https://github.com/openai/codex/pull/160 introduced a call to `exec()`
that takes a format string as an argument, but it is not clear that the
expansions within the format string are escaped safely. As written, it
is possible a carefully crafted command (e.g., if `cwd` were `"; && rm
-rf` or something...) could run arbitrary code.
Moving to `spawn()` makes this a bit better, as now at least `spawn()`
itself won't run an arbitrary process, though I suppose `osascript`
itself still could if the value passed to `-e` were abused. I'm not
clear on the escaping rules for AppleScript to ensure that `safePreview`
and `cwd` are injected safely.
---
[//]: # (BEGIN SAPLING FOOTER)
Stack created with [Sapling](https://sapling-scm.com). Best reviewed
with [ReviewStack](https://reviewstack.dev/openai/codex/pull/416).
* #423
* #420
* #419
* __->__ #416
This check was lost in https://github.com/openai/codex/pull/287. Both
the root folder and `codex-cli/` have their own `pnpm format` commands
that check the formatting of different things.
Also ran `pnpm format:fix` to fix the formatting violations that got in
while this was disabled in CI.
---
[//]: # (BEGIN SAPLING FOOTER)
Stack created with [Sapling](https://sapling-scm.com). Best reviewed
with [ReviewStack](https://reviewstack.dev/openai/codex/pull/417).
* #420
* #419
* #416
* __->__ #417
Add interactive slash‑command autocomplete & navigation in chat input
Description
This PR enhances the chat input component by adding first‑class support
for slash commands (/help, /clear, /compact, etc.)
with:
* **Live filtering:** As soon as the user types leading `/`, a list of
matching commands is shown below the prompt.
* **Arrow‑key navigation:** Up/Down arrows cycle through suggestions.
* **Enter to autocomplete:** Pressing Enter on a partial command will
fill it (without submitting) so you can add
arguments or simply press Enter again to execute.
* **Type‑safe registry:** A new `slash‑commands.ts` file declares all
supported commands in one place, along with
TypeScript types to prevent drift.
* **Validation:** Only registered commands will ever autocomplete or be
suggested; unknown single‑word slash inputs still
show an “Invalid command” system message.
* **Automated tests:**
* Unit tests for the command registry and prefix filtering
* Existing tests continue passing with no regressions
Motivation
Slash commands provide a quick, discoverable way to control the agent
(clearing history, compacting context, opening overlays,
etc.). Before, users had to memorize the exact command or rely on the
generic /help list—autocomplete makes them far more
accessible and reduces typos.
Changes
* `src/utils/slash‑commands.ts` – defines `SlashCommand` and exports a
flat list of supported commands + descriptions
* `terminal‑chat‑input.tsx`
* Import and type the command registry
* Render filtered suggestions under the prompt when input starts with
`/`
* Hook into `useInput` to handle Up/Down and Enter for selection & fill
* Flag to swallow the first Enter (autocomplete) and only submit on the
next
* Updated tests in `tests/slash‑commands.test.ts` to cover registry
contents and filtering logic
* Removed old JS version and fixed stray `@ts‑expect‑error`
How to test locally
1. Type `/` in the prompt—you should see matching commands.
2. Use arrows to move the highlight, press Enter to fill, then Enter
again to execute.
3. Run the full test suite (`npm test`) to verify no regressions.
Notes
* Future work could include fuzzy matching, paging long lists, or more
visual styling.
* This change is purely additive and does not affect non‑slash inputs or
existing slash handlers.
---------
Co-authored-by: Fouad Matin <169186268+fouad-openai@users.noreply.github.com>
Co-authored-by: Thibault Sottiaux <tibo@openai.com>
This PR implements support for reading the approvalMode setting from the
user's config file (`~/.codex/config.json` or `~/.codex/config.yaml`),
allowing users to set a persistent default approval mode without needing
to specify command-line flags for each session.
