Use this page as a searchable reference for Codex configuration files. For conceptual guidance and examples, start with Config basics and Advanced Config.
config.toml
User-level configuration lives in ~/.codex/config.toml. You can also add project-scoped overrides in .codex/config.toml files. Codex loads project-scoped config files only when you trust the project.
For sandbox and approval keys (approval_policy, sandbox_mode, and sandbox_workspace_write.*), pair this reference with Sandbox and approvals, Protected paths in writable roots, and Network access.
| Key | Type / Values | Details |
|---|---|---|
agents.<name>.config_file | string (path) | Path to a TOML config layer for that role; relative paths resolve from the config file that declares the role. |
agents.<name>.description | string | Role guidance shown to Codex when choosing and spawning that agent type. |
agents.<name>.nickname_candidates | array<string> | Optional pool of display nicknames for spawned agents in that role. |
agents.job_max_runtime_seconds | number | Default per-worker timeout for spawn_agents_on_csv jobs. When unset, the tool falls back to 1800 seconds per worker. |
agents.max_depth | number | Maximum nesting depth allowed for spawned agent threads (root sessions start at depth 0; default: 1). |
agents.max_threads | number | Maximum number of agent threads that can be open concurrently. Defaults to 6 when unset. |
allow_login_shell | boolean | Allow shell-based tools to use login-shell semantics. Defaults to true; when false, login = true requests are rejected and omitted login defaults to non-login shells. |
analytics.enabled | boolean | Enable or disable analytics for this machine/profile. When unset, the client default applies. |
approval_policy | untrusted | on-request | never | { granular = { sandbox_approval = bool, rules = bool, mcp_elicitations = bool, request_permissions = bool, skill_approval = bool } } | Controls when Codex pauses for approval before executing commands. You can also use approval_policy = { granular = { ... } } to allow or auto-reject specific prompt categories while keeping other prompts interactive. on-failure is deprecated; use on-request for interactive runs or never for non-interactive runs. |
approval_policy.granular.mcp_elicitations | boolean | When true, MCP elicitation prompts are allowed to surface instead of being auto-rejected. |
approval_policy.granular.request_permissions | boolean | When true, prompts from the request_permissions tool are allowed to surface. |
approval_policy.granular.rules | boolean | When true, approvals triggered by execpolicy prompt rules are allowed to surface. |
approval_policy.granular.sandbox_approval | boolean | When true, sandbox escalation approval prompts are allowed to surface. |
approval_policy.granular.skill_approval | boolean | When true, skill-script approval prompts are allowed to surface. |
apps._default.destructive_enabled | boolean | Default allow/deny for app tools with destructive_hint = true. |
apps._default.enabled | boolean | Default app enabled state for all apps unless overridden per app. |
apps._default.open_world_enabled | boolean | Default allow/deny for app tools with open_world_hint = true. |
apps.<id>.default_tools_approval_mode | auto | prompt | approve | Default approval behavior for tools in this app unless a per-tool override exists. |
apps.<id>.default_tools_enabled | boolean | Default enabled state for tools in this app unless a per-tool override exists. |
apps.<id>.destructive_enabled | boolean | Allow or block tools in this app that advertise destructive_hint = true. |
apps.<id>.enabled | boolean | Enable or disable a specific app/connector by id (default: true). |
apps.<id>.open_world_enabled | boolean | Allow or block tools in this app that advertise open_world_hint = true. |
apps.<id>.tools.<tool>.approval_mode | auto | prompt | approve | Per-tool approval behavior override for a single app tool. |
apps.<id>.tools.<tool>.enabled | boolean | Per-tool enabled override for an app tool (for example repos/list). |
background_terminal_max_timeout | number | Maximum poll window in milliseconds for empty write_stdin polls (background terminal polling). Default: 300000 (5 minutes). Replaces the older background_terminal_timeout key. |
chatgpt_base_url | string | Override the base URL used during the ChatGPT login flow. |
check_for_update_on_startup | boolean | Check for Codex updates on startup (set to false only when updates are centrally managed). |
cli_auth_credentials_store | file | keyring | auto | Control where the CLI stores cached credentials (file-based auth.json vs OS keychain). |
commit_attribution | string | Override the commit co-author trailer text. Set an empty string to disable automatic attribution. |
compact_prompt | string | Inline override for the history compaction prompt. |
default_permissions | string | Name of the default permissions profile to apply to sandboxed tool calls. |
developer_instructions | string | Additional developer instructions injected into the session (optional). |
disable_paste_burst | boolean | Disable burst-paste detection in the TUI. |
experimental_compact_prompt_file | string (path) | Load the compaction prompt override from a file (experimental). |
experimental_use_unified_exec_tool | boolean | Legacy name for enabling unified exec; prefer [features].unified_exec or codex --enable unified_exec. |
features.apps | boolean | Enable ChatGPT Apps/connectors support (experimental). |
features.enable_request_compression | boolean | Compress streaming request bodies with zstd when supported (stable; on by default). |
features.fast_mode | boolean | Enable Fast mode selection and the service_tier = "fast" path (stable; on by default). |
features.multi_agent | boolean | Enable multi-agent collaboration tools ( spawn_agent, send_input, resume_agent, wait_agent, and close_agent) (stable; on by default). |
features.personality | boolean | Enable personality selection controls (stable; on by default). |
features.prevent_idle_sleep | boolean | Prevent the machine from sleeping while a turn is actively running (experimental; off by default). |
features.shell_snapshot | boolean | Snapshot shell environment to speed up repeated commands (stable; on by default). |
features.shell_tool | boolean | Enable the default shell tool for running commands (stable; on by default). |
features.skill_mcp_dependency_install | boolean | Allow prompting and installing missing MCP dependencies for skills (stable; on by default). |
features.smart_approvals | boolean | Route eligible approval requests through the guardian reviewer subagent (experimental; off by default). |
features.undo | boolean | Enable undo support (stable; off by default). |
features.unified_exec | boolean | Use the unified PTY-backed exec tool (stable; enabled by default except on Windows). |
features.web_search | boolean | Deprecated legacy toggle; prefer the top-level web_search setting. |
features.web_search_cached | boolean | Deprecated legacy toggle. When web_search is unset, true maps to web_search = "cached". |
features.web_search_request | boolean | Deprecated legacy toggle. When web_search is unset, true maps to web_search = "live". |
feedback.enabled | boolean | Enable feedback submission via /feedback across Codex surfaces (default: true). |
file_opener | vscode | vscode-insiders | windsurf | cursor | none | URI scheme used to open citations from Codex output (default: vscode). |
forced_chatgpt_workspace_id | string (uuid) | Limit ChatGPT logins to a specific workspace identifier. |
forced_login_method | chatgpt | api | Restrict Codex to a specific authentication method. |
hide_agent_reasoning | boolean | Suppress reasoning events in both the TUI and codex exec output. |
history.max_bytes | number | If set, caps the history file size in bytes by dropping oldest entries. |
history.persistence | save-all | none | Control whether Codex saves session transcripts to history.jsonl. |
instructions | string | Reserved for future use; prefer model_instructions_file or AGENTS.md. |
log_dir | string (path) | Directory where Codex writes log files (for example codex-tui.log); defaults to $CODEX_HOME/log. |
mcp_oauth_callback_port | integer | Optional fixed port for the local HTTP callback server used during MCP OAuth login. When unset, Codex binds to an ephemeral port chosen by the OS. |
mcp_oauth_callback_url | string | Optional redirect URI override for MCP OAuth login (for example, a devbox ingress URL). mcp_oauth_callback_port still controls the callback listener port. |
mcp_oauth_credentials_store | auto | file | keyring | Preferred store for MCP OAuth credentials. |
mcp_servers.<id>.args | array<string> | Arguments passed to the MCP stdio server command. |
mcp_servers.<id>.bearer_token_env_var | string | Environment variable sourcing the bearer token for an MCP HTTP server. |
mcp_servers.<id>.command | string | Launcher command for an MCP stdio server. |
mcp_servers.<id>.cwd | string | Working directory for the MCP stdio server process. |
mcp_servers.<id>.disabled_tools | array<string> | Deny list applied after enabled_tools for the MCP server. |
mcp_servers.<id>.enabled | boolean | Disable an MCP server without removing its configuration. |
mcp_servers.<id>.enabled_tools | array<string> | Allow list of tool names exposed by the MCP server. |
mcp_servers.<id>.env | map<string,string> | Environment variables forwarded to the MCP stdio server. |
mcp_servers.<id>.env_http_headers | map<string,string> | HTTP headers populated from environment variables for an MCP HTTP server. |
mcp_servers.<id>.env_vars | array<string> | Additional environment variables to whitelist for an MCP stdio server. |
mcp_servers.<id>.http_headers | map<string,string> | Static HTTP headers included with each MCP HTTP request. |
mcp_servers.<id>.oauth_resource | string | Optional RFC 8707 OAuth resource parameter to include during MCP login. |
mcp_servers.<id>.required | boolean | When true, fail startup/resume if this enabled MCP server cannot initialize. |
mcp_servers.<id>.scopes | array<string> | OAuth scopes to request when authenticating to that MCP server. |
mcp_servers.<id>.startup_timeout_ms | number | Alias for startup_timeout_sec in milliseconds. |
mcp_servers.<id>.startup_timeout_sec | number | Override the default 10s startup timeout for an MCP server. |
mcp_servers.<id>.tool_timeout_sec | number | Override the default 60s per-tool timeout for an MCP server. |
mcp_servers.<id>.url | string | Endpoint for an MCP streamable HTTP server. |
model | string | Model to use (e.g., gpt-5-codex). |
model_auto_compact_token_limit | number | Token threshold that triggers automatic history compaction (unset uses model defaults). |
model_catalog_json | string (path) | Optional path to a JSON model catalog loaded on startup. Profile-level profiles.<name>.model_catalog_json can override this per profile. |
model_context_window | number | Context window tokens available to the active model. |
model_instructions_file | string (path) | Replacement for built-in instructions instead of AGENTS.md. |
model_provider | string | Provider id from model_providers (default: openai). |
model_providers.<id>.base_url | string | API base URL for the model provider. |
model_providers.<id>.env_http_headers | map<string,string> | HTTP headers populated from environment variables when present. |
model_providers.<id>.env_key | string | Environment variable supplying the provider API key. |
model_providers.<id>.env_key_instructions | string | Optional setup guidance for the provider API key. |
model_providers.<id>.experimental_bearer_token | string | Direct bearer token for the provider (discouraged; use env_key). |
model_providers.<id>.http_headers | map<string,string> | Static HTTP headers added to provider requests. |
model_providers.<id>.name | string | Display name for a custom model provider. |
model_providers.<id>.query_params | map<string,string> | Extra query parameters appended to provider requests. |
model_providers.<id>.request_max_retries | number | Retry count for HTTP requests to the provider (default: 4). |
model_providers.<id>.requires_openai_auth | boolean | The provider uses OpenAI authentication (defaults to false). |
model_providers.<id>.stream_idle_timeout_ms | number | Idle timeout for SSE streams in milliseconds (default: 300000). |
model_providers.<id>.stream_max_retries | number | Retry count for SSE streaming interruptions (default: 5). |
model_providers.<id>.supports_websockets | boolean | Whether that provider supports the Responses API WebSocket transport. |
model_providers.<id>.wire_api | responses | Protocol used by the provider. responses is the only supported value, and it is the default when omitted. |
model_reasoning_effort | minimal | low | medium | high | xhigh | Adjust reasoning effort for supported models (Responses API only; xhigh is model-dependent). |
model_reasoning_summary | auto | concise | detailed | none | Select reasoning summary detail or disable summaries entirely. |
model_supports_reasoning_summaries | boolean | Force Codex to send or not send reasoning metadata. |
model_verbosity | low | medium | high | Optional GPT-5 Responses API verbosity override; when unset, the selected model/preset default is used. |
notice.hide_full_access_warning | boolean | Track acknowledgement of the full access warning prompt. |
notice.hide_gpt-5.1-codex-max_migration_prompt | boolean | Track acknowledgement of the gpt-5.1-codex-max migration prompt. |
notice.hide_gpt5_1_migration_prompt | boolean | Track acknowledgement of the GPT-5.1 migration prompt. |
notice.hide_rate_limit_model_nudge | boolean | Track opt-out of the rate limit model switch reminder. |
notice.hide_world_writable_warning | boolean | Track acknowledgement of the Windows world-writable directories warning. |
notice.model_migrations | map<string,string> | Track acknowledged model migrations as old->new mappings. |
notify | array<string> | Command invoked for notifications; receives a JSON payload from Codex. |
openai_base_url | string | Base URL override for the built-in openai model provider. |
oss_provider | lmstudio | ollama | Default local provider used when running with --oss (defaults to prompting if unset). |
otel.environment | string | Environment tag applied to emitted OpenTelemetry events (default: dev). |
otel.exporter | none | otlp-http | otlp-grpc | Select the OpenTelemetry exporter and provide any endpoint metadata. |
otel.exporter.<id>.endpoint | string | Exporter endpoint for OTEL logs. |
otel.exporter.<id>.headers | map<string,string> | Static headers included with OTEL exporter requests. |
otel.exporter.<id>.protocol | binary | json | Protocol used by the OTLP/HTTP exporter. |
otel.exporter.<id>.tls.ca-certificate | string | CA certificate path for OTEL exporter TLS. |
otel.exporter.<id>.tls.client-certificate | string | Client certificate path for OTEL exporter TLS. |
