AI Coding Tool Setup and Reference (5/7) — Codex CLI Advanced Config: config.toml

4월 24, 2026

Per official Config Reference — real snippets, profiles, Windows native, safe rollout path

핵심 요약

Audience: You have Codex installed (install guide) and now want to shape approval / sandbox / models / MCP via ~/.codex/config.toml.
What you'll get: Eight frequently-used categories of snippets per the official Config Reference — three approval modes plus granular, workspace-write internals, multi-provider (OpenAI / Azure / Ollama), MCP server registration, profiles, Windows native option.
Prerequisite: Codex installed, AGENTS.md basics.

1. Where `config.toml` lives and how it layers

Official paths:

User-level: ~/.codex/config.toml (macOS/Linux) or %USERPROFILE%\.codex\config.toml (Windows)
Project-level: .codex/config.toml (project root, optional)
Admin enforcement: ~/.codex/requirements.toml (organizational policy)

Layering: project > user > default. requirements.toml hard-constrains user settings (users can't weaken).

~/.codex/ may not auto-create on first run. Create with mkdir -p ~/.codex.

2. Minimum useful config — starter

~/.codex/config.toml:

model = "gpt-5-codex"
model_provider = "openai"

approval_policy = "on-request"

sandbox_mode = "workspace-write"

model_reasoning_effort = "medium"

web_search = "cached"

These six lines are enough for day-to-day work. Borrow from below as needed.

3. Three approval policies + granular

approval_policy decides when Codex pauses for user approval.

Value	Behavior
`untrusted`	Only known-safe read-only commands auto-run; others always prompt
`on-request` (default)	Model decides when to request
`never`	Never prompt (automation only; risky)

3.1 Granular — per-category control

approval_policy = { granular = {
  sandbox_approval = true,
  rules = true,
  mcp_elicitations = true,
  request_permissions = false,
  skill_approval = false
} }

sandbox_approval — ask when leaving the sandbox
rules — ask when a prefix rule (execpolicy) triggers
mcp_elicitations — when an MCP server asks for input
request_permissions — permission-change requests
skill_approval — skill approvals

Granular is best when you want "only prompt where human judgment is required; automate the rest."

3.2 Approvals Reviewer

approvals_reviewer = "user"  # user (default) | auto_review

auto_review delegates approval decisions to a reviewer model (enterprise use).

4. Three sandbox modes + workspace-write internals

Mode	Read	Write	Network
`read-only`	✅	❌	❌
`workspace-write`	✅	✅ (within cwd)	❌ (default)
`danger-full-access`	✅	✅ unrestricted	✅

4.1 `workspace-write` details

sandbox_mode = "workspace-write"

[sandbox_workspace_write]
writable_roots = ["/tmp/build", "/var/log/myapp"]

network_access = false

exclude_tmpdir_env_var = false

exclude_slash_tmp = false

Enable network_access = true only when builds need to fetch dependencies. Leaving it on weakens the sandbox.

4.2 Fine-grained with Permissions Profile

default_permissions = "workspace"

[permissions.workspace.filesystem]
glob_scan_max_depth = 3
":project_roots" = { "." = "write", "**/*.env" = "none" }
"/absolute/path/to/secrets" = "none"

:project_roots is the project-relative token. **/*.env blocks even reading any env file anywhere in the project.

5. Reasoning & response control

5.1 Effort levels

model_reasoning_effort = "medium"

plan_mode_reasoning_effort = "high"

model_reasoning_summary = "auto"

model_verbosity = "medium"

5.2 Context & token caps



tool_output_token_limit = 12000

If you frequently read long logs, 8,000–20,000 is a reasonable range for tool_output_token_limit.

6. Multiple model providers

Built-in IDs: openai, ollama, lmstudio (reserved, can't override). Register custom providers under a different ID.

6.1 OpenAI Data Residency

[model_providers.openaidr]
name = "OpenAI Data Residency"
base_url = "https://us.api.openai.com/v1"
wire_api = "responses"

6.2 Azure OpenAI

[model_providers.azure]
name = "Azure"
base_url = "https://YOUR_PROJECT_NAME.openai.azure.com/openai"
wire_api = "responses"
query_params = { api-version = "2025-04-01-preview" }
env_key = "AZURE_OPENAI_API_KEY"
env_key_instructions = "Set AZURE_OPENAI_API_KEY in your environment"

6.3 Local Ollama (OSS models)

[model_providers.local_ollama]
name = "Ollama"
base_url = "http://localhost:11434/v1"
wire_api = "responses"

Switch inside a session:

/model gpt-oss-120b@local_ollama

6.4 Command-backed bearer token

For proxies or short-lived tokens:

[model_providers.proxy]
name = "OpenAI via LLM proxy"
base_url = "https://proxy.example.com/v1"
wire_api = "responses"

[model_providers.proxy.auth]
command = "/usr/local/bin/fetch-codex-token"
args = ["--audience", "codex"]
timeout_ms = 5000
refresh_interval_ms = 300000

The command prints a JWT to stdout; Codex injects it as a bearer header and refreshes every 5 minutes.