Changes:
- Added approvalMode to the AppConfig type in config.ts
- Updated loadConfig() to read the approval mode from the config file
- Modified saveConfig() to persist the approval mode setting
- Updated CLI logic to respect the config-defined approval mode (while
maintaining CLI flag priority)
- Added comprehensive tests for approval mode config functionality
- Updated README to document the new config option in both YAML and JSON
formats
- additions to `.gitignore` for other CLI tools
Motivation:
As a user who regularly works with CLI-tools, I found it odd to have to
alias this with the command flags I wanted when `approvalMode` simply
wasn't being parsed even though it was an optional prop in `config.ts`.
This change allows me (and other users) to set the preference once in
the config file, streamlining daily usage while maintaining the ability
to override via command-line flags when needed.
Testing:
I've added a new test case loads and saves approvalMode correctly that
verifies:
- Reading the approvalMode from the config file works correctly
- Saving the approvalMode to the config file works as expected
- The value persists through load/save operations
All tests related to the implementation are passing.
Implements https://github.com/openai/codex/issues/392
When the user is in suggest or auto-edit mode and gets an approval
request, they now have an option in the `Shell Command` dialog to:
`Switch approval mode (v)`
That option brings up the standard `Switch approval mode` dialog,
allowing the user to switch into the desired mode, then drops them back
to the `Shell Command` dialog's `Allow command?` prompt, allowing them
to approve the current command and let the agent continue doing the rest
of what it was doing without interruption.
```
╭────────────────────────────────────────────────────────
│Shell Command
│
│$ apply_patch << 'PATCH'
│*** Begin Patch
│*** Update File: foo.txt
│@@ -1 +1 @@
│-foo
│+bar
│*** End Patch
│PATCH
│
│
│Allow command?
│
│ Yes (y)
│ Explain this command (x)
│ Edit or give feedback (e)
│ Switch approval mode (v)
│ No, and keep going (n)
│ No, and stop for now (esc)
╰────────────────────────────────────────────────────────╭────────────────────────────────────────────────────────
│ Switch approval mode
│ Current mode: suggest
│
│
│
│ ❯ suggest
│ auto-edit
│ full-auto
│ type to search · enter to confirm · esc to cancel
╰────────────────────────────────────────────────────────
```
# Improve Developer Experience with Husky and lint-staged for pnpm
Monorepo
## Summary
This PR enhances the developer experience by configuring Husky and
lint-staged to work properly with our pnpm monorepo structure. It
centralizes Git hooks at the root level and ensures consistent code
quality across the project.
## Changes
- Centralized Husky and lint-staged configuration at the monorepo root
- Added pre-commit hook that runs lint-staged to enforce code quality
- Configured lint-staged to:
- Format JSON, MD, and YAML files with Prettier
- Lint and typecheck TypeScript files before commits
- Fixed release script in codex-cli package.json (changed "pmpm" to "npm
publish")
- Removed duplicate Husky and lint-staged configurations from codex-cli
package.json
## Benefits
- **Consistent Code Quality**: Ensures all committed code meets project
standards
- **Automated Formatting**: Automatically formats code during commits
- **Early Error Detection**: Catches type errors and lint issues before
they're committed
- **Centralized Configuration**: Easier to maintain and update in one
place
- **Improved Collaboration**: Ensures consistent code style across the
team
## Future Improvements
We could further enhance this setup by
**Commit Message Validation**: Add commitlint to enforce conventional
commit messages
---------
Co-authored-by: Thibault Sottiaux <tibo@openai.com>
# What?
* When a prompt references an image path that doesn’t exist, replace it
with
```[missing image: <path>]``` instead of throwing an ENOENT.
* Adds a few unit tests for input-utils as there weren't any beforehand.
# Why?
Right now if you enter an invalid image path (e.g. it doesn't exist),
codex immediately crashes with a ENOENT error like so:
```
Error: ENOENT: no such file or directory, open 'test.png'
...
{
errno: -2,
code: 'ENOENT',
syscall: 'open',
path: 'test.png'
}
```
This aborts the entire session. A soft fallback lets the rest of the
input continue.
# How?
Wraps the image encoding + inputItem content pushing in a try-catch.
This is a minimal patch to avoid completely crashing — future work could
surface a warning to the user when this happens, or something to that
effect.