otel.exporter.<id>.tls.client-private-key | string | Client private key path for OTEL exporter TLS. |
otel.log_user_prompt | boolean | Opt in to exporting raw user prompts with OpenTelemetry logs. |
otel.metrics_exporter | none | statsig | otlp-http | otlp-grpc | Select the OpenTelemetry metrics exporter (defaults to statsig). |
otel.trace_exporter | none | otlp-http | otlp-grpc | Select the OpenTelemetry trace exporter and provide any endpoint metadata. |
otel.trace_exporter.<id>.endpoint | string | Trace exporter endpoint for OTEL logs. |
otel.trace_exporter.<id>.headers | map<string,string> | Static headers included with OTEL trace exporter requests. |
otel.trace_exporter.<id>.protocol | binary | json | Protocol used by the OTLP/HTTP trace exporter. |
otel.trace_exporter.<id>.tls.ca-certificate | string | CA certificate path for OTEL trace exporter TLS. |
otel.trace_exporter.<id>.tls.client-certificate | string | Client certificate path for OTEL trace exporter TLS. |
otel.trace_exporter.<id>.tls.client-private-key | string | Client private key path for OTEL trace exporter TLS. |
permissions.<name>.filesystem | table | Named filesystem permission profile. Each key is an absolute path or special token such as :minimal or :project_roots. |
permissions.<name>.filesystem.":project_roots".<subpath> | "read" | "write" | "none" | Scoped filesystem access relative to the detected project roots. Use "." for the root itself. |
permissions.<name>.filesystem.<path> | "read" | "write" | "none" | table | Grant direct access for a path or special token, or scope nested entries under that root. |
permissions.<name>.network.allow_local_binding | boolean | Permit local bind/listen operations through the managed proxy. |
permissions.<name>.network.allow_unix_sockets | array<string> | Allowlist of Unix socket paths permitted through the managed proxy. |
permissions.<name>.network.allow_upstream_proxy | boolean | Allow the managed proxy to chain to another upstream proxy. |
permissions.<name>.network.allowed_domains | array<string> | Allowlist of domains permitted through the managed proxy. |
permissions.<name>.network.dangerously_allow_all_unix_sockets | boolean | Allow the proxy to use arbitrary Unix sockets instead of the default restricted set. |
permissions.<name>.network.dangerously_allow_non_loopback_proxy | boolean | Permit non-loopback bind addresses for the managed proxy listener. |
permissions.<name>.network.denied_domains | array<string> | Denylist of domains blocked by the managed proxy. |
permissions.<name>.network.enable_socks5 | boolean | Expose a SOCKS5 listener when this permissions profile enables the managed network proxy. |
permissions.<name>.network.enable_socks5_udp | boolean | Allow UDP over the SOCKS5 listener when enabled. |
permissions.<name>.network.enabled | boolean | Enable network access for this named permissions profile. |
permissions.<name>.network.mode | limited | full | Network proxy mode used for subprocess traffic. |
permissions.<name>.network.proxy_url | string | HTTP proxy endpoint used when this permissions profile enables the managed network proxy. |
permissions.<name>.network.socks_url | string | SOCKS5 proxy endpoint used by this permissions profile. |
personality | none | friendly | pragmatic | Default communication style for models that advertise supportsPersonality; can be overridden per thread/turn or via /personality. |
plan_mode_reasoning_effort | none | minimal | low | medium | high | xhigh | Plan-mode-specific reasoning override. When unset, Plan mode uses its built-in preset default. |
profile | string | Default profile applied at startup (equivalent to --profile). |
profiles.<name>.* | various | Profile-scoped overrides for any of the supported configuration keys. |
profiles.<name>.analytics.enabled | boolean | Profile-scoped analytics enablement override. |
profiles.<name>.experimental_use_unified_exec_tool | boolean | Legacy name for enabling unified exec; prefer [features].unified_exec. |
profiles.<name>.model_catalog_json | string (path) | Profile-scoped model catalog JSON path override (applied on startup only; overrides the top-level model_catalog_json for that profile). |
profiles.<name>.model_instructions_file | string (path) | Profile-scoped replacement for the built-in instruction file. |
profiles.<name>.oss_provider | lmstudio | ollama | Profile-scoped OSS provider for --oss sessions. |
profiles.<name>.personality | none | friendly | pragmatic | Profile-scoped communication style override for supported models. |
profiles.<name>.plan_mode_reasoning_effort | none | minimal | low | medium | high | xhigh | Profile-scoped Plan-mode reasoning override. |
profiles.<name>.service_tier | flex | fast | Profile-scoped service tier preference for new turns. |
profiles.<name>.tools_view_image | boolean | Enable or disable the view_image tool in that profile. |
profiles.<name>.web_search | disabled | cached | live | Profile-scoped web search mode override (default: "cached"). |
profiles.<name>.windows.sandbox | unelevated | elevated | Profile-scoped Windows sandbox mode override. |
project_doc_fallback_filenames | array<string> | Additional filenames to try when AGENTS.md is missing. |
project_doc_max_bytes | number | Maximum bytes read from AGENTS.md when building project instructions. |
project_root_markers | array<string> | List of project root marker filenames; used when searching parent directories for the project root. |
projects.<path>.trust_level | string | Mark a project or worktree as trusted or untrusted ( "trusted" | "untrusted"). Untrusted projects skip project-scoped .codex/ layers. |
review_model | string | Optional model override used by /review (defaults to the current session model). |
sandbox_mode | read-only | workspace-write | danger-full-access | Sandbox policy for filesystem and network access during command execution. |
sandbox_workspace_write.exclude_slash_tmp | boolean | Exclude /tmp from writable roots in workspace-write mode. |
sandbox_workspace_write.exclude_tmpdir_env_var | boolean | Exclude $TMPDIR from writable roots in workspace-write mode. |
sandbox_workspace_write.network_access | boolean | Allow outbound network access inside the workspace-write sandbox. |
sandbox_workspace_write.writable_roots | array<string> | Additional writable roots when sandbox_mode = "workspace-write". |
service_tier | flex | fast | Preferred service tier for new turns. |
shell_environment_policy.exclude | array<string> | Glob patterns for removing environment variables after the defaults. |
shell_environment_policy.experimental_use_profile | boolean | Use the user shell profile when spawning subprocesses. |
shell_environment_policy.ignore_default_excludes | boolean | Keep variables containing KEY/SECRET/TOKEN before other filters run. |
shell_environment_policy.include_only | array<string> | Whitelist of patterns; when set only matching variables are kept. |
shell_environment_policy.inherit | all | core | none | Baseline environment inheritance when spawning subprocesses. |
shell_environment_policy.set | map<string,string> | Explicit environment overrides injected into every subprocess. |
show_raw_agent_reasoning | boolean | Surface raw reasoning content when the active model emits it. |
skills.config | array<object> | Per-skill enablement overrides stored in config.toml. |
skills.config.<index>.enabled | boolean | Enable or disable the referenced skill. |
skills.config.<index>.path | string (path) | Path to a skill folder containing SKILL.md. |
