config-sample.md +127 −31
27# Core Model Selection27# Core Model Selection
28################################################################################28################################################################################
29 29
3030# Primary model used by Codex. Recommended example for most users: "gpt-5.4".# Primary model used by Codex. Recommended example for most users: "gpt-5.5".
3131model = "gpt-5.4"model = "gpt-5.5"
32 32
33# Communication style for supported models. Allowed values: none | friendly | pragmatic33# Communication style for supported models. Allowed values: none | friendly | pragmatic
34# personality = "pragmatic"34# personality = "pragmatic"
35 35
36# Optional model override for /review. Default: unset (uses current session model).36# Optional model override for /review. Default: unset (uses current session model).
3737# review_model = "gpt-5.4"# review_model = "gpt-5.5"
38 38
39# Provider id selected from [model_providers]. Default: "openai".39# Provider id selected from [model_providers]. Default: "openai".
40model_provider = "openai"40model_provider = "openai"
83# Inline override for the history compaction prompt. Default: unset.83# Inline override for the history compaction prompt. Default: unset.
84# compact_prompt = ""84# compact_prompt = ""
85 85
8686# Override the default commit co-author trailer. Set to "" to disable it.# Override the default commit co-author trailer. This only takes effect when
87# [features].codex_git_commit is enabled. When enabled and unset, Codex uses
88# "Codex <noreply@openai.com>". Set to "" to disable it.
87# commit_attribution = "Jane Doe <jane@example.com>"89# commit_attribution = "Jane Doe <jane@example.com>"
88 90
89# Override built-in base instructions with a file path. Default: unset.91# Override built-in base instructions with a file path. Default: unset.
107# - untrusted: only known-safe read-only commands auto-run; others prompt109# - untrusted: only known-safe read-only commands auto-run; others prompt
108# - on-request: model decides when to ask (default)110# - on-request: model decides when to ask (default)
109# - never: never prompt (risky)111# - never: never prompt (risky)
110112# - { reject = { ... } }: auto-reject selected prompt categories# - { granular = { ... } }: allow or auto-reject selected prompt categories
111approval_policy = "on-request"113approval_policy = "on-request"
112114# Example granular auto-reject policy:# Who reviews eligible approval prompts: user (default) | auto_review
113115# approval_policy = { reject = { sandbox_approval = true, rules = false, mcp_elicitations = false } }# approvals_reviewer = "user"
116
117# Example granular policy:
118# approval_policy = { granular = {
119# sandbox_approval = true,
120# rules = true,
121# mcp_elicitations = true,
122# request_permissions = false,
123# skill_approval = false
124# } }
114 125
115# Allow login-shell semantics for shell-based tools when they request `login = true`.126# Allow login-shell semantics for shell-based tools when they request `login = true`.
116# Default: true. Set false to force non-login shells and reject explicit login-shell requests.127# Default: true. Set false to force non-login shells and reject explicit login-shell requests.
121# - workspace-write132# - workspace-write
122# - danger-full-access (no sandbox; extremely risky)133# - danger-full-access (no sandbox; extremely risky)
123sandbox_mode = "read-only"134sandbox_mode = "read-only"
135# Named permissions profile to apply by default. Built-ins:
136# :read-only | :workspace | :danger-no-sandbox
137# Use a custom name such as "workspace" only when you also define [permissions.workspace].
138# default_permissions = ":workspace"
139
140# Example filesystem profile. Use `"none"` to deny reads for exact paths or
141# glob patterns. On platforms that need pre-expanded glob matches, set
142# glob_scan_max_depth when using unbounded patterns such as `**`.
143# [permissions.workspace.filesystem]
144# glob_scan_max_depth = 3
145# ":project_roots" = { "." = "write", "**/*.env" = "none" }
146# "/absolute/path/to/secrets" = "none"
124 147
125################################################################################148################################################################################
126# Authentication & Login149# Authentication & Login
132# Base URL for ChatGPT auth flow (not OpenAI API).155# Base URL for ChatGPT auth flow (not OpenAI API).
133chatgpt_base_url = "https://chatgpt.com/backend-api/"156chatgpt_base_url = "https://chatgpt.com/backend-api/"
134 157
158# Optional base URL override for the built-in OpenAI provider.
159# openai_base_url = "https://us.api.openai.com/v1"
160
135# Restrict ChatGPT login to a specific workspace id. Default: unset.161# Restrict ChatGPT login to a specific workspace id. Default: unset.
136# forced_chatgpt_workspace_id = "00000000-0000-0000-0000-000000000000"162# forced_chatgpt_workspace_id = "00000000-0000-0000-0000-000000000000"
137 163
265# Managed network proxy settings291# Managed network proxy settings
266################################################################################292################################################################################
267 293
268294[permissions.network]# Set `default_permissions = "workspace"` before enabling this profile.
