# Rules Use rules to control which commands Codex can run outside the sandbox. Rules are experimental and may change. ## Create a rules file 1. Create a `.rules` file under a `rules/` folder next to an active config layer (for example, `~/.codex/rules/default.rules`). 2. Add a rule. This example prompts before allowing `gh pr view` to run outside the sandbox. ```python # Prompt before running commands with the prefix `gh pr view` outside the sandbox. prefix_rule( # The prefix to match. pattern = ["gh", "pr", "view"], # The action to take when Codex requests to run a matching command. decision = "prompt", # Optional rationale for why this rule exists. justification = "Viewing PRs is allowed with approval", # `match` and `not_match` are optional "inline unit tests" where you can # provide examples of commands that should (or should not) match this rule. match = [ "gh pr view 7888", "gh pr view --repo openai/codex", "gh pr view 7888 --json title,body,comments", ], not_match = [ # Does not match because the `pattern` must be an exact prefix. "gh pr --repo openai/codex view 7888", ], ) ``` 3. Restart Codex. Codex scans `rules/` under every active config layer at startup, including [Team Config](https://developers.openai.com/codex/enterprise/admin-setup#team-config) locations and the user layer at `~/.codex/rules/`. Project-local rules under `/.codex/rules/` load only when the project `.codex/` layer is trusted. When you add a command to the allow list in the TUI, Codex writes to the user layer at `~/.codex/rules/default.rules` so future runs can skip the prompt. When Smart approvals are enabled (the default), Codex may propose a `prefix_rule` for you during escalation requests. Review the suggested prefix carefully before accepting it. Admins can also enforce restrictive `prefix_rule` entries from [`requirements.toml`](https://developers.openai.com/codex/enterprise/managed-configuration#admin-enforced-requirements-requirementstoml). ## Understand rule fields `prefix_rule()` supports these fields: - `pattern` **(required)**: A non-empty list that defines the command prefix to match. Each element is either: - A literal string (for example, `"pr"`). - A union of literals (for example, `["view", "list"]`) to match alternatives at that argument position. - `decision` **(defaults to `"allow"`)**: The action to take when the rule matches. Codex applies the most restrictive decision when more than one rule matches (`forbidden` > `prompt` > `allow`). - `allow`: Run the command outside the sandbox without prompting. - `prompt`: Prompt before each matching invocation. - `forbidden`: Block the request without prompting. - `justification` **(optional)**: A non-empty, human-readable reason for the rule. Codex may surface it in approval prompts or rejection messages. When you use `forbidden`, include a recommended alternative in the justification when appropriate (for example, `"Use \`rg\` instead of \`grep\`."`). - `match` and `not_match` **(defaults to `[]`)**: Examples that Codex validates when it loads your rules. Use these to catch mistakes before a rule takes effect. When Codex considers a command to run, it compares the command's argument list to `pattern`. Internally, Codex treats the command as a list of arguments (like what `execvp(3)` receives). ## Shell wrappers and compound commands Some tools wrap several shell commands into a single invocation, for example: ```text ["bash", "-lc", "git add . && rm -rf /"] ``` Because this kind of command can hide multiple actions inside one string, Codex treats `bash -lc`, `bash -c`, and their `zsh` / `sh` equivalents specially. ### When Codex can safely split the script If the shell script is a linear chain of commands made only of: - plain words (no variable expansion, no `VAR=...`, `$FOO`, `*`, etc.) - joined by safe operators (`&&`, `||`, `;`, or `|`) then Codex parses it (using tree-sitter) and splits it into individual commands before applying your rules. The script above is treated as two separate commands: - `["git", "add", "."]` - `["rm", "-rf", "/"]` Codex then evaluates each command against your rules, and the most restrictive result wins. Even if you allow `pattern=["git", "add"]`, Codex won't auto allow `git add . && rm -rf /`, because the `rm -rf /` portion is evaluated separately and prevents the whole invocation from being auto allowed. This prevents dangerous commands from being smuggled in alongside safe ones. ### When Codex does not split the script If the script uses more advanced shell features, such as: - redirection (`>`, `>>`, `<`) - substitutions (`$(...)`, `...`) - environment variables (`FOO=bar`) - wildcard patterns (`*`, `?`) - control flow (`if`, `for`, `&&` with assignments, etc.) then Codex doesn't try to interpret or split it. In those cases, the entire invocation is treated as: ```text ["bash", "-lc", ""] ``` and your rules are applied to that **single** invocation. With this handling, you get the security of per-command evaluation when it's safe to do so, and conservative behavior when it isn't. ## Test a rule file Use `codex execpolicy check` to test how your rules apply to a command: ```shell codex execpolicy check --pretty \ --rules ~/.codex/rules/default.rules \ -- gh pr view 7888 --json title,body,comments ``` The command emits JSON showing the strictest decision and any matching rules, including any `justification` values from matched rules. Use more than one `--rules` flag to combine files, and add `--pretty` to format the output. ## Understand the rules language The `.rules` file format uses `Starlark` (see the [language spec](https://github.com/bazelbuild/starlark/blob/master/spec.md)). Its syntax is like Python, but it's designed to be safe to run: the rules engine can run it without side effects (for example, touching the filesystem).