sqlite_home | string (path) | Directory where Codex stores the SQLite-backed state DB used by agent jobs and other resumable runtime state. |
suppress_unstable_features_warning | boolean | Suppress the warning that appears when under-development feature flags are enabled. |
tool_output_token_limit | number | Token budget for storing individual tool/function outputs in history. |
tools.view_image | boolean | Enable the local-image attachment tool view_image. |
tools.web_search | boolean | { context_size = "low|medium|high", allowed_domains = [string], location = { country, region, city, timezone } } | Optional web search tool configuration. The legacy boolean form is still accepted, but the object form lets you set search context size, allowed domains, and approximate user location. |
tui | table | TUI-specific options such as enabling inline desktop notifications. |
tui.alternate_screen | auto | always | never | Control alternate screen usage for the TUI (default: auto; auto skips it in Zellij to preserve scrollback). |
tui.animations | boolean | Enable terminal animations (welcome screen, shimmer, spinner) (default: true). |
tui.model_availability_nux.<model> | integer | Internal startup-tooltip state keyed by model slug. |
tui.notification_method | auto | osc9 | bel | Notification method for unfocused terminal notifications (default: auto). |
tui.notifications | boolean | array<string> | Enable TUI notifications; optionally restrict to specific event types. |
tui.show_tooltips | boolean | Show onboarding tooltips in the TUI welcome screen (default: true). |
tui.status_line | array<string> | null | Ordered list of TUI footer status-line item identifiers. null disables the status line. |
tui.theme | string | Syntax-highlighting theme override (kebab-case theme name). |
web_search | disabled | cached | live | Web search mode (default: "cached"; cached uses an OpenAI-maintained index and does not fetch live pages; if you use --yolo or another full access sandbox setting, it defaults to "live"). Use "live" to fetch the most recent data from the web, or "disabled" to remove the tool. |
windows_wsl_setup_acknowledged | boolean | Track Windows onboarding acknowledgement (Windows only). |
windows.sandbox | unelevated | elevated | Windows-only native sandbox mode when running Codex natively on Windows. |
windows.sandbox_private_desktop | boolean | Run the final sandboxed child process on a private desktop by default on native Windows. Set false only for compatibility with the older Winsta0\\Default behavior. |
Key
agents.<name>.config_fileType / Values
string (path)Details
Path to a TOML config layer for that role; relative paths resolve from the config file that declares the role.
Key
agents.<name>.descriptionType / Values
stringDetails
Role guidance shown to Codex when choosing and spawning that agent type.
Key
agents.<name>.nickname_candidatesType / Values
array<string>Details
Optional pool of display nicknames for spawned agents in that role.
Key
agents.job_max_runtime_secondsType / Values
numberDetails
Default per-worker timeout for
spawn_agents_on_csv jobs. When unset, the tool falls back to 1800 seconds per worker.Key
agents.max_depthType / Values
numberDetails
Maximum nesting depth allowed for spawned agent threads (root sessions start at depth 0; default: 1).
Key
agents.max_threadsType / Values
numberDetails
Maximum number of agent threads that can be open concurrently. Defaults to
6 when unset.Key
allow_login_shellType / Values
booleanDetails
Allow shell-based tools to use login-shell semantics. Defaults to
true; when false, login = true requests are rejected and omitted login defaults to non-login shells.Key
analytics.enabledType / Values
booleanDetails
Enable or disable analytics for this machine/profile. When unset, the client default applies.
Key
approval_policyType / Values
untrusted | on-request | never | { granular = { sandbox_approval = bool, rules = bool, mcp_elicitations = bool, request_permissions = bool, skill_approval = bool } }Details
Controls when Codex pauses for approval before executing commands. You can also use
approval_policy = { granular = { ... } } to allow or auto-reject specific prompt categories while keeping other prompts interactive. on-failure is deprecated; use on-request for interactive runs or never for non-interactive runs.Key
approval_policy.granular.mcp_elicitationsType / Values
booleanDetails
When
true, MCP elicitation prompts are allowed to surface instead of being auto-rejected.Key
approval_policy.granular.request_permissionsType / Values
booleanDetails
When
true, prompts from the request_permissions tool are allowed to surface.Key
approval_policy.granular.rulesType / Values
booleanDetails
When
true, approvals triggered by execpolicy prompt rules are allowed to surface.Key
approval_policy.granular.sandbox_approvalType / Values
booleanDetails
When
true, sandbox escalation approval prompts are allowed to surface.Key
approval_policy.granular.skill_approvalType / Values
booleanDetails
When
true, skill-script approval prompts are allowed to surface.Key
apps._default.destructive_enabledType / Values
booleanDetails
Default allow/deny for app tools with
destructive_hint = true.Key
apps._default.enabledType / Values
booleanDetails
Default app enabled state for all apps unless overridden per app.
Key
apps._default.open_world_enabledType / Values
booleanDetails
Default allow/deny for app tools with
open_world_hint = true.Key
apps.<id>.default_tools_approval_modeType / Values
auto | prompt | approveDetails
Default approval behavior for tools in this app unless a per-tool override exists.
Key
apps.<id>.default_tools_enabledType / Values
booleanDetails
Default enabled state for tools in this app unless a per-tool override exists.
Key
apps.<id>.destructive_enabledType / Values
booleanDetails
Allow or block tools in this app that advertise
destructive_hint = true.Key
apps.<id>.enabledType / Values
booleanDetails
Enable or disable a specific app/connector by id (default: true).
Key
apps.<id>.open_world_enabledType / Values
booleanDetails
Allow or block tools in this app that advertise
open_world_hint = true.Key
apps.<id>.tools.<tool>.approval_modeType / Values
auto | prompt | approveDetails
Per-tool approval behavior override for a single app tool.
Key
apps.<id>.tools.<tool>.enabledType / Values
booleanDetails
Per-tool enabled override for an app tool (for example
repos/list).Key
background_terminal_max_timeoutType / Values
numberDetails
Maximum poll window in milliseconds for empty
write_stdin polls (background terminal polling). Default: 300000 (5 minutes). Replaces the older background_terminal_timeout key.Key
chatgpt_base_urlType / Values
stringDetails
Override the base URL used during the ChatGPT login flow.
Key
check_for_update_on_startupType / Values
booleanDetails
Check for Codex updates on startup (set to false only when updates are centrally managed).
Key
cli_auth_credentials_storeType / Values
file | keyring | autoDetails
Control where the CLI stores cached credentials (file-based auth.json vs OS keychain).
Key
commit_attributionType / Values
stringDetails
Override the commit co-author trailer text. Set an empty string to disable automatic attribution.
Key
compact_promptType / Values
stringDetails
Inline override for the history compaction prompt.
Key
default_permissionsType / Values
stringDetails
Name of the default permissions profile to apply to sandboxed tool calls.
