Reference doc capturing codex exec --help output and annotating the flags relevant to Switchyard.
This is durable detail. Status, decisions, and design work live elsewhere (active-checklist.md, switchyard_mvp_addendum.md).
Captured 2026-04-30 from codex exec --help on the user's local install (npm @openai/codex).
Re-capture this doc whenever the CLI is upgraded. Help output is the source of truth, not this file.
--ignore-user-config— Don't load$CODEX_HOME/config.toml. Auth still usesCODEX_HOME. Suppresses user-level config only; it is not documented as anAGENTS.mdbypass.--ignore-rules— Don't load user or project execpolicy.rulesfiles.- No verified
AGENTS.mdbypass flag:codex exec --helpdoes not expose a flag that disablesAGENTS.mdloading. OpenAI's current agent-loop documentation describes global and project instruction aggregation as part of prompt construction, and the related GitHub feature request for a bypass flag is still open. - Verified discovery behavior:
codex debug prompt-inputcan render the model-visible prompt without a model call. With marker files inCODEX_HOME/AGENTS.mdand the working directory'sAGENTS.md, the rendered prompt included both markers under anAGENTS.md instructionsblock. - Verified alternate-home behavior: pointing
CODEX_HOMEat an empty harness-owned directory and running from a clean temp cwd removed theAGENTS.md instructionsblock fromcodex debug prompt-input. - Auth caveat: an empty alternate
CODEX_HOMEalso lacks Codex auth. A realcodex execsmoke reached the API path but failed with401 Unauthorized, so an isolated Switchyard Codex home would need auth material copied, linked, or established separately while omittingAGENTS.md. - Practical implication: Switchyard cannot currently count on clean Codex prompt isolation from flags alone. The adapter should either run Codex from a directory tree with no
AGENTS.mdfiles up to the effective project root and a controlledCODEX_HOME, or treat user/globalAGENTS.mdcontent as accepted ambient context. - Shadowing caveat: A deeper empty or minimal
AGENTS.mdmay override earlier guidance in model behavior, but it does not remove earlier loaded text from the prompt. Treat this as a behavior-management tactic, not true isolation.
-m, --model <MODEL>— model to use (e.g.o3, full GPT identifiers; the-c model="o3"example in the help confirms-cis also a valid override path).--oss— use open-source provider.--local-provider—lmstudioorollama. Local model routing is available out of the box.
-o, --output-last-message <FILE>— write the agent's final message directly to a file. Big win — answers the "is stdout the artifact or do we need to parse?" question for Codex. With-o, Codex writes the artifact where we tell it; stdout becomes status/narration that we can ignore. Likely the right default for the Switchyard Codex adapter.--output-schema <FILE>— JSON Schema describing the model's final response shape. Parallels Claude's--json-schema. Useful for Phase 2a+ critique steps where Switchyard wants structured decisions.--json— emit JSONL events on stdout. Useful for capturing tool-call traces if Switchyard ever wants to record full session history; for Phase 0 we want clean artifact only, so prefer-owithout--json.--color <COLOR>—always | never | auto. Set toneverfor clean captured output.
-s, --sandbox <SANDBOX_MODE>—read-only,workspace-write, ordanger-full-access. Parallels Claude's--permission-mode. For Phase 0 (and Phase 1, 2a, 2b — all planning/review),read-onlyenforces "no file edits" at the CLI level. For Phase 3 implementation,workspace-writeis the right level. Never usedanger-full-accessfrom Switchyard.--dangerously-bypass-approvals-and-sandbox— explicitly out of scope for Switchyard. Do not use.
-C, --cd <DIR>— set the agent's working root. Switchyard should set this to the target repo path, not rely on inherited cwd.--add-dir <DIR>— additional writable directories. Relevant if Switchyard's run folder is outside the target repo.--skip-git-repo-check— already used in the probe; required when running outside a git repo. For real Switchyard runs targeting a real repo, this should not be needed.
--ephemeral— don't persist session files to disk. Right default for Switchyard (the run folder is the durable record; Codex's session state is not).- The
resumesubcommand exists. Probably not relevant for Switchyard's current design — each lane invocation is independent and the run folder is the memory.
-c, --config <key=value>— override any config value (e.g.,-c model="o3",-c sandbox_permissions=["disk-full-read-access"]). Dotted paths supported. Last-resort hook for any setting not exposed as a top-level flag.-p, --profile <CONFIG_PROFILE>— named profile from config.toml. Switchyard could ship aswitchyardprofile, but--ignore-user-configmakes that less attractive — better to pass everything explicitly.
Tentative Codex lane invocation for Switchyard (pending the Codex prompt-isolation policy decision):
codex exec \
--ignore-user-config \
--ignore-rules \
--sandbox read-only \
--ephemeral \
--color never \
-C <run-or-target-dir> \
-o <artifact-path> \
-m <selected-model> \
"<prompt>"
For Phase 0 testing in a non-repo temp directory, add --skip-git-repo-check. Real Switchyard runs against a target repo should not need that flag.
The -o output file is the key adapter choice — it gives Codex a clean place to write the artifact, separate from any stdout narration. This is structurally cleaner than what we have for Claude (where stdout is the artifact). Worth confirming in the probe whether -o writes only the final message or wraps it.
Phase 0 follow-up on 2026-05-04 verified the implemented adapter shape:
codex exec --ignore-user-config --ignore-rules --sandbox read-only --ephemeral --color never -C <target-repo> -o <artifact-path> -
The prompt is sent through stdin with codex exec -, and -o produced the
final plan artifact. With the lane prompt updated to permit targeted read-only
inspection, Codex inspected the target repository and referenced the actual
package.json script test running jest.
- Can Switchyard safely create a Codex home that has auth material but no
AGENTS.md? Answer for Phase 0: yes, copyingauth.jsoninto a managedCODEX_HOMEwas sufficient for real adapter runs while omitting managed-homeAGENTS.md. - Can project
AGENTS.mddiscovery be avoided reliably by running from a harness-owned non-repo directory while passing only explicit artifact paths, or does that break useful repo access? - Does
-ocapture only the final message, or include any wrapper / formatting? Answer for Phase 0: real adapter verification produced a clean markdown final-message artifact at01-codex-plan.md. - Does Codex's stdout in
--ephemeralmode emit narration, banners, or tool-call traces that Switchyard should ignore when-ois present? - What cheap/current models are actually available to this account? Use
codex debug modelsfor the account catalog;codex debug models --bundledonly shows the binary's bundled catalog.
Usage: codex exec [OPTIONS] [PROMPT]
codex exec [OPTIONS] <COMMAND> [ARGS]
Commands:
resume Resume a previous session by id or pick the most recent with --last
review Run a code review against the current repository
help Print this message or the help of the given subcommand(s)
Arguments:
[PROMPT]
Initial instructions for the agent. If not provided as an argument (or if `-` is used), instructions are read from stdin. If stdin is piped and a prompt is also
provided, stdin is appended as a `<stdin>` block
Options:
-c, --config <key=value>
Override a configuration value that would otherwise be loaded from `~/.codex/config.toml`. Use a dotted path (`foo.bar.baz`) to override nested values. The `value`
portion is parsed as TOML. If it fails to parse as TOML, the raw string is used as a literal.
Examples: - `-c model="o3"` - `-c 'sandbox_permissions=["disk-full-read-access"]'` - `-c shell_environment_policy.inherit=all`
--enable <FEATURE>
Enable a feature (repeatable). Equivalent to `-c features.<name>=true`
--disable <FEATURE>
Disable a feature (repeatable). Equivalent to `-c features.<name>=false`
-i, --image <FILE>...
Optional image(s) to attach to the initial prompt
-m, --model <MODEL>
Model the agent should use
--oss
Use open-source provider
--local-provider <OSS_PROVIDER>
Specify which local provider to use (lmstudio or ollama). If not specified with --oss, will use config default or show selection
-p, --profile <CONFIG_PROFILE>
Configuration profile from config.toml to specify default options
-s, --sandbox <SANDBOX_MODE>
Select the sandbox policy to use when executing model-generated shell commands
[possible values: read-only, workspace-write, danger-full-access]
--dangerously-bypass-approvals-and-sