Codex CLI is an experimental, open-source command-line interface tool designed as a lightweight coding agent that integrates AI reasoning with the ability to execute code, manipulate files, and iterate directly within the terminal, under version control. It aims to provide "chat-driven development" by understanding and executing tasks within a repository context.

The core methodology revolves around an AI agent, typically powered by OpenAI's models (defaulting to o4-mini), that can perform actions based on user prompts. A critical aspect of its operation is its security model and sandboxing mechanisms, which dictate the agent's autonomy and interaction with the host system. The user can configure the agent's permission level via the --approval-mode flag or interactive prompts:

• Suggest (default): The agent can read any file in the repository but requires explicit user approval for all file writes/patches and any arbitrary shell commands.
• Auto Edit: The agent can read files and automatically apply patch writes to files, but still requires approval for shell commands.
• Full Auto: The agent can read and write files, and execute shell commands without explicit per-command approval.

To mitigate risks, particularly in Full Auto mode, Codex employs robust platform-specific sandboxing:

• macOS 12+: Utilizes Apple Seatbelt (sandbox-exec). Commands are wrapped such that the process environment is largely a read-only jail, with limited writable roots confined to the current working directory (__INLINE_FORMULA_0__TMPDIR), and the user's Codex configuration directory (~/.codex). Crucially, all outbound network access is *fully blocked* by default, preventing unauthorized external communication.
• Linux: While no default OS-level sandboxing is present, the recommended approach is Docker containerization. Codex launches itself within a minimal container image, mounting the user's repository read/write at the same path. Network egress from the container is strictly controlled by a custom iptables/ipset firewall script, which denies all outbound traffic *except* for communication with the OpenAI API. This ensures deterministic and isolated execution without requiring root privileges on the host.
• Windows: Supported via Windows Subsystem for Linux 2 (WSL2), leveraging Linux sandboxing.

The agent leverages project documentation and memory by processing AGENTS.md files found in ~/.codex/, the repository root, and the current working directory, merging them top-down to provide contextual guidance and custom instructions (e.g., "Always respond with emojis"). For non-interactive or CI/CD environments, a quiet mode (--quiet or $CODEX_QUIET_MODE=1$) is available, allowing headless operation with specified approval modes. Configuration parameters such as the AI model (--model or model: in config), approval mode, error handling in full auto mode, and desktop notifications can be set via YAML or JSON configuration files in ~/.codex/. It supports custom AI providers by allowing users to define baseURL and envKey for various API endpoints (e.g., OpenAI, Azure, OpenRouter, Ollama). The system is designed to scaffold files, run them in the sandbox, install missing dependencies, and display live results for user approval.