values for `approvals_reviewer`, such as `user` and `auto_review`. |
2652| `allowed_sandbox_modes` | `array<string>` | Allowed values for `sandbox_mode`. |2978| `allowed_sandbox_modes` | `array<string>` | Allowed values for `sandbox_mode`. |
2653| `allowed_web_search_modes` | `array<string>` | Allowed values for `web_search` (`disabled`, `cached`, `live`). `disabled` is always allowed; an empty list effectively allows only `disabled`. |2979| `allowed_web_search_modes` | `array<string>` | Allowed values for `web_search` (`disabled`, `cached`, `live`). `disabled` is always allowed; an empty list effectively allows only `disabled`. |
2654| `features` | `table` | Pinned feature values keyed by the canonical names from `config.toml`'s `[features]` table. |2980| `features` | `table` | Pinned feature values keyed by the canonical names from `config.toml`'s `[features]` table. |
2655| `features.<name>` | `boolean` | Require a specific canonical feature key to stay enabled or disabled. |2981| `features.<name>` | `boolean` | Require a specific canonical feature key to stay enabled or disabled. |
2982| `features.browser_use` | `boolean` | Set to `false` in `requirements.toml` to disable Browser Use and Browser Agent availability. |
2983| `features.computer_use` | `boolean` | Set to `false` in `requirements.toml` to disable Computer Use availability and related install or enablement flows. |
2984| `features.in_app_browser` | `boolean` | Set to `false` in `requirements.toml` to disable the in-app browser pane. |
2985| `guardian_policy_config` | `string` | Managed Markdown policy instructions for automatic review. This takes precedence over local `[auto_review].policy`. Blank values are ignored. |
2986| `hooks` | `table` | Admin-enforced managed lifecycle hooks. Requires a managed hook directory and uses the same event schema as inline `[hooks]` in `config.toml`. |
2987| `hooks.<Event>` | `array<table>` | Matcher groups for a hook event such as `PreToolUse`, `PostToolUse`, `PermissionRequest`, `SessionStart`, `UserPromptSubmit`, or `Stop`. |
2988| `hooks.<Event>[].hooks` | `array<table>` | Hook handlers for a matcher group. Command hooks are currently supported; prompt and agent hook handlers are parsed but skipped. |
2989| `hooks.managed_dir` | `string (absolute path)` | Directory containing managed hook scripts on macOS and Linux. Codex validates that it is absolute and exists before loading managed hooks. |
2990| `hooks.windows_managed_dir` | `string (absolute path)` | Directory containing managed hook scripts on Windows. Codex validates that it is absolute and exists before loading managed hooks. |
2656| `mcp_servers` | `table` | Allowlist of MCP servers that may be enabled. Both the server name (`<id>`) and its identity must match for the MCP server to be enabled. Any configured MCP server not in the allowlist (or with a mismatched identity) is disabled. |2991| `mcp_servers` | `table` | Allowlist of MCP servers that may be enabled. Both the server name (`<id>`) and its identity must match for the MCP server to be enabled. Any configured MCP server not in the allowlist (or with a mismatched identity) is disabled. |
2657| `mcp_servers.<id>.identity` | `table` | Identity rule for a single MCP server. Set either `command` (stdio) or `url` (streamable HTTP). |2992| `mcp_servers.<id>.identity` | `table` | Identity rule for a single MCP server. Set either `command` (stdio) or `url` (streamable HTTP). |
2658| `mcp_servers.<id>.identity.command` | `string` | Allow an MCP stdio server when its `mcp_servers.<id>.command` matches this command. |2993| `mcp_servers.<id>.identity.command` | `string` | Allow an MCP stdio server when its `mcp_servers.<id>.command` matches this command. |
2659| `mcp_servers.<id>.identity.url` | `string` | Allow an MCP streamable HTTP server when its `mcp_servers.<id>.url` matches this URL. |2994| `mcp_servers.<id>.identity.url` | `string` | Allow an MCP streamable HTTP server when its `mcp_servers.<id>.url` matches this URL. |
2995| `permissions.filesystem.deny_read` | `array<string>` | Admin-enforced filesystem read denials. Entries can be paths or glob patterns, and users cannot weaken them with local config. |
2996| `remote_sandbox_config` | `array<table>` | Host-specific sandbox requirements. The first entry whose `hostname_patterns` match the resolved host name overrides top-level `allowed_sandbox_modes` for that requirements source. Host-specific entries currently override sandbox modes only. |
2997| `remote_sandbox_config[].allowed_sandbox_modes` | `array<string>` | Allowed sandbox modes to apply when this host-specific entry matches. |
2998| `remote_sandbox_config[].hostname_patterns` | `array<string>` | Case-insensitive host name patterns. Supports `*` for any sequence of characters and `?` for one character. |
2660| `rules` | `table` | Admin-enforced command rules merged with `.rules` files. Requirements rules must be restrictive. |2999| `rules` | `table` | Admin-enforced command rules merged with `.rules` files. Requirements rules must be restrictive. |
2661| `rules.prefix_rules` | `array<table>` | List of enforced prefix rules. Each rule must include `pattern` and `decision`. |3000| `rules.prefix_rules` | `array<table>` | List of enforced prefix rules. Each rule must include `pattern` and `decision`. |
2662| `rules.prefix_rules[].decision` | `prompt | forbidden` | Required. Requirements rules can only prompt or forbid (not allow). |3001| `rules.prefix_rules[].decision` | `prompt | forbidden` | Required. Requirements rules can only prompt or forbid (not allow). |
2679 3018
2680Key3019Key
2681 3020
3021`allowed_approvals_reviewers`
3022
3023Type / Values
3024
3025`array<string>`
3026
3027Details
3028
3029Allowed values for `approvals_reviewer`, such as `user` and `auto_review`.
