clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-04-24 14:45:27 +00:00
Code Issues Packages Projects Releases Wiki Activity
2,127 Commits 2,457 Branches 904 Tags
c6f68c9df8d966c3f91889180fd66cec9bf582f3
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Michael Bolin c6f68c9df8 feat: declare server capability in shell-tool-mcp (#7112) 
This introduces a new feature to Codex when it operates as an MCP
_client_ where if an MCP _server_ replies that it has an entry named
`"codex/sandbox-state"` in its _server capabilities_, then Codex will
send it an MCP notification with the following structure:

```json
{
  "method": "codex/sandbox-state/update",
  "params": {
    "sandboxPolicy": {
      "type": "workspace-write",
      "network-access": false,
      "exclude-tmpdir-env-var": false
      "exclude-slash-tmp": false
    },
    "codexLinuxSandboxExe": null,
    "sandboxCwd": "/Users/mbolin/code/codex2"
  }
}
```

or with whatever values are appropriate for the initial `sandboxPolicy`.

**NOTE:** Codex _should_ continue to send the MCP server notifications
of the same format if these things change over the lifetime of the
thread, but that isn't wired up yet.

The result is that `shell-tool-mcp` can consume these values so that
when it calls `codex_core::exec::process_exec_tool_call()` in
`codex-rs/exec-server/src/posix/escalate_server.rs`, it is now sure to
call it with the correct values (whereas previously we relied on
hardcoded values).

While I would argue this is a supported use case within the MCP
protocol, the `rmcp` crate that we are using today does not support
custom notifications. As such, I had to patch it and I submitted it for
review, so hopefully it will be accepted in some form:

https://github.com/modelcontextprotocol/rust-sdk/pull/556

To test out this change from end-to-end:

- I ran `cargo build` in `~/code/codex2/codex-rs/exec-server`
- I built the fork of Bash in `~/code/bash/bash`
- I added the following to my `~/.codex/config.toml`:

```toml
# Use with `codex --disable shell_tool`.
[mcp_servers.execshell]
args = ["--bash", "/Users/mbolin/code/bash/bash"]
command = "/Users/mbolin/code/codex2/codex-rs/target/debug/codex-exec-mcp-server"
```

- From `~/code/codex2/codex-rs`, I ran `just codex --disable shell_tool`
- When the TUI started up, I verified that the sandbox mode is
`workspace-write`
- I ran `/mcp` to verify that the shell tool from the MCP is there:

<img width="1387" height="1400" alt="image"
src="https://github.com/user-attachments/assets/1a8addcc-5005-4e16-b59f-95cfd06fd4ab"
/>

- Then I asked it:

> what is the output of `gh issue list`

because this should be auto-approved with our existing dummy policy:


af63e6eccc/codex-rs/exec-server/src/posix.rs (L157-L164)

And it worked:

<img width="1387" height="1400" alt="image"
src="https://github.com/user-attachments/assets/7568d2f7-80da-4d68-86d0-c265a6f5e6c1"
/>
2025-11-21 16:11:01 -08:00
.devcontainer
chore: install an extension for TOML syntax highlighting in the devcontainer (#1650)
2025-07-22 10:58:09 -07:00
.github
fix: start publishing @openai/codex-shell-tool-mcp to npm (#7123)
2025-11-21 15:03:50 -08:00
.vscode
Move rust analyzer target dir (#5328)
2025-10-18 17:31:46 -07:00
codex-cli
detect Bun installs in CLI update banner (#5074)
2025-10-14 17:49:44 +00:00
codex-rs
feat: declare server capability in shell-tool-mcp (#7112)
2025-11-21 16:11:01 -08:00
docs
Windows: flag some invocations that launch browsers/URLs as dangerous (#7111)
2025-11-21 13:36:17 -08:00
scripts
fix: ToC so it doesn’t include itself or duplicate the end marker (#4388)
2025-11-05 14:52:51 -08:00
sdk/typescript
feat(ts-sdk): allow overriding CLI environment (#6648)
2025-11-14 19:44:19 +00:00
shell-tool-mcp
feat: codex-shell-tool-mcp (#7005)
2025-11-21 08:16:36 -08:00
.codespellignore
feat: make it possible to toggle mouse mode in the Rust TUI (#971)
2025-05-16 16:16:50 -07:00
.codespellrc
TypeScript SDK scaffold (#4455)
2025-09-29 13:27:13 -07:00
.gitignore
nit: personal git ignore (#6787)
2025-11-17 17:45:52 +00:00
.npmrc
chore: migrate to pnpm for improved monorepo management (#287)
2025-04-18 16:25:15 -07:00
.prettierignore
[apply-patch] Clean up apply-patch tool definitions (#2539)
2025-08-21 20:07:41 -07:00
.prettierrc.toml
Initial commit
2025-04-16 12:56:08 -04:00
AGENTS.md
tests: replace mount_sse_once_match with mount_sse_once for SSE mocking (#6640)
2025-11-13 18:04:05 -08:00
CHANGELOG.md
Documentation improvement: add missing period (#3754)
2025-10-30 13:01:33 -07:00
cliff.toml
docs(changelog): update install command to @openai/codex@<version> (#2073)
2025-10-18 11:02:22 -07:00
flake.lock
Fix nix build (#4048)
2025-10-17 12:19:08 -07:00
flake.nix
Fix nix build (#4048)
2025-10-17 12:19:08 -07:00
LICENSE
Initial commit
2025-04-16 12:56:08 -04:00
NOTICE
resizable viewport (#1732)
2025-07-31 00:06:55 +00:00
package.json
chore: subject docs/*.md to Prettier checks (#4645)
2025-10-03 11:35:48 -07:00
pnpm-lock.yaml
feat: codex-shell-tool-mcp (#7005)
2025-11-21 08:16:36 -08:00
pnpm-workspace.yaml
feat: codex-shell-tool-mcp (#7005)
2025-11-21 08:16:36 -08:00
PNPM.md
fix: include pnpm lock file (#377)
2025-04-18 17:01:11 -07:00
README.md
execpolicycheck command in codex cli (#7012)
2025-11-20 16:44:31 -05:00