295# [permissions.workspace.network]
269# enabled = true296# enabled = true
270# proxy_url = "http://127.0.0.1:43128"297# proxy_url = "http://127.0.0.1:43128"
271# admin_url = "http://127.0.0.1:43129"298# admin_url = "http://127.0.0.1:43129"
277# dangerously_allow_non_loopback_admin = false304# dangerously_allow_non_loopback_admin = false
278# dangerously_allow_all_unix_sockets = false305# dangerously_allow_all_unix_sockets = false
279# mode = "limited" # limited | full306# mode = "limited" # limited | full
280# allowed_domains = ["api.openai.com"]
281# denied_domains = ["example.com"]
282# allow_unix_sockets = ["/var/run/docker.sock"]
283# allow_local_binding = false307# allow_local_binding = false
308#
309# [permissions.workspace.network.domains]
310# "api.openai.com" = "allow"
311# "example.com" = "deny"
312#
313# [permissions.workspace.network.unix_sockets]
314# "/var/run/docker.sock" = "allow"
284 315
285################################################################################316################################################################################
286# History (table)317# History (table)
304# Notification mechanism for terminal alerts: auto | osc9 | bel. Default: "auto"335# Notification mechanism for terminal alerts: auto | osc9 | bel. Default: "auto"
305# notification_method = "auto"336# notification_method = "auto"
306 337
338# When notifications fire: unfocused (default) | always
339# notification_condition = "unfocused"
340
307# Enables welcome/status/spinner animations. Default: true341# Enables welcome/status/spinner animations. Default: true
308animations = true342animations = true
309 343
318# Set to [] to hide the footer.352# Set to [] to hide the footer.
319# status_line = ["model", "context-remaining", "git-branch"]353# status_line = ["model", "context-remaining", "git-branch"]
320 354
355# Ordered list of terminal window/tab title item IDs. When unset, Codex uses:
356# ["spinner", "project"]. Set to [] to clear the title.
357# Available IDs include app-name, project, spinner, status, thread, git-branch, model,
358# and task-progress.
359# terminal_title = ["spinner", "project"]
360
321# Syntax-highlighting theme (kebab-case). Use /theme in the TUI to preview and save.361# Syntax-highlighting theme (kebab-case). Use /theme in the TUI to preview and save.
322# You can also add custom .tmTheme files under $CODEX_HOME/themes.362# You can also add custom .tmTheme files under $CODEX_HOME/themes.
323# theme = "catppuccin-mocha"363# theme = "catppuccin-mocha"
324 364
365# Custom key bindings. Context-specific bindings override [tui.keymap.global].
366# Use [] to unbind an action.
367# [tui.keymap.global]
368# open_transcript = "ctrl-t"
369# open_external_editor = []
370#
371# [tui.keymap.composer]
372# submit = ["enter", "ctrl-m"]
373
325# Internal tooltip state keyed by model slug. Usually managed by Codex.374# Internal tooltip state keyed by model slug. Usually managed by Codex.
326# [tui.model_availability_nux]375# [tui.model_availability_nux]
327# "gpt-5.4" = 1376# "gpt-5.4" = 1
341# hide_rate_limit_model_nudge = true390# hide_rate_limit_model_nudge = true
342# hide_gpt5_1_migration_prompt = true391# hide_gpt5_1_migration_prompt = true
343# "hide_gpt-5.1-codex-max_migration_prompt" = true392# "hide_gpt-5.1-codex-max_migration_prompt" = true
344393# model_migrations = { "gpt-4.1" = "gpt-5.1" }# model_migrations = { "gpt-5.3-codex" = "gpt-5.4" }
345 394
346################################################################################395################################################################################
347# Centralized Feature Flags (preferred)396# Centralized Feature Flags (preferred)
351# Leave this table empty to accept defaults. Set explicit booleans to opt in/out.400# Leave this table empty to accept defaults. Set explicit booleans to opt in/out.
352# shell_tool = true401# shell_tool = true
353# apps = false402# apps = false
354403# apps_mcp_gateway = false# codex_git_commit = false
355404# unified_exec = false# codex_hooks = false
356405# shell_snapshot = false# unified_exec = true
357406# multi_agent = false# shell_snapshot = true
407# multi_agent = true
358# personality = true408# personality = true
359# use_linux_sandbox_bwrap = false
360# runtime_metrics = true
361# powershell_utf8 = true
362# child_agents_md = false
363# sqlite = true
364# fast_mode = true409# fast_mode = true
365# enable_request_compression = true410# enable_request_compression = true
366# image_generation = false
367# skill_mcp_dependency_install = true411# skill_mcp_dependency_install = true
368# skill_env_var_dependency_prompt = false
369# default_mode_request_user_input = false
370# artifact = false
371# prevent_idle_sleep = false412# prevent_idle_sleep = false
372413# responses_websockets = false
373414# responses_websockets_v2 = false################################################################################
374415# image_detail_original = false# Memories (table)
416################################################################################
417
418# Enable memories with [features].memories, then tune memory behavior here.
419# [memories]
420# generate_memories = true
421# use_memories = true
422# disable_on_external_context = false # legacy alias: no_memories_if_mcp_or_web_search
423
424################################################################################
425# Lifecycle hooks can be configured here inline or in a sibling hooks.json.
