AI Coding Tool Setup and Reference (4/7) — Codex CLI Install: macOS, Linux, Windows, WSL2
Install paths, auth, sandbox modes, AGENTS.md, config.toml — all in one page, per official docs
ํต์ฌ ์์ฝ
- Audience: You've used Claude Code but Codex is new to you, or you plan to run both.
- What you'll get: Per official OpenAI Codex docs — install (npm/brew), per-platform verbatim commands, ChatGPT vs API key auth, AGENTS.md starter template, config.toml location, three sandbox modes.
- Prerequisite: Terminal basics. Node-based install, so you'll need Node eventually.
1. Install methods at a glance
Official docs lead with npm; Homebrew is secondary.
| Method | Platforms | When to use |
|---|---|---|
| npm (recommended) | macOS, Linux, Windows, WSL2 | Most personal dev setups |
| Homebrew | macOS, Linux | When you manage tools with Homebrew |
codex exec (non-interactive) |
All | CI / script automation |
Unlike Claude Code, Codex's npm install is not deprecated — OpenAI's docs explicitly lead with it.
2. System requirements
- OS: macOS / Linux / Windows
- Windows supports both native PowerShell (Windows sandbox) and WSL2
- Linux: x86_64, arm64
- macOS: Apple Silicon, x86_64
- Node.js: Official README doesn't pin a version. Latest LTS (Node 20+) recommended.
- Network: Required for ChatGPT or API auth.
3. Install — verbatim commands
3.1 npm (recommended)
npm i -g @openai/codex
Upgrade:
npm i -g @openai/codex@latest
Avoid sudo npm install -g for permission/security reasons. Use nvm or fnm for a user-level Node environment.
3.2 Homebrew (macOS / Linux)
brew install --cask codex
3.3 Windows — native PowerShell
npm i -g @openai/codex
Install happens in PowerShell, and subsequent runs use Windows' native sandbox. Controlled by the windows.sandbox_mode option in config.toml.
3.4 Windows — WSL2
From Ubuntu/Debian WSL2, run the Linux install.
npm i -g @openai/codex
WSL2 uses the Linux sandbox. If your project uses Linux-only toolchains (Docker, ripgrep, etc.), WSL2 is the better fit.
4. Verify the install
codex --version
If the command isn't found, check that the global npm bin is in your PATH:
npm bin -g
5. Auth — two options
Official docs specify two methods.
| Option | For | Billing | Setup |
|---|---|---|---|
| ChatGPT account (recommended) | Plus / Pro / Business / Edu / Enterprise | Subscription (Codex included) | Browser login on first run |
| API Key | Platform credits users | Usage-based | Choose "Use an API Key" at login |
ChatGPT Plus, Pro, Business, Edu, and Enterprise plans all include Codex access. The free ChatGPT plan does not.
On first codex, a prompt asks "Sign in with ChatGPT" or "Use an API Key." Credentials are then stored under ~/.codex/.
6. First session
From your project directory:
cd /path/to/your/project
codex
Interactive session starts. Essential commands:
| Command | Effect |
|---|---|
codex |
Start interactive session |
codex exec "task" |
One-off non-interactive run (CI-friendly) |
codex init |
Initialize project (generate AGENTS.md) |
codex --version |
Show version |
Slash commands inside a session (essentials):
- /model — switch model (GPT-5, GPT-5-Codex, etc.)
- /config — settings
- /exit or Ctrl+D — quit
Full list in the official CLI Reference.
7. AGENTS.md — the Codex project instructions file
Codex reads AGENTS.md before any work. The concept parallels Claude Code's CLAUDE.md, but loading rules differ.
7.1 File placement and priority
Per official docs:
- Global:
~/.codex/AGENTS.mdor~/.codex/AGENTS.override.md - Project: Walk down from the Git root to the current working directory
- Merge order: Concatenate top-down. Files closer to the current directory override earlier guidance.
