Agent stack guide
Best CLI Tools for Codex
Pair Codex with deterministic local tools and add remote CLIs only when the sandbox and approval policy allow the task.
Codex command policy preview
Start with one recommended CLI and a read-only policy. Review command prefixes, the target environment, and approval boundaries before saving it.
# Codex execution policy for GitHub CLI
# Install as a .rules file under an active Codex rules/ directory.
# Generated mode: read-only
# Mode boundary: R0 exact commands may be used; R1, R2, and R3 commands are forbidden.
# Evidence: verified; checked 2026-07-10; tested version: 2.86.0.
# Prefix rules match trailing arguments. CLI Finder prompts unless a command is explicitly audited as suffix-safe.
# Rules are experimental. Review prefixes, then test with codex execpolicy check.
prefix_rule(
pattern = ["gh","pr","list","--state","open","--json","number,title,reviewDecision,url"],
decision = "prompt",
justification = "R0: Read pull request status and review fields without changing repository state.",
match = ["gh pr list --state open --json number,title,reviewDecision,url"],
)
prefix_rule(
pattern = ["gh","pr","merge"],
decision = "forbidden",
justification = "R2: Merges code into the target branch and needs explicit approval.",
match = ["gh pr merge 123 --squash"],
)
prefix_rule(
pattern = ["gh","repo","delete"],
decision = "forbidden",
justification = "R3: Deletes remote repository data and is destructive.",
match = ["gh repo delete owner/repo"],
)
Evidence boundary
Compatibility is not a test result: current data does not attribute independent CLI execution to a particular agent.
Treat generated content as a reviewable starting point. Remote writes, deletion, production actions, and any confirmation-marked command must still stop for explicit approval.
Outcome, inputs, and outputs
Define the result and evidence before the agent selects a command.
Best CLI Tools for Codex: safe workflow
Run each step inside its stated boundary and verify the output before continuing.
Approval points and rollback
Pause at the listed decision points and keep recovery instructions beside the action.
CLI, MCP, or API?
Choose the interface by execution location, identity, output contract, and permission boundary.
Recommended approach
Use CLI for repository work; use MCP or a narrow API when it improves remote permission control.
Official evidence and references
Use these primary or upstream sources to verify current command behavior before acting.