Key
developer_instructionsType / Values
stringDetails
Additional developer instructions injected into the session (optional).
Key
disable_paste_burstType / Values
booleanDetails
Disable burst-paste detection in the TUI.
Key
experimental_compact_prompt_fileType / Values
string (path)Details
Load the compaction prompt override from a file (experimental).
Key
experimental_use_unified_exec_toolType / Values
booleanDetails
Legacy name for enabling unified exec; prefer
[features].unified_exec or codex --enable unified_exec.Key
features.appsType / Values
booleanDetails
Enable ChatGPT Apps/connectors support (experimental).
Key
features.enable_request_compressionType / Values
booleanDetails
Compress streaming request bodies with zstd when supported (stable; on by default).
Key
features.fast_modeType / Values
booleanDetails
Enable Fast mode selection and the
service_tier = "fast" path (stable; on by default).Key
features.multi_agentType / Values
booleanDetails
Enable multi-agent collaboration tools (
spawn_agent, send_input, resume_agent, wait_agent, and close_agent) (stable; on by default).Key
features.personalityType / Values
booleanDetails
Enable personality selection controls (stable; on by default).
Key
features.prevent_idle_sleepType / Values
booleanDetails
Prevent the machine from sleeping while a turn is actively running (experimental; off by default).
Key
features.shell_snapshotType / Values
booleanDetails
Snapshot shell environment to speed up repeated commands (stable; on by default).
Key
features.shell_toolType / Values
booleanDetails
Enable the default
shell tool for running commands (stable; on by default).Key
features.skill_mcp_dependency_installType / Values
booleanDetails
Allow prompting and installing missing MCP dependencies for skills (stable; on by default).
Key
features.smart_approvalsType / Values
booleanDetails
Route eligible approval requests through the guardian reviewer subagent (experimental; off by default).
Key
features.undoType / Values
booleanDetails
Enable undo support (stable; off by default).
Key
features.unified_execType / Values
booleanDetails
Use the unified PTY-backed exec tool (stable; enabled by default except on Windows).
Key
features.web_searchType / Values
booleanDetails
Deprecated legacy toggle; prefer the top-level
web_search setting.Key
features.web_search_cachedType / Values
booleanDetails
Deprecated legacy toggle. When
web_search is unset, true maps to web_search = "cached".Key
features.web_search_requestType / Values
booleanDetails
Deprecated legacy toggle. When
web_search is unset, true maps to web_search = "live".Key
feedback.enabledType / Values
booleanDetails
Enable feedback submission via
/feedback across Codex surfaces (default: true).Key
file_openerType / Values
vscode | vscode-insiders | windsurf | cursor | noneDetails
URI scheme used to open citations from Codex output (default:
vscode).Key
forced_chatgpt_workspace_idType / Values
string (uuid)Details
Limit ChatGPT logins to a specific workspace identifier.
Key
forced_login_methodType / Values
chatgpt | apiDetails
Restrict Codex to a specific authentication method.
Key
hide_agent_reasoningType / Values
booleanDetails
Suppress reasoning events in both the TUI and
codex exec output.Key
history.max_bytesType / Values
numberDetails
If set, caps the history file size in bytes by dropping oldest entries.
Key
history.persistenceType / Values
save-all | noneDetails
Control whether Codex saves session transcripts to history.jsonl.
Key
instructionsType / Values
stringDetails
Reserved for future use; prefer
model_instructions_file or AGENTS.md.Key
log_dirType / Values
string (path)Details
Directory where Codex writes log files (for example
codex-tui.log); defaults to $CODEX_HOME/log.Key
mcp_oauth_callback_portType / Values
integerDetails
Optional fixed port for the local HTTP callback server used during MCP OAuth login. When unset, Codex binds to an ephemeral port chosen by the OS.
Key
mcp_oauth_callback_urlType / Values
stringDetails
Optional redirect URI override for MCP OAuth login (for example, a devbox ingress URL).
mcp_oauth_callback_port still controls the callback listener port.Key
mcp_oauth_credentials_storeType / Values
auto | file | keyringDetails
Preferred store for MCP OAuth credentials.
Key
mcp_servers.<id>.argsType / Values
array<string>Details
Arguments passed to the MCP stdio server command.
Key
mcp_servers.<id>.bearer_token_env_varType / Values
stringDetails
Environment variable sourcing the bearer token for an MCP HTTP server.
Key
mcp_servers.<id>.commandType / Values
stringDetails
Launcher command for an MCP stdio server.
Key
mcp_servers.<id>.cwdType / Values
stringDetails
Working directory for the MCP stdio server process.
Key
mcp_servers.<id>.disabled_toolsType / Values
array<string>Details
Deny list applied after
enabled_tools for the MCP server.Key
mcp_servers.<id>.enabledType / Values
booleanDetails
Disable an MCP server without removing its configuration.
Key
mcp_servers.<id>.enabled_toolsType / Values
array<string>Details
Allow list of tool names exposed by the MCP server.
Key
mcp_servers.<id>.envType / Values
map<string,string>Details
Environment variables forwarded to the MCP stdio server.
Key
mcp_servers.<id>.env_http_headersType / Values
map<string,string>Details
HTTP headers populated from environment variables for an MCP HTTP server.
Key
mcp_servers.<id>.env_varsType / Values
array<string>Details
Additional environment variables to whitelist for an MCP stdio server.
Key
mcp_servers.<id>.http_headersType / Values
map<string,string>Details
Static HTTP headers included with each MCP HTTP request.
Key
mcp_servers.<id>.oauth_resourceType / Values
stringDetails
Optional RFC 8707 OAuth resource parameter to include during MCP login.
Key
mcp_servers.<id>.requiredType / Values
booleanDetails
When true, fail startup/resume if this enabled MCP server cannot initialize.
Key
mcp_servers.<id>.scopesType / Values
array<string>Details
OAuth scopes to request when authenticating to that MCP server.
Key
mcp_servers.<id>.startup_timeout_msType / Values
numberDetails
Alias for
startup_timeout_sec in milliseconds.Key
mcp_servers.<id>.startup_timeout_secType / Values
numberDetails
Override the default 10s startup timeout for an MCP server.
Key
mcp_servers.<id>.tool_timeout_secType / Values
numberDetails
Override the default 60s per-tool timeout for an MCP server.
Key
mcp_servers.<id>.urlType / Values
stringDetails
Endpoint for an MCP streamable HTTP server.
Key
modelType / Values
stringDetails
Model to use (e.g.,
gpt-5-codex).Key
model_auto_compact_token_limitType / Values
numberDetails
Token threshold that triggers automatic history compaction (unset uses model defaults).
Key
model_catalog_jsonType / Values
string (path)Details
Optional path to a JSON model catalog loaded on startup. Profile-level
profiles.<name>.model_catalog_json can override this per profile.Key
model_context_windowType / Values
numberDetails
Context window tokens available to the active model.