---------
Co-authored-by: Thibault Sottiaux <tibo@openai.com>
## Changes
- Added a `requiresShell` function to detect when a command contains
shell operators
- In the `exec` function, enabled the `shell: true` option if shell
operators are present
## Why This Is Necessary
See the discussion in this issue comment:
https://github.com/openai/codex/issues/320#issuecomment-2816528014
## Code Explanation
The `requiresShell` function parses the command arguments and checks for
any shell‑specific operators. If it finds shell operators, it adds the
`shell: true` option when running the command so that it’s executed
through a shell interpreter.
This pull request adds a feature that allows users to configure
auto-approved commands via a `safeCommands` array in the configuration
file.
## Related Issue
#380
## Changes
- Added loading and validation of the `safeCommands` array in
`src/utils/config.ts`
- Implemented auto-approval logic for commands matching `safeCommands`
prefixes in `src/approvals.ts`
- Added test cases in `src/tests/approvals.test.ts` to verify
`safeCommands` behavior
- Updated documentation with examples and explanations of the
configuration
Since we migrated to `pnpm` in #287, this updates the README to reflect
that change.
Just a small cleanup to align the commands with the current setup.
Adding in an option to turn on flex processing mode to reduce costs when
running the agent.
Bumped the openai typescript version to add the new feature.
---------
Co-authored-by: Thibault Sottiaux <tibo@openai.com>
**Summary**
This change introduces a new startup check that notifies users if a
newer `@openai/codex` version is available. To avoid spamming, it writes
a small state file recording the last check time and will only re‑check
once every 24 hours.
**What’s Changed**
- **New file** `src/utils/check-updates.ts`
- Runs `npm outdated --global @openai/codex`
- Reads/writes `codex-state.json` under `CONFIG_DIR`
- Limits checks to once per day (`UPDATE_CHECK_FREQUENCY = 24h`)
- Uses `boxen` for a styled alert and `which` to locate the npm binary
- **Hooked into** `src/cli.tsx` entrypoint:
```ts
import { checkForUpdates } from "./utils/check-updates";
// …
// after loading config
await checkForUpdates().catch();
```
- **Dependencies**
- Added `boxen@^8.0.1`, `which@^5.0.0`, `@types/which@^3.0.4`
- **Tests**
- Vitest suite under `tests/check-updates.test.ts`
- Snapshot in `__snapshots__/check-updates.test.ts.snap`
**Motivation**
Addresses issue #244. Users running a stale global install will now see
a friendly reminder—at most once per day—to upgrade and enjoy the latest
features.
**Test Plan**
- `getNPMCommandPath()` resolves npm correctly
- `checkOutdated()` parses `npm outdated` JSON
- State file prevents repeat alerts within 24h
- Boxen snapshot matches expected output
- No console output when state indicates a recent check
**Related Issue**
try resolves#244
**Preview**
Prompt a pnpm‑style alert when outdated
Let me know if you’d tweak any of the messaging, throttle frequency,
placement in the startup flow, or anything else.
---------
Co-authored-by: Thibault Sottiaux <tibo@openai.com>
- Docker container name based on work directory
- Centralize container removal logic
- Improve quoting for command arguments
- Ensure workdir is always set and normalized
Resolves: #371
Signed-off-by: BadPirate <badpirate@gmail.com>
Signed-off-by: BadPirate <badpirate@gmail.com>
# Migrate to pnpm for improved monorepo management
## Summary
This PR migrates the Codex repository from npm to pnpm, providing faster
dependency installation, better disk space usage, and improved monorepo
management.
## Changes
- Added `pnpm-workspace.yaml` to define workspace packages
- Added `.npmrc` with optimal pnpm configuration
- Updated root package.json with workspace scripts
- Moved resolutions and overrides to the root package.json
- Updated scripts to use pnpm instead of npm
- Added documentation for the migration
- Updated GitHub Actions workflow for pnpm
## Benefits
- **Faster installations**: pnpm is significantly faster than npm
- **Disk space savings**: pnpm's content-addressable store avoids
duplication
- **Strict dependency management**: prevents phantom dependencies
- **Simplified monorepo management**: better workspace coordination
- **Preparation for Turborepo**: as discussed, this is the first step
before adding Turborepo
## Testing
- Verified that `pnpm install` works correctly
- Verified that `pnpm run build` completes successfully
- Ensured all existing functionality is preserved
## Documentation
Added a detailed migration guide in `PNPM_MIGRATION.md` explaining:
- Why we're migrating to pnpm
- How to use pnpm with this repository
- Common commands and workspace-specific commands
- Monorepo structure and configuration
## Next Steps
As discussed, once this change is stable, we can consider adding
Turborepo as a follow-up enhancement.