- At most one file per directory (
AGENTS.override.mdwins overAGENTS.mdin the same dir)
7.2 Starter — ~/.codex/AGENTS.md (global)
## Testing
- Run `npm test` after modifying JavaScript files
- Run `pytest -x` after modifying Python
## Dependencies
- Prefer `pnpm` over `npm`
- Ask before adding a new production dependency
## Commits
- Conventional commits (feat:, fix:, chore:)
- One topic per PR
7.3 Project override — services/payments/AGENTS.override.md
- Use `make test-payments` (not `npm test`)
- Notify the security channel before rotating API keys
- Legal review required before collecting new PII
AGENTS.override.md replaces upstream rules (not concat).
7.4 Coexisting with Claude Code's CLAUDE.md
When both tools operate in the same repo, have CLAUDE.md import AGENTS.md to avoid duplication (Claude Code side):
@AGENTS.md
## Claude Code
Use plan mode for changes under `src/billing/`.
8. ~/.codex/config.toml basics
Shared config between CLI and IDE extension. Location: ~/.codex/config.toml.
Key categories:
model = "gpt-5-codex"
provider = "openai"
approval_policy = "on-request" # or "on-failure", "never"
sandbox_mode = "workspace-write" # read-only / workspace-write / danger-full-access
[windows]
sandbox_mode = "elevated" # native Windows sandbox option
Advanced settings: Config Reference. Start with defaults, add only as needed.
9. Three sandbox modes
Codex controls filesystem and network access per sandbox mode.
| Mode | Read | Write | Network |
|---|---|---|---|
read-only |
✅ | ❌ | ❌ |
workspace-write (default) |
✅ | ✅ (within cwd) | ❌ (default) |
danger-full-access |
✅ | ✅ (unrestricted) | ✅ |
9.1 Allow extra paths in workspace-write
Default: writes limited to cwd. For additional paths:
[sandbox]
writable_roots = ["/tmp/build", "/var/log/myapp"]
9.2 Sandbox vs approval policy
- approval_policy: when Codex pauses for approval
on-request: whenever a command leaves the sandboxon-failure: only when a sandboxed command failsnever: never asks (automation-only, risky)- sandbox_mode: what Codex is allowed to do
Orthogonal axes — workspace-write + on-request is the most common personal dev setup.
10. Native Windows vs WSL2 — decision
| Situation | Pick |
|---|---|
| Node/Python-heavy project, no Docker | Windows native |
| Linux-only toolchain (Docker, ripgrep, GNU make) | WSL2 |
| Large repo where filesystem perf matters | WSL2 (work in ext4) |
| Heavy PowerShell script ecosystem | Windows native |
WSL2 initial setup: install "Ubuntu" from Windows Store → wsl --install → run npm install inside that shell.
11. Coexistence with Claude Code
Common concerns when running both in the same repo.
| Potential conflict | Resolution |
|---|---|
.claude/ vs .codex/ |
Different directories — no conflict |
| AGENTS.md vs CLAUDE.md | Claude Code can @AGENTS.md import — single source |
| Sandbox modes have different names | Codex uses workspace-write; Claude Code uses /sandbox — independent |
/model command |
Both use the name but with their own model lists |
Concrete Codex + Claude Code parallel workflows are covered in a later post.
12. Counter-scenarios — when this guide doesn't fit
- Free ChatGPT plan only → No Codex access. Plus-or-higher, or API key, required.
- macOS 12 or older → Official support is on recent macOS. Upgrade OS first.
- You don't want a Node install → Official path is npm-centric. Homebrew is the alternative but doesn't auto-update.
- Company policy blocks writes outside
/tmp→ Start withsandbox_mode = "read-only", then approve required commands via the prompt.
13. What's next
Once installed:
~/.codex/config.tomladvanced configuration — approval / sandbox / model switching (coming soon).- Codex + Claude Code parallel workflow — role division (coming soon).
- Claude Code install complete guide — for comparison or parallel use.
References
- Official Codex CLI overview
- CLI Reference
- AGENTS.md guide
- Config Reference
- Sandbox concepts
- openai/codex on GitHub
This is post 6/15 in the "AI Coding CLI Entry Guide" series. last verified: 2026-04-25 (per official OpenAI Codex CLI docs + GitHub README).
Series overview: Series index
๋๊ธ
๋๊ธ ์ฐ๊ธฐ