426################################################################################
427
428# [hooks]
429# [[hooks.PreToolUse]]
430# matcher = "^Bash$"
431#
432# [[hooks.PreToolUse.hooks]]
433# type = "command"
434# command = 'python3 "/absolute/path/to/pre_tool_use_policy.py"'
435# timeout = 30
436# statusMessage = "Checking Bash command"
375 437
376################################################################################438################################################################################
377# Define MCP servers under this table. Leave empty to disable.439# Define MCP servers under this table. Leave empty to disable.
386# command = "docs-server" # required448# command = "docs-server" # required
387# args = ["--port", "4000"] # optional449# args = ["--port", "4000"] # optional
388# env = { "API_KEY" = "value" } # optional key/value pairs copied as-is450# env = { "API_KEY" = "value" } # optional key/value pairs copied as-is
389451# env_vars = ["ANOTHER_SECRET"] # optional: forward these from the parent env# env_vars = ["ANOTHER_SECRET"] # optional: forward local parent env vars
452# env_vars = ["LOCAL_TOKEN", { name = "REMOTE_TOKEN", source = "remote" }]
390# cwd = "/path/to/server" # optional working directory override453# cwd = "/path/to/server" # optional working directory override
454# experimental_environment = "remote" # experimental: run stdio via a remote executor
391# startup_timeout_sec = 10.0 # optional; default 10.0 seconds455# startup_timeout_sec = 10.0 # optional; default 10.0 seconds
392# # startup_timeout_ms = 10000 # optional alias for startup timeout (milliseconds)456# # startup_timeout_ms = 10000 # optional alias for startup timeout (milliseconds)
393# tool_timeout_sec = 60.0 # optional; default 60.0 seconds457# tool_timeout_sec = 60.0 # optional; default 60.0 seconds
418# - openai482# - openai
419# - ollama483# - ollama
420# - lmstudio484# - lmstudio
485# - amazon-bedrock
486# These IDs are reserved. Use a different ID for custom providers.
421 487
422[model_providers]488[model_providers]
423 489
490# --- Example: built-in Amazon Bedrock provider options ---
491# model_provider = "amazon-bedrock"
492# model = "<bedrock-model-id>"
493# [model_providers.amazon-bedrock.aws]
494# profile = "default"
495# region = "eu-central-1"
496
424# --- Example: OpenAI data residency with explicit base URL or headers ---497# --- Example: OpenAI data residency with explicit base URL or headers ---
425# [model_providers.openaidr]498# [model_providers.openaidr]
426# name = "OpenAI Data Residency"499# name = "OpenAI Data Residency"
427# base_url = "https://us.api.openai.com/v1" # example with 'us' domain prefix500# base_url = "https://us.api.openai.com/v1" # example with 'us' domain prefix
428# wire_api = "responses" # only supported value501# wire_api = "responses" # only supported value
429502# # requires_openai_auth = true # built-in OpenAI defaults to true# # requires_openai_auth = true # use only for providers backed by OpenAI auth
430# # request_max_retries = 4 # default 4; max 100503# # request_max_retries = 4 # default 4; max 100
431# # stream_max_retries = 5 # default 5; max 100504# # stream_max_retries = 5 # default 5; max 100
432# # stream_idle_timeout_ms = 300000 # default 300_000 (5m)505# # stream_idle_timeout_ms = 300000 # default 300_000 (5m)
445# env_key_instructions = "Set AZURE_OPENAI_API_KEY in your environment"518# env_key_instructions = "Set AZURE_OPENAI_API_KEY in your environment"
446# # supports_websockets = false519# # supports_websockets = false
447 520
521# --- Example: command-backed bearer token auth ---
522# [model_providers.proxy]
523# name = "OpenAI using LLM proxy"
524# base_url = "https://proxy.example.com/v1"
525# wire_api = "responses"
526#
527# [model_providers.proxy.auth]
528# command = "/usr/local/bin/fetch-codex-token"
529# args = ["--audience", "codex"]
530# timeout_ms = 5000
531# refresh_interval_ms = 300000
532
448# --- Example: Local OSS (e.g., Ollama-compatible) ---533# --- Example: Local OSS (e.g., Ollama-compatible) ---
449534# [model_providers.ollama]# [model_providers.local_ollama]
450# name = "Ollama"535# name = "Ollama"
451# base_url = "http://localhost:11434/v1"536# base_url = "http://localhost:11434/v1"
452# wire_api = "responses"537# wire_api = "responses"
473# enabled = false558# enabled = false
474# approval_mode = "approve"559# approval_mode = "approve"
475 560
561# Optional tool suggestion allowlist for connectors or plugins Codex can offer to install.
562# [tool_suggest]
563# discoverables = [
564# { type = "connector", id = "gmail" },
565# { type = "plugin", id = "figma@openai-curated" },
566# ]
567# disabled_tools = [
568# { type = "plugin", id = "slack@openai-curated" },
569# { type = "connector", id = "connector_googlecalendar" },
570# ]
571
476################################################################################572################################################################################
477# Profiles (named presets)573# Profiles (named presets)
478################################################################################574################################################################################