# Fix CLI launcher on Windows by replacing `sh`-based entrypoint with
cross-platform Node script
## What's changed
* This PR attempts to replace the sh-based entry point with a node
script that works on all platforms including Windows Powershell and CMD
## Why
* Previously, when installing Codex globally via `npm i -g
@openai/codex`, Windows resulted in a broken CLI issue due to the `ps1`
launcher trying to execute `sh.exe`.
* If users don't have Unix-style shell, running the command will fail as
seen below since `sh.exe` can't be found
* Output:
```
& : The term 'sh.exe' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is
correct and try again.
At C:\Users\{user}\AppData\Roaming\npm\codex.ps1:24 char:7
+ & "sh$exe" "$basedir/node_modules/@openai/codex/bin/codex" $args
+ ~~~~~~~~
+ CategoryInfo : ObjectNotFound: (sh.exe:String) [],
CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
```
## How
* By using a Node based entry point that resolves the path to the compiled ESM bundle and dynamically loads it using native ESM
* Removed dependency on platform-specific launchers allowing a single entrypoint to work everywhere Node.js runs.
## Result
Codex CLI now supports cross-platform and launches correctly via:
* macOS / Linux
* Windows PowerShell
* GitBash
* CMD
* WSL
Directly addresses #316
Fix: Shift + Enter no longer prints “[27;2;13~” in the single‑line
input. Validated as working and necessary in Ghostty on Linux.
## Key points
- src/components/vendor/ink-text-input.tsx
- Added early handler that recognises the two modifyOtherKeys
escape‑sequences
- [13;<mod>u (mode 2 / CSI‑u)
- [27;<mod>;13~ (mode 1 / legacy CSI‑~)
- If Ctrl is held (hasCtrl flag) → call onSubmit() (same as plain
Enter).
- Otherwise → insert a real newline at the caret (same as Option+Enter).
- Prevents the raw sequence from being inserted into the buffer.
- src/components/chat/multiline-editor.tsx
- Replaced non‑breaking spaces with normal spaces to satisfy eslint
no‑irregular‑whitespace rule (no behaviour change).
All unit tests (114) and ESLint now pass:
npm test ✔️
npm run lint ✔️
closes#207
I'd be lying if I said I was familiar with these particulars more than a
couple hours ago, but after investigating and testing locally, this does
fix the go issue, I prefer it over #272 which is a lot of code and a one
off fix
----
cc @bolinfest do you mind taking a look here?
1. Seatbelt compares the paths it gets from the kernal to its policies
1. Go is attempting to write to the os.tmpdir, which we have
allowlisted.
1. The kernel rewrites /var/… to /private/var/… before the sandbox
check.
1. The policy still said /var/…, so writes were denied.
Fix: canonicalise every writable root we feed into the policy
(realpathSync(...)).
We do not have to touch runtime file paths—the kernel already
canonicalises those.
### before
see that the command exited 1, and that the command was reported to be
prohibited, despite using the allowlisted tmpdir
https://github.com/user-attachments/assets/23911101-0ec0-4a59-a0a1-423be04063f0
### after
command exits 0
https://github.com/user-attachments/assets/6ab2bcd6-68bd-4f89-82bb-2c8612e39ac3
This PR introduces a Nix flake configuration to enable reproducible
development environments:
- Adds flake.nix defining a devShell with necessary dependencies.
- Updates README.md with usage instructions for `nix develop`.
- Ensures CI compatibility with Nix for consistent builds.
### What is added?
I extend the if-else blocks with an additional condition where the
commands validity is checked. This only applies for entered inputs that
start with '/' and are a single word. This isn't necessarily restrictive
from the previous behavior of the program. When an invalid command is
detected, an error message is printed with a direction to retrieve
command list.