Key
model_instructions_fileType / Values
string (path)Details
Replacement for built-in instructions instead of
AGENTS.md.Key
model_providerType / Values
stringDetails
Provider id from
model_providers (default: openai).Key
model_providers.<id>.base_urlType / Values
stringDetails
API base URL for the model provider.
Key
model_providers.<id>.env_http_headersType / Values
map<string,string>Details
HTTP headers populated from environment variables when present.
Key
model_providers.<id>.env_keyType / Values
stringDetails
Environment variable supplying the provider API key.
Key
model_providers.<id>.env_key_instructionsType / Values
stringDetails
Optional setup guidance for the provider API key.
Key
model_providers.<id>.experimental_bearer_tokenType / Values
stringDetails
Direct bearer token for the provider (discouraged; use
env_key).Key
model_providers.<id>.http_headersType / Values
map<string,string>Details
Static HTTP headers added to provider requests.
Key
model_providers.<id>.nameType / Values
stringDetails
Display name for a custom model provider.
Key
model_providers.<id>.query_paramsType / Values
map<string,string>Details
Extra query parameters appended to provider requests.
Key
model_providers.<id>.request_max_retriesType / Values
numberDetails
Retry count for HTTP requests to the provider (default: 4).
Key
model_providers.<id>.requires_openai_authType / Values
booleanDetails
The provider uses OpenAI authentication (defaults to false).
Key
model_providers.<id>.stream_idle_timeout_msType / Values
numberDetails
Idle timeout for SSE streams in milliseconds (default: 300000).
Key
model_providers.<id>.stream_max_retriesType / Values
numberDetails
Retry count for SSE streaming interruptions (default: 5).
Key
model_providers.<id>.supports_websocketsType / Values
booleanDetails
Whether that provider supports the Responses API WebSocket transport.
Key
model_providers.<id>.wire_apiType / Values
responsesDetails
Protocol used by the provider.
responses is the only supported value, and it is the default when omitted.Key
model_reasoning_effortType / Values
minimal | low | medium | high | xhighDetails
Adjust reasoning effort for supported models (Responses API only;
xhigh is model-dependent).Key
model_reasoning_summaryType / Values
auto | concise | detailed | noneDetails
Select reasoning summary detail or disable summaries entirely.
Key
model_supports_reasoning_summariesType / Values
booleanDetails
Force Codex to send or not send reasoning metadata.
Key
model_verbosityType / Values
low | medium | highDetails
Optional GPT-5 Responses API verbosity override; when unset, the selected model/preset default is used.
Key
notice.hide_full_access_warningType / Values
booleanDetails
Track acknowledgement of the full access warning prompt.
Key
notice.hide_gpt-5.1-codex-max_migration_promptType / Values
booleanDetails
Track acknowledgement of the gpt-5.1-codex-max migration prompt.
Key
notice.hide_gpt5_1_migration_promptType / Values
booleanDetails
Track acknowledgement of the GPT-5.1 migration prompt.
Key
notice.hide_rate_limit_model_nudgeType / Values
booleanDetails
Track opt-out of the rate limit model switch reminder.
Key
notice.hide_world_writable_warningType / Values
booleanDetails
Track acknowledgement of the Windows world-writable directories warning.
Key
notice.model_migrationsType / Values
map<string,string>Details
Track acknowledged model migrations as old->new mappings.
Key
notifyType / Values
array<string>Details
Command invoked for notifications; receives a JSON payload from Codex.
Key
openai_base_urlType / Values
stringDetails
Base URL override for the built-in
openai model provider.Key
oss_providerType / Values
lmstudio | ollamaDetails
Default local provider used when running with
--oss (defaults to prompting if unset).Key
otel.environmentType / Values
stringDetails
Environment tag applied to emitted OpenTelemetry events (default:
dev).Key
otel.exporterType / Values
none | otlp-http | otlp-grpcDetails
Select the OpenTelemetry exporter and provide any endpoint metadata.
Key
otel.exporter.<id>.endpointType / Values
stringDetails
Exporter endpoint for OTEL logs.
Key
otel.exporter.<id>.headersType / Values
map<string,string>Details
Static headers included with OTEL exporter requests.
Key
otel.exporter.<id>.protocolType / Values
binary | jsonDetails
Protocol used by the OTLP/HTTP exporter.
Key
otel.exporter.<id>.tls.ca-certificateType / Values
stringDetails
CA certificate path for OTEL exporter TLS.
Key
otel.exporter.<id>.tls.client-certificateType / Values
stringDetails
Client certificate path for OTEL exporter TLS.
Key
otel.exporter.<id>.tls.client-private-keyType / Values
stringDetails
Client private key path for OTEL exporter TLS.
Key
otel.log_user_promptType / Values
booleanDetails
Opt in to exporting raw user prompts with OpenTelemetry logs.
Key
otel.metrics_exporterType / Values
none | statsig | otlp-http | otlp-grpcDetails
Select the OpenTelemetry metrics exporter (defaults to
statsig).Key
otel.trace_exporterType / Values
none | otlp-http | otlp-grpcDetails
Select the OpenTelemetry trace exporter and provide any endpoint metadata.
Key
otel.trace_exporter.<id>.endpointType / Values
stringDetails
Trace exporter endpoint for OTEL logs.
Key
otel.trace_exporter.<id>.headersType / Values
map<string,string>Details
Static headers included with OTEL trace exporter requests.
Key
otel.trace_exporter.<id>.protocolType / Values
binary | jsonDetails
Protocol used by the OTLP/HTTP trace exporter.
Key
otel.trace_exporter.<id>.tls.ca-certificateType / Values
stringDetails
CA certificate path for OTEL trace exporter TLS.
Key
otel.trace_exporter.<id>.tls.client-certificateType / Values
stringDetails
Client certificate path for OTEL trace exporter TLS.
Key
otel.trace_exporter.<id>.tls.client-private-keyType / Values
stringDetails
Client private key path for OTEL trace exporter TLS.
Key
permissions.<name>.filesystemType / Values
tableDetails
Named filesystem permission profile. Each key is an absolute path or special token such as
:minimal or :project_roots.Key
permissions.<name>.filesystem.":project_roots".<subpath>Type / Values
"read" | "write" | "none"Details
Scoped filesystem access relative to the detected project roots. Use
"." for the root itself.Key
permissions.<name>.filesystem.<path>Type / Values
"read" | "write" | "none" | tableDetails
Grant direct access for a path or special token, or scope nested entries under that root.
Key
permissions.<name>.network.allow_local_bindingType / Values
booleanDetails
Permit local bind/listen operations through the managed proxy.
Key
permissions.<name>.network.allow_unix_socketsType / Values
array<string>Details
Allowlist of Unix socket paths permitted through the managed proxy.
Key
permissions.<name>.network.allow_upstream_proxyType / Values
booleanDetails
Allow the managed proxy to chain to another upstream proxy.
