Agent 工具栈指南
Codex CLI 工具与安全配置
用确定性本地工具配合 Codex,只在沙箱和审批规则允许时加入远程 CLI。
编程 Agent本地写入
Codex 命令策略预览
从一个推荐 CLI 开始,以只读模式生成策略;保存前检查命令前缀、目标环境和审批边界。
Codex command policyverified · 2026-07-10
codex-policy.rules
# Codex execution policy for GitHub CLI
# Install as a .rules file under an active Codex rules/ directory.
# Generated mode: read-only
# Mode boundary: R0 exact commands may be used; R1, R2, and R3 commands are forbidden.
# Evidence: verified; checked 2026-07-10; tested version: 2.86.0.
# Prefix rules match trailing arguments. CLI Finder prompts unless a command is explicitly audited as suffix-safe.
# Rules are experimental. Review prefixes, then test with codex execpolicy check.
prefix_rule(
pattern = ["gh","pr","list","--state","open","--json","number,title,reviewDecision,url"],
decision = "prompt",
justification = "R0: Read pull request status and review fields without changing repository state.",
match = ["gh pr list --state open --json number,title,reviewDecision,url"],
)
prefix_rule(
pattern = ["gh","pr","merge"],
decision = "forbidden",
justification = "R2: Merges code into the target branch and needs explicit approval.",
match = ["gh pr merge 123 --squash"],
)
prefix_rule(
pattern = ["gh","repo","delete"],
decision = "forbidden",
justification = "R3: Deletes remote repository data and is destructive.",
match = ["gh repo delete owner/repo"],
)
证据边界
兼容性不等于实测:当前数据没有把独立 CLI 执行归因到具体 Agent。
生成内容是待审查的起点。远程写入、删除、生产操作和任何需要确认的命令仍必须停下获得明确批准。
目标、输入与输出
在 Agent 选择命令前,先明确要交付的结果和证据。
Codex CLI 工具与安全配置:安全执行步骤
每一步都要在已声明的边界内执行,验证输出后再继续。
审批点与回滚
在列出的决策点停下,并让恢复方法始终紧跟操作。
选 CLI、MCP 还是 API?
根据执行位置、身份、输出合同与权限边界选接口。
建议方案
仓库工作用 CLI;若能改善远程权限控制则用 MCP 或窄 API。
官方证据与参考
执行前使用这些官方或上游来源确认当前命令行为。