### Why is it added?
There are three main reasons for this change
**1. Model Hallucination**: When invalid commands are passed as prompts
to models, models hallucinate behavior. Since there was a fall through
in invalid commands, the models took these as prompts and hallucinated
that they completed the prompted task. An example of this behavior is
below. In the case of this example, the model though they had access to
`/clearhistory` tool where in reality that isn't the case.
A before and after effect of this tool is below:
**2. Saves Users Credits and Time**: Since false commands and invalid
commands aren't processed by the model, the user doesn't spend money on
stuff that could have been mitigated much easily. The time argument is
especially applicable for reasoning models.
**3. Saves GPU Time**: GPU time is valuable, and it is not necessary to
spend it on unnecessary/invalid requests.
### Code Explanation
If no command is matched, we check if the inputValue start with `/`
which indicated the input is a command (I will address the case where it
is isn't below). If the inputValue start with `/` we enter the else if
statement. I used a nested if statement for readability and further
extendability in the future.
There are alternative ways to check besides regex, but regex is a short
code and looks clean.
**Check Conditions**: The reason why I only check single word(command)
case is that to allow prompts where the user might decide to start with
`/` and aren't commands. The nested if statements also come in handy
where in the future other contributors might want to extend this
checking.
The code passes type, lint and test checks.
Added the ability to compact. Not sure if I should switch the model over
to gpt-4.1 for longer context or if keeping the current model is fine.
Also I'm not sure if setting the compacted to system is best practice,
would love feedback 😄
Mentioned in this issue: https://github.com/openai/codex/issues/230
Probably not the most exciting PR you’ll get today, but I noticed that
every file in the repo follows kebab-case… except one brave little
underscore in `cli_singlepass.tsx`.
So I made the world a little more consistent. Just a filename rename —
no logic changes, no semicolons harmed
Didn’t touch any code, I promise. Just bringing order to the filesystem
— one hyphen at a time.
This PR adds a shell wrapper in `codex-cli/bin/codex` to detect node or
bun as the runtime.
It updates:
- `package.json` bin entry
- published files list to include bin/
- README install instructions to include `bun install -g @openai/codex`
Hi, when I tried to run the tests in the cloned repo I got an error from
vitest trying to get the vite.config.ts from the parent folder. I don't
know why this it not happening to more people but this fixed it, so
maybe it is useful for someone else.
This PR replaces all hard‑coded patch markers in apply‑patch.ts with the
corresponding constants (now) exported from parse‑apply‑patch.ts.
Changes
• Import PATCH_PREFIX, PATCH_SUFFIX, ADD_FILE_PREFIX,
DELETE_FILE_PREFIX, UPDATE_FILE_PREFIX, MOVE_FILE_TO_PREFIX,
END_OF_FILE_PREFIX, and HUNK_ADD_LINE_PREFIX from parse‑apply‑patch.ts.
• Remove duplicate string literals for patch markers in apply‑patch.ts.
• Changed is_done() to trim the input to account for the slight
difference between the variables.
Why
• DRY & Consistency: Ensures a single source of truth for patch
prefixes.
• Maintainability: Simplifies future updates to prefix values by
centralizing them.
• Readability: Makes the code more declarative and self‑documenting.
All tests are passing, lint and format was ran.
Updated the position of the cursor on the user input box to be at the
end of the text when the user uses the arrow keys to navigate through
the input history in order to better match the behavior of a terminal.
This adds support for a new flag, `-w,--writable-root`, that can be
specified multiple times to _amend_ the list of folders that should be
configured as "writable roots" by the sandbox used in `full-auto` mode.
Values that are passed as relative paths will be resolved to absolute
paths.
Incidentally, this required updating a number of the `agent*.test.ts`
files: it feels like some of the setup logic across those tests could be
consolidated.
In my testing, it seems that this might be slightly out of distribution
for the model, as I had to explicitly tell it to run `apply_patch` and
that it had the permissions to write those files (initially, it just
showed me a diff and told me to apply it myself). Nevertheless, I think
this is a good starting point.