3030
3031Key
3032
2682`allowed_sandbox_modes`3033`allowed_sandbox_modes`
2683 3034
2684Type / Values3035Type / Values
2727 3078
2728Key3079Key
2729 3080
3081`features.browser_use`
3082
3083Type / Values
3084
3085`boolean`
3086
3087Details
3088
3089Set to `false` in `requirements.toml` to disable Browser Use and Browser Agent availability.
3090
3091Key
3092
3093`features.computer_use`
3094
3095Type / Values
3096
3097`boolean`
3098
3099Details
3100
3101Set to `false` in `requirements.toml` to disable Computer Use availability and related install or enablement flows.
3102
3103Key
3104
3105`features.in_app_browser`
3106
3107Type / Values
3108
3109`boolean`
3110
3111Details
3112
3113Set to `false` in `requirements.toml` to disable the in-app browser pane.
3114
3115Key
3116
3117`guardian_policy_config`
3118
3119Type / Values
3120
3121`string`
3122
3123Details
3124
3125Managed Markdown policy instructions for automatic review. This takes precedence over local `[auto_review].policy`. Blank values are ignored.
3126
3127Key
3128
3129`hooks`
3130
3131Type / Values
3132
3133`table`
3134
3135Details
3136
3137Admin-enforced managed lifecycle hooks. Requires a managed hook directory and uses the same event schema as inline `[hooks]` in `config.toml`.
3138
3139Key
3140
3141`hooks.<Event>`
3142
3143Type / Values
3144
3145`array<table>`
3146
3147Details
3148
3149Matcher groups for a hook event such as `PreToolUse`, `PostToolUse`, `PermissionRequest`, `SessionStart`, `UserPromptSubmit`, or `Stop`.
3150
3151Key
3152
3153`hooks.<Event>[].hooks`
3154
3155Type / Values
3156
3157`array<table>`
3158
3159Details
3160
3161Hook handlers for a matcher group. Command hooks are currently supported; prompt and agent hook handlers are parsed but skipped.
3162
3163Key
3164
3165`hooks.managed_dir`
3166
3167Type / Values
3168
3169`string (absolute path)`
3170
3171Details
3172
3173Directory containing managed hook scripts on macOS and Linux. Codex validates that it is absolute and exists before loading managed hooks.
3174
3175Key
3176
3177`hooks.windows_managed_dir`
3178
3179Type / Values
3180
3181`string (absolute path)`
3182
3183Details
3184
3185Directory containing managed hook scripts on Windows. Codex validates that it is absolute and exists before loading managed hooks.
3186
3187Key
3188
2730`mcp_servers`3189`mcp_servers`
2731 3190
2732Type / Values3191Type / Values
2775 3234
2776Key3235Key
2777 3236
3237`permissions.filesystem.deny_read`
3238
3239Type / Values
3240
3241`array<string>`
3242
3243Details
3244
3245Admin-enforced filesystem read denials. Entries can be paths or glob patterns, and users cannot weaken them with local config.
3246
3247Key
3248
3249`remote_sandbox_config`
3250
3251Type / Values
3252
3253`array<table>`
3254
3255Details
3256
3257Host-specific sandbox requirements. The first entry whose `hostname_patterns` match the resolved host name overrides top-level `allowed_sandbox_modes` for that requirements source. Host-specific entries currently override sandbox modes only.
3258
3259Key
3260
3261`remote_sandbox_config[].allowed_sandbox_modes`
3262
3263Type / Values
3264
3265`array<string>`
3266
3267Details
3268
3269Allowed sandbox modes to apply when this host-specific entry matches.
3270
3271Key
3272
3273`remote_sandbox_config[].hostname_patterns`
3274
3275Type / Values
3276
3277`array<string>`
3278
3279Details
3280
3281Case-insensitive host name patterns. Supports `*` for any sequence of characters and `?` for one character.
3282
3283Key
3284
2778`rules`3285`rules`
2779 3286
2780Type / Values3287Type / Values