7. Registering MCP servers

Two transports are supported.

7.1 STDIO (local process)

[mcp_servers.docs]
enabled = true
command = "docs-server"
args = ["--port", "4000"]
env = { "API_KEY" = "value" }
cwd = "/path/to/server"
startup_timeout_sec = 10
tool_timeout_sec = 60
enabled_tools = ["search", "summarize"]
disabled_tools = ["slow-tool"]

7.2 Streamable HTTP

[mcp_servers.github]
enabled = true
url = "https://github-mcp.example.com/mcp"
bearer_token_env_var = "GITHUB_TOKEN"
http_headers = { "X-Example" = "value" }
env_http_headers = { "X-Auth" = "AUTH_ENV" }
scopes = ["repo"]

bearer_token_env_var injects that env var's value as Authorization: Bearer <token>. Fits most authenticated MCP servers.

7.3 Required servers

[mcp_servers.critical]
command = "critical-server"
required = true  # Codex startup fails if this server can't initialize

For production automation that must not run without a specific MCP server.

8. Profiles — preset switching for scenarios

Keep multiple work modes in one config.toml and switch via flag.

profile = "safe"  # default profile

[profiles.safe]
sandbox_mode = "read-only"
approval_policy = "untrusted"
model_reasoning_effort = "low"

[profiles.dev]
sandbox_mode = "workspace-write"
approval_policy = "on-request"
model_reasoning_effort = "medium"

[profiles.ci]
sandbox_mode = "workspace-write"
approval_policy = "never"
model_reasoning_effort = "minimal"
web_search = "disabled"

Invoke with:

codex --profile dev
codex --profile ci exec "lint the codebase and fix issues"

Leaving safe as default and switching to dev deliberately prevents accidental destructive runs.

9. History, state, shell environment

9.1 History persistence

[history]
persistence = "save-all"  # save-all (default) | none
max_bytes = 5242880  # 5 MB

Use none for API-auth / audited environments where transcripts shouldn't persist.

9.2 Shell environment policy

Controls the env vars of shells Codex spawns:

[shell_environment_policy]
inherit = "all"

ignore_default_excludes = false

exclude = ["AWS_*", "AZURE_*"]

set = { "CI" = "true" }

include_only = []

In sensitive environments, inherit = "core" + include_only = ["PATH", "HOME"] leaks the minimum.

9.3 SQLite state location

sqlite_home = "/path/to/codex-state"  # default $CODEX_HOME
log_dir = "/path/to/codex-logs"

10. Windows native only

[windows]
sandbox = "unelevated"

elevated runs the sandbox as admin — required for rare cases like registry edits or system-folder access. Normal dev should stick with unelevated.

Non-Windows hosts silently ignore the [windows] section.

11. TUI customization (optional)

[tui]
theme = "catppuccin-mocha"

notifications = false  # true | false | ["agent-turn-complete", "approval-requested"]

animations = true

status_line = ["model", "context-remaining", "git-branch"]

terminal_title = ["spinner", "project"]

Custom .tmTheme files go in $CODEX_HOME/themes/ and appear in /theme automatically.

12. Features flags

[features]

Keep defaults and override only as needed. Listing every flag invites surprises on upgrade.

13. A safe rollout path — progressive

Recommended order when introducing Codex to a new project.

Day 1: sandbox_mode = "read-only" + approval_policy = "untrusted" + model = "gpt-5-codex". Read and analyze only.
Day 2+: Apply Codex's proposed changes by hand. Once comfortable, switch to workspace-write.
Week 2+: Move to on-request. Switch to the dev profile for longer tasks.
Automation stage: Only in isolated CI with never + workspace-write. Never use never directly against production repos.

Rule of thumb: approval and sandbox are orthogonal. Relax one at a time until you hit a felt-safe combination. Relaxing both simultaneously makes post-incident diagnosis hard.

14. Counter-scenarios — when not to touch config.toml

First time with Codex → Use defaults for a few days, collect pain points, then tune.
Team-wide shared settings → A user-home config.toml can't share. Use requirements.toml + MDM.
One-off customization → A CLI flag (codex --sandbox-mode read-only) is enough. Don't bake it into the file.
Enterprise needs hard constraints → Use requirements.toml with allowed_approval_policies, allowed_sandbox_modes, etc.

15. What's next

With advanced config in hand:

Codex + Claude Code parallel workflow — role division (coming soon).
Codex install complete guide — install / auth / AGENTS.md.
Claude Code hooks complete guide — Codex doesn't have hooks; worth comparing.

References

This is post 7/15 in the "AI Coding CLI Entry Guide" series. last verified: 2026-04-25 (per official OpenAI Codex Config Reference).