Key
permissions.<name>.network.allowed_domainsType / Values
array<string>Details
Allowlist of domains permitted through the managed proxy.
Key
permissions.<name>.network.dangerously_allow_all_unix_socketsType / Values
booleanDetails
Allow the proxy to use arbitrary Unix sockets instead of the default restricted set.
Key
permissions.<name>.network.dangerously_allow_non_loopback_proxyType / Values
booleanDetails
Permit non-loopback bind addresses for the managed proxy listener.
Key
permissions.<name>.network.denied_domainsType / Values
array<string>Details
Denylist of domains blocked by the managed proxy.
Key
permissions.<name>.network.enable_socks5Type / Values
booleanDetails
Expose a SOCKS5 listener when this permissions profile enables the managed network proxy.
Key
permissions.<name>.network.enable_socks5_udpType / Values
booleanDetails
Allow UDP over the SOCKS5 listener when enabled.
Key
permissions.<name>.network.enabledType / Values
booleanDetails
Enable network access for this named permissions profile.
Key
permissions.<name>.network.modeType / Values
limited | fullDetails
Network proxy mode used for subprocess traffic.
Key
permissions.<name>.network.proxy_urlType / Values
stringDetails
HTTP proxy endpoint used when this permissions profile enables the managed network proxy.
Key
permissions.<name>.network.socks_urlType / Values
stringDetails
SOCKS5 proxy endpoint used by this permissions profile.
Key
personalityType / Values
none | friendly | pragmaticDetails
Default communication style for models that advertise
supportsPersonality; can be overridden per thread/turn or via /personality.Key
plan_mode_reasoning_effortType / Values
none | minimal | low | medium | high | xhighDetails
Plan-mode-specific reasoning override. When unset, Plan mode uses its built-in preset default.
Key
profileType / Values
stringDetails
Default profile applied at startup (equivalent to
--profile).Key
profiles.<name>.*Type / Values
variousDetails
Profile-scoped overrides for any of the supported configuration keys.
Key
profiles.<name>.analytics.enabledType / Values
booleanDetails
Profile-scoped analytics enablement override.
Key
profiles.<name>.experimental_use_unified_exec_toolType / Values
booleanDetails
Legacy name for enabling unified exec; prefer
[features].unified_exec.Key
profiles.<name>.model_catalog_jsonType / Values
string (path)Details
Profile-scoped model catalog JSON path override (applied on startup only; overrides the top-level
model_catalog_json for that profile).Key
profiles.<name>.model_instructions_fileType / Values
string (path)Details
Profile-scoped replacement for the built-in instruction file.
Key
profiles.<name>.oss_providerType / Values
lmstudio | ollamaDetails
Profile-scoped OSS provider for
--oss sessions.Key
profiles.<name>.personalityType / Values
none | friendly | pragmaticDetails
Profile-scoped communication style override for supported models.
Key
profiles.<name>.plan_mode_reasoning_effortType / Values
none | minimal | low | medium | high | xhighDetails
Profile-scoped Plan-mode reasoning override.
Key
profiles.<name>.service_tierType / Values
flex | fastDetails
Profile-scoped service tier preference for new turns.
Key
profiles.<name>.tools_view_imageType / Values
booleanDetails
Enable or disable the
view_image tool in that profile.Key
profiles.<name>.web_searchType / Values
disabled | cached | liveDetails
Profile-scoped web search mode override (default:
"cached").Key
profiles.<name>.windows.sandboxType / Values
unelevated | elevatedDetails
Profile-scoped Windows sandbox mode override.
Key
project_doc_fallback_filenamesType / Values
array<string>Details
Additional filenames to try when
AGENTS.md is missing.Key
project_doc_max_bytesType / Values
numberDetails
Maximum bytes read from
AGENTS.md when building project instructions.Key
project_root_markersType / Values
array<string>Details
List of project root marker filenames; used when searching parent directories for the project root.
Key
projects.<path>.trust_levelType / Values
stringDetails
Mark a project or worktree as trusted or untrusted (
"trusted" | "untrusted"). Untrusted projects skip project-scoped .codex/ layers.Key
review_modelType / Values
stringDetails
Optional model override used by
/review (defaults to the current session model).Key
sandbox_modeType / Values
read-only | workspace-write | danger-full-accessDetails
Sandbox policy for filesystem and network access during command execution.
Key
sandbox_workspace_write.exclude_slash_tmpType / Values
booleanDetails
Exclude
/tmp from writable roots in workspace-write mode.Key
sandbox_workspace_write.exclude_tmpdir_env_varType / Values
booleanDetails
Exclude
$TMPDIR from writable roots in workspace-write mode.Key
sandbox_workspace_write.network_accessType / Values
booleanDetails
Allow outbound network access inside the workspace-write sandbox.
Key
sandbox_workspace_write.writable_rootsType / Values
array<string>Details
Additional writable roots when
sandbox_mode = "workspace-write".Key
service_tierType / Values
flex | fastDetails
Preferred service tier for new turns.
Key
shell_environment_policy.excludeType / Values
array<string>Details
Glob patterns for removing environment variables after the defaults.
Key
shell_environment_policy.experimental_use_profileType / Values
booleanDetails
Use the user shell profile when spawning subprocesses.
Key
shell_environment_policy.ignore_default_excludesType / Values
booleanDetails
Keep variables containing KEY/SECRET/TOKEN before other filters run.
Key
shell_environment_policy.include_onlyType / Values
array<string>Details
Whitelist of patterns; when set only matching variables are kept.
Key
shell_environment_policy.inheritType / Values
all | core | noneDetails
Baseline environment inheritance when spawning subprocesses.
Key
shell_environment_policy.setType / Values
map<string,string>Details
Explicit environment overrides injected into every subprocess.
Key
show_raw_agent_reasoningType / Values
booleanDetails
Surface raw reasoning content when the active model emits it.
Key
skills.configType / Values
array<object>Details
Per-skill enablement overrides stored in config.toml.
Key
skills.config.<index>.enabledType / Values
booleanDetails
Enable or disable the referenced skill.
Key
skills.config.<index>.pathType / Values
string (path)Details
Path to a skill folder containing
SKILL.md.Key
sqlite_homeType / Values
string (path)Details
Directory where Codex stores the SQLite-backed state DB used by agent jobs and other resumable runtime state.
Key
suppress_unstable_features_warningType / Values
booleanDetails
Suppress the warning that appears when under-development feature flags are enabled.
Key
tool_output_token_limitType / Values
numberDetails
Token budget for storing individual tool/function outputs in history.
Key
tools.view_imageType / Values
booleanDetails
Enable the local-image attachment tool
view_image.Key
tools.web_searchType / Values
boolean | { context_size = "low|medium|high", allowed_domains = [string], location = { country, region, city, timezone } }Details
Optional web search tool configuration. The legacy boolean form is still accepted, but the object form lets you set search context size, allowed domains, and approximate user location.