README.md

npm i -g @openai/codex
or brew install --cask codex

Codex CLI is a coding agent from OpenAI that runs locally on your computer.

If you want Codex in your code editor (VS Code, Cursor, Windsurf), install in your IDE
If you are looking for the cloud-based agent from OpenAI, Codex Web, go to chatgpt.com/codex

Codex CLI splash

Quickstart

Installing and running Codex CLI

Install globally with your preferred package manager. If you use npm:

npm install -g @openai/codex

Alternatively, if you use Homebrew:

brew install --cask codex

Then simply run codex to get started:

codex

If you're running into upgrade issues with Homebrew, see the FAQ entry on brew upgrade codex.

You can also go to the latest GitHub Release and download the appropriate binary for your platform.

Each GitHub Release contains many executables, but in practice, you likely want one of these:

  • macOS
    • Apple Silicon/arm64: codex-aarch64-apple-darwin.tar.gz
    • x86_64 (older Mac hardware): codex-x86_64-apple-darwin.tar.gz
  • Linux
    • x86_64: codex-x86_64-unknown-linux-musl.tar.gz
    • arm64: codex-aarch64-unknown-linux-musl.tar.gz

Each archive contains a single entry with the platform baked into the name (e.g., codex-x86_64-unknown-linux-musl), so you likely want to rename it to codex after extracting it.

Using Codex with your ChatGPT plan

Codex CLI login

Run codex and select Sign in with ChatGPT. We recommend signing into your ChatGPT account to use Codex as part of your Plus, Pro, Team, Edu, or Enterprise plan. Learn more about what's included in your ChatGPT plan.

You can also use Codex with an API key, but this requires additional setup. If you previously used an API key for usage-based billing, see the migration steps. If you're having trouble with login, please comment on this issue.

Model Context Protocol (MCP)

Codex can access MCP servers. To configure them, refer to the config docs.

Configuration

Codex CLI supports a rich set of configuration options, with preferences stored in ~/.codex/config.toml. For full configuration options, see Configuration.

Execpolicy Quickstart

Codex can enforce your own rules-based execution policy before it runs shell commands.

  1. Create a policy directory: mkdir -p ~/.codex/policy.
  2. Create one or more .codexpolicy files in that folder. Codex automatically loads every .codexpolicy file in there on startup.
  3. Write prefix_rule entries to describe the commands you want to allow, prompt, or block:
prefix_rule(
    pattern = ["git", ["push", "fetch"]],
    decision = "prompt",  # allow | prompt | forbidden
    match = [["git", "push", "origin", "main"]],  # examples that must match
    not_match = [["git", "status"]],              # examples that must not match
)
  • pattern is a list of shell tokens, evaluated from left to right; wrap tokens in a nested list to express alternatives (e.g., match both push and fetch).
  • decision sets the severity; Codex picks the strictest decision when multiple rules match (forbidden > prompt > allow).
  • match and not_match act as (optional) unit tests. Codex validates them when it loads your policy, so you get feedback if an example has unexpected behavior.

In this example rule, if Codex wants to run commands with the prefix git push or git fetch, it will first ask for user approval.

Use the codex execpolicy check subcommand to preview decisions before you save a rule (see the codex-execpolicy README for syntax details):

codex execpolicy check --policy ~/.codex/policy/default.codexpolicy git push origin main

Pass multiple --policy flags to test how several files combine, and use --pretty for formatted JSON output. See the codex-rs/execpolicy README for a more detailed walkthrough of the available syntax.

Note: execpolicy commands are still in preview. The API may have breaking changes in the future.

Docs & FAQ

License

This repository is licensed under the Apache-2.0 License.

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme Apache-2.0 1.3 GiB
Languages
Rust 96.1%
Python 2.6%
TypeScript 0.3%
JavaScript 0.2%
Starlark 0.2%
Other 0.4%