Agent stack guide

Best CLI Tools for Codex

Pair Codex with deterministic local tools and add remote CLIs only when the sandbox and approval policy allow the task.

Coding agentsLocal write

Codex command policy preview

Start with one recommended CLI and a read-only policy. Review command prefixes, the target environment, and approval boundaries before saving it.

Codex command policyverified · 2026-07-10
codex-policy.rules
# Codex execution policy for GitHub CLI
# Install as a .rules file under an active Codex rules/ directory.
# Generated mode: read-only
# Mode boundary: R0 exact commands may be used; R1, R2, and R3 commands are forbidden.
# Evidence: verified; checked 2026-07-10; tested version: 2.86.0.
# Prefix rules match trailing arguments. CLI Finder prompts unless a command is explicitly audited as suffix-safe.
# Rules are experimental. Review prefixes, then test with codex execpolicy check.

prefix_rule(
    pattern = ["gh","pr","list","--state","open","--json","number,title,reviewDecision,url"],
    decision = "prompt",
    justification = "R0: Read pull request status and review fields without changing repository state.",
    match = ["gh pr list --state open --json number,title,reviewDecision,url"],
)

prefix_rule(
    pattern = ["gh","pr","merge"],
    decision = "forbidden",
    justification = "R2: Merges code into the target branch and needs explicit approval.",
    match = ["gh pr merge 123 --squash"],
)

prefix_rule(
    pattern = ["gh","repo","delete"],
    decision = "forbidden",
    justification = "R3: Deletes remote repository data and is destructive.",
    match = ["gh repo delete owner/repo"],
)

Evidence boundary

Compatibility is not a test result: current data does not attribute independent CLI execution to a particular agent.

Treat generated content as a reviewable starting point. Remote writes, deletion, production actions, and any confirmation-marked command must still stop for explicit approval.

Outcome, inputs, and outputs

Define the result and evidence before the agent selects a command.

Goal

Let Codex inspect, implement, and verify work while keeping external state changes visible and reviewable.

Required inputs

  • AGENTS.md rules
  • sandbox and approval profile
  • repository toolchain
  • scoped remote credentials

Expected outputs

  • Base and task CLI list
  • safe command policy
  • approval boundaries
  • verification checklist

Best CLI Tools for Codex: safe workflow

Run each step inside its stated boundary and verify the output before continuing.

Step 1Read only

Confirm the execution boundary

Read repository rules and identify filesystem, network, and command restrictions.
Input
Workspace instructions and runtime profile
Output
Allowed execution surface
Step 2Read only

Configure deterministic tools

Prefer ripgrep for search, jq for JSON, and native project commands for tests and builds.
Input
Repository toolchain
Output
Repeatable local workflow
$ Configure deterministic tools
rg --files && jq --version
Step 3Local write

Gate remote tools

Assign explicit read and write rules to GitHub, Cloudflare, and database CLIs before supplying credentials.
Input
Task and remote identity
Output
Scoped task policy

Approval points and rollback

Pause at the listed decision points and keep recovery instructions beside the action.

Ask before these actions

  • Any remote write not already authorized by the task
  • Credential escalation, sandbox bypass, or production target change
  • Destructive local commands and irreversible migrations

Recovery plan

  • Use version control for local changes
  • Keep previous deployment and migration artifacts
  • Revoke task credentials and document any external action taken

CLI, MCP, or API?

Choose the interface by execution location, identity, output contract, and permission boundary.

CLI

Strong for workspace-native implementation, inspection, testing, and transparent remote commands.

MCP

Use for services whose operations should be typed and centrally mediated.

API

Choose for purpose-built automation where a direct CLI would expose too broad a surface.

Recommended approach

Use CLI for repository work; use MCP or a narrow API when it improves remote permission control.

Official evidence and references

Use these primary or upstream sources to verify current command behavior before acting.

Codex CLI documentation

Official Codex CLI guidance for terminal workflows and execution controls.

GitHub CLI manual

Official command, authentication, JSON field, and workflow documentation.

Cloudflare Wrangler documentation

Official Wrangler command and configuration documentation for Workers.

PostgreSQL psql documentation

Official psql options, variables, output formats, and execution behavior.

Questions before you run it

Should Codex receive production credentials by default?

No. Supply credentials only for the active task and prefer read-only or environment-specific scope.

What output works best?

Prefer JSON, CSV, SARIF, explicit exit codes, file paths, IDs, and URLs over colorized prose.

Related tools and guides

Browse sibling guides and choose the next page that best matches the active task.

Continue with tool evidence, a workflow, or a decision guide related to this task.

Continue with tool evidence, a workflow, or a decision guide related to this task.

Continue with tool evidence, a workflow, or a decision guide related to this task.

Inspect installation, authentication, structured output, command risk, and official evidence.

Inspect installation, authentication, structured output, command risk, and official evidence.

Inspect installation, authentication, structured output, command risk, and official evidence.