Key
tuiType / Values
tableDetails
TUI-specific options such as enabling inline desktop notifications.
Key
tui.alternate_screenType / Values
auto | always | neverDetails
Control alternate screen usage for the TUI (default: auto; auto skips it in Zellij to preserve scrollback).
Key
tui.animationsType / Values
booleanDetails
Enable terminal animations (welcome screen, shimmer, spinner) (default: true).
Key
tui.model_availability_nux.<model>Type / Values
integerDetails
Internal startup-tooltip state keyed by model slug.
Key
tui.notification_methodType / Values
auto | osc9 | belDetails
Notification method for unfocused terminal notifications (default: auto).
Key
tui.notificationsType / Values
boolean | array<string>Details
Enable TUI notifications; optionally restrict to specific event types.
Key
tui.show_tooltipsType / Values
booleanDetails
Show onboarding tooltips in the TUI welcome screen (default: true).
Key
tui.status_lineType / Values
array<string> | nullDetails
Ordered list of TUI footer status-line item identifiers.
null disables the status line.Key
tui.themeType / Values
stringDetails
Syntax-highlighting theme override (kebab-case theme name).
Key
web_searchType / Values
disabled | cached | liveDetails
Web search mode (default:
"cached"; cached uses an OpenAI-maintained index and does not fetch live pages; if you use --yolo or another full access sandbox setting, it defaults to "live"). Use "live" to fetch the most recent data from the web, or "disabled" to remove the tool.Key
windows_wsl_setup_acknowledgedType / Values
booleanDetails
Track Windows onboarding acknowledgement (Windows only).
Key
windows.sandboxType / Values
unelevated | elevatedDetails
Windows-only native sandbox mode when running Codex natively on Windows.
Key
windows.sandbox_private_desktopType / Values
booleanDetails
Run the final sandboxed child process on a private desktop by default on native Windows. Set
false only for compatibility with the older Winsta0\\Default behavior.You can find the latest JSON schema for config.toml here.
To get autocompletion and diagnostics when editing config.toml in VS Code or Cursor, you can install the Even Better TOML extension and add this line to the top of your config.toml:
#:schema https://developers.openai.com/codex/config-schema.jsonNote: Rename experimental_instructions_file to model_instructions_file. Codex deprecates the old key; update existing configs to the new name.
requirements.toml
requirements.toml is an admin-enforced configuration file that constrains security-sensitive settings users can’t override. For details, locations, and examples, see Admin-enforced requirements.
For ChatGPT Business and Enterprise users, Codex can also apply cloud-fetched requirements. See the security page for precedence details.
Use [features] in requirements.toml to pin feature flags by the same
canonical keys that config.toml uses. Omitted keys remain unconstrained.
| Key | Type / Values | Details |
|---|---|---|
allowed_approval_policies | array<string> | Allowed values for approval_policy (for example untrusted, on-request, never, and granular). |
allowed_sandbox_modes | array<string> | Allowed values for sandbox_mode. |
allowed_web_search_modes | array<string> | Allowed values for web_search (disabled, cached, live). disabled is always allowed; an empty list effectively allows only disabled. |
features | table | Pinned feature values keyed by the canonical names from config.toml's [features] table. |
features.<name> | boolean | Require a specific canonical feature key to stay enabled or disabled. |
mcp_servers | table | Allowlist of MCP servers that may be enabled. Both the server name ( <id>) and its identity must match for the MCP server to be enabled. Any configured MCP server not in the allowlist (or with a mismatched identity) is disabled. |
mcp_servers.<id>.identity | table | Identity rule for a single MCP server. Set either command (stdio) or url (streamable HTTP). |
mcp_servers.<id>.identity.command | string | Allow an MCP stdio server when its mcp_servers.<id>.command matches this command. |
mcp_servers.<id>.identity.url | string | Allow an MCP streamable HTTP server when its mcp_servers.<id>.url matches this URL. |
rules | table | Admin-enforced command rules merged with .rules files. Requirements rules must be restrictive. |
rules.prefix_rules | array<table> | List of enforced prefix rules. Each rule must include pattern and decision. |
rules.prefix_rules[].decision | prompt | forbidden | Required. Requirements rules can only prompt or forbid (not allow). |
rules.prefix_rules[].justification | string | Optional non-empty rationale surfaced in approval prompts or rejection messages. |
rules.prefix_rules[].pattern | array<table> | Command prefix expressed as pattern tokens. Each token sets either token or any_of. |
rules.prefix_rules[].pattern[].any_of | array<string> | A list of allowed alternative tokens at this position. |
rules.prefix_rules[].pattern[].token | string | A single literal token at this position. |
Key
allowed_approval_policiesType / Values
array<string>Details
Allowed values for
approval_policy (for example untrusted, on-request, never, and granular).Key
allowed_sandbox_modesType / Values
array<string>Details
Allowed values for
sandbox_mode.Key
allowed_web_search_modesType / Values
array<string>Details
Allowed values for
web_search (disabled, cached, live). disabled is always allowed; an empty list effectively allows only disabled.Key
featuresType / Values
tableDetails
Pinned feature values keyed by the canonical names from
config.toml's [features] table.Key
features.<name>Type / Values
booleanDetails
Require a specific canonical feature key to stay enabled or disabled.
Key
mcp_serversType / Values
tableDetails
Allowlist of MCP servers that may be enabled. Both the server name (
<id>) and its identity must match for the MCP server to be enabled. Any configured MCP server not in the allowlist (or with a mismatched identity) is disabled.Key
mcp_servers.<id>.identityType / Values
tableDetails
Identity rule for a single MCP server. Set either
command (stdio) or url (streamable HTTP).Key
mcp_servers.<id>.identity.commandType / Values
stringDetails
Allow an MCP stdio server when its
mcp_servers.<id>.command matches this command.Key
mcp_servers.<id>.identity.urlType / Values
stringDetails
Allow an MCP streamable HTTP server when its
mcp_servers.<id>.url matches this URL.Key
rulesType / Values
tableDetails
Admin-enforced command rules merged with
.rules files. Requirements rules must be restrictive.Key
rules.prefix_rulesType / Values
array<table>Details
List of enforced prefix rules. Each rule must include
pattern and decision.Key
rules.prefix_rules[].decisionType / Values
prompt | forbiddenDetails
Required. Requirements rules can only prompt or forbid (not allow).
Key
rules.prefix_rules[].justificationType / Values
stringDetails
Optional non-empty rationale surfaced in approval prompts or rejection messages.
Key
rules.prefix_rules[].patternType / Values
array<table>Details
Command prefix expressed as pattern tokens. Each token sets either
token or any_of.Key
rules.prefix_rules[].pattern[].any_ofType / Values
array<string>Details
A list of allowed alternative tokens at this position.
Key
rules.prefix_rules[].pattern[].tokenType / Values
stringDetails
A single literal token at this position.