OpenAI Codex
CLI, IDE extension, app, web
OpenAI Codex is strongest on nested filesystem scoping and policy-enforced local clients. It builds an instruction chain from global scope in `~/.codex` down to the current working directory, supporting `AGENTS.override.md`, nested directory overrides, and load-order precedence. Memories carry useful context forward from prior work (off by default, not available in EEA/UK/Switzerland). Rules are a separate experimental concept controlling which commands can escape the sandbox using Starlark-based `.rules` files. Configuration and requirements form the strongest formal control layer, with admin-enforced `requirements.toml` that users cannot override, cloud-managed requirements for Business/Enterprise with group-based assignment, and MDM support for macOS. Skills are the authoring format with six scope tiers; plugins are the installable distribution unit with three marketplace tiers. Custom agents are defined as TOML files with built-in agents (default, worker, explorer) and experimental CSV batch processing.
AGENTS.md Instructions
Instructions
Vendor Terms AGENTS.md, AGENTS.override.md, custom instructions, project_doc_fallback_filenames
Interfaces CLI, IDE extension
Scopes
User / Home, Project / Repo Root, Subdirectory / Folder
Availability current (explicit)
Trust Model Prompt-time guidance loaded at run start; more specific files override by concatenation order rather than hard policy
Notes Discovery chain: global (~/.codex) reads AGENTS.override.md first then AGENTS.md; project scope walks from root to CWD checking override then standard per directory; combined size capped at 32 KiB (configurable via project_doc_max_bytes); fallback filenames configurable; CODEX_HOME env var overrides home directory
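To review which instruction files would reach the prompt for a given working directory, the discovery order in the note above can be reproduced offline. This is an added example, not Codex's own code; the function names, the one-file-per-directory and skip-empty rules, counting the global file against the cap, and truncating at the cap are assumptions.

```python
import tempfile
from pathlib import Path

CANDIDATES = ("AGENTS.override.md", "AGENTS.md")  # override is checked first
DEFAULT_MAX_BYTES = 32 * 1024  # default for project_doc_max_bytes

def pick_file(directory, fallbacks=()):
    """First non-empty candidate in `directory` (assumed: one file per dir)."""
    for name in (*CANDIDATES, *fallbacks):
        path = directory / name
        if path.is_file() and path.stat().st_size > 0:
            return path
    return None

def instruction_chain(codex_home, project_root, cwd, fallbacks=(),
                      max_bytes=DEFAULT_MAX_BYTES):
    """Return [(path, bytes_used, truncated)] in load order, broadest first."""
    rel = cwd.resolve().relative_to(project_root.resolve())  # ValueError if outside
    dirs = [codex_home, project_root.resolve()]
    for part in rel.parts:            # project root -> ... -> cwd
        dirs.append(dirs[-1] / part)
    chain, remaining = [], max_bytes
    for d in dirs:
        path = pick_file(d, fallbacks)
        if path is None:
            continue
        if remaining <= 0:            # assumed: later files are dropped at the cap
            break
        size = path.stat().st_size
        used = min(size, remaining)   # assumed: the file crossing the cap is cut
        chain.append((path, used, used < size))
        remaining -= used
    return chain

def demo():
    """Constructed tree: a nested override shadows its sibling AGENTS.md."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        home, repo = base / "home" / ".codex", base / "repo"
        sub = repo / "vendor" / "lib"
        for d in (home, sub):
            d.mkdir(parents=True)
        (home / "AGENTS.md").write_text("global defaults\n")
        (repo / "AGENTS.md").write_text("repo rules\n")
        (sub / "AGENTS.md").write_text("ignored: override wins\n")
        (sub / "AGENTS.override.md").write_text("x" * 40000)
        chain = instruction_chain(home, repo, sub)
        return [(p.relative_to(base).as_posix(), n, cut) for p, n, cut in chain]
```

Running `demo()` shows the audit-relevant result: the override in `vendor/lib` is the file loaded for that directory, and it consumes whatever budget the broader scopes left.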
Memories
Instructions
Vendor Terms memories, learned context, /memories
Interfaces CLI, IDE extension, app
Scopes
User / Home
Availability current (explicit)
Trust Model Context carried forward from prior sessions; not user-authored instructions but agent-learned knowledge
Notes Off by default; not available in EEA/UK/Switzerland; stored under ~/.codex/memories/; /memories slash command for per-thread control; background processing after threads go idle; secret redaction applied; configurable via memories.generate_memories, memories.use_memories, memories.extract_model, memories.consolidation_model
Skills
Skills
Vendor Terms agent skills, SKILL.md, skill folders, .agents/skills, agents/openai.yaml, $skill-creator, $skill-installer
Interfaces CLI, IDE extension, app
Scopes
Subdirectory / Folder, Project / Repo Root, User / Home, Machine / Admin
Availability current (explicit)
Trust Model Reusable workflows and domain expertise; skills are the authoring format, plugins are the distribution unit; allow_implicit_invocation policy controls auto-activation
Notes Progressive disclosure: metadata loaded at start, full content on selection. Six scope tiers: REPO (CWD, parent dirs, root via .agents/skills/), USER (~/.agents/skills/), ADMIN (/etc/codex/skills), SYSTEM (bundled). Two invocation modes: explicit ($-mention or /skills) and implicit (auto-matched by description). Built-in $skill-creator and $skill-installer. Builds on open Agent Skills standard (agentskills.io). Distributable via plugins.
Custom Prompts (deprecated)
Prompts
Vendor Terms custom prompts, slash commands, reusable prompts, prompts directory
Interfaces CLI, IDE extension
Scopes
User / Home
Availability deprecated (explicit)
Trust Model User-local reusable prompt templates with argument placeholders; not shared through repositories
Notes Explicitly deprecated in favor of skills. Still functional but no longer recommended. Markdown files in ~/.codex/prompts/ invoked as /prompts:name. Supports YAML frontmatter (description, argument-hint) and placeholder arguments ($1-$9, named $KEY=value). Requires restart after edits.
MCP Servers
MCP & Tools
Vendor Terms MCP servers, STDIO transport, streamable HTTP transport, OAuth authentication, bearer token authentication, enabled_tools, disabled_tools
Interfaces CLI, IDE extension, app
Scopes
User / Home, Project / Repo Root
Availability current (explicit)
Trust Model Destructive MCP tool calls always require approval; side-effect calls can elicit approval; granular mcp_elicitations approval toggle; enterprise allowlist via requirements.toml; Guardian subagent can review MCP approvals
Notes CLI, IDE extension, and app share MCP configuration via config.toml; STDIO and streamable HTTP transports; OAuth via codex mcp login; per-server enabled_tools/disabled_tools filtering; enterprise allowlist enforcement via requirements.toml (name + identity matching)
Subagents
Agents
Vendor Terms subagents, custom agents, parallel delegated workflows, agent threads, spawn_agents_on_csv
Interfaces app, CLI
Scopes
User / Home, Project / Repo Root, Cloud / Web Session
Availability current (explicit)
Trust Model Subagents inherit parent sandbox policy; approval requests surface from inactive threads; runtime overrides reapplied to children; custom agents can override sandbox mode; max_depth defaults to 1
Notes Enabled by default; IDE visibility coming soon. Ships with 3 built-in agents (default, worker, explorer). Custom agents defined as TOML files at user (~/.codex/agents/) or project (.codex/agents/) scope. Experimental spawn_agents_on_csv for CSV batch processing. Max 6 concurrent threads by default; max nesting depth of 1.
Hooks
Hooks
Vendor Terms hooks, command hooks, hook events, hooks.json
Interfaces CLI, IDE extension
Scopes
User / Home, Project / Repo Root
Availability experimental (explicit)
Trust Model Deterministic scripts in the agent loop; hooks run as local shell commands receiving JSON on stdin; PreToolUse can deny commands but enforcement is incomplete (model can write scripts to disk); PostToolUse cannot undo side effects
Notes Experimental, behind codex_hooks = true feature flag. Windows support temporarily disabled. 5 hook events: SessionStart, PreToolUse, PostToolUse, UserPromptSubmit, Stop. PreToolUse/PostToolUse only intercept Bash tool calls (not MCP, Write, WebSearch, or unified_exec streaming). Multiple hooks run concurrently. Default timeout 600s.
Plugins
Plugins & Distribution
Vendor Terms plugins, installable distribution unit, marketplace, plugin directory, $plugin-creator, plugin manifest
Interfaces app, CLI
Scopes
Project / Repo Root, User / Home
Availability current (explicit)
Trust Model Existing approval settings apply; bundled apps subject to their own auth/privacy policies; enable/disable via config.toml; marketplace policy fields control install behavior
Notes Plugins bundle skills, app integrations, and MCP servers. Three marketplace tiers: official curated directory, repo-scoped (.agents/plugins/marketplace.json), and personal (~/.agents/plugins/marketplace.json). Official public plugin publishing coming soon. Built-in $plugin-creator for scaffolding.
Configuration, Rules, and Requirements
Settings & Policy
Vendor Terms config.toml, requirements.toml, managed configuration, rules, .rules files, profiles, feature flags, managed_config.toml, cloud-managed requirements, prefix_rule, permissions profiles, granular approval policy, enforce_residency
Interfaces CLI, IDE extension, app
Scopes
User / Home, Project / Repo Root, Subdirectory / Folder, Machine / Admin, Cloud / Web Session, Organization / Enterprise
Availability current (explicit)
Trust Model Layered trust: requirements (admin-enforced, can't override) > managed defaults (admin-set starting values) > user config. Cloud-managed requirements use signed cache with expiry. Project-scoped config only loaded for trusted projects. Protected paths (.git, .codex, .agents) read-only even in workspace-write. OS-level sandbox (macOS Seatbelt, Linux bwrap+seccomp).
Notes Config, requirements, and managed configuration are current. Rules (.codex/rules/ with Starlark-based prefix_rule) and profiles are experimental. Cloud-managed requirements support group-based assignment for Business/Enterprise plans. MDM support for macOS. Precedence: CLI flags > Profile > Project config > User config > System config > Defaults. Requirements are admin-enforced and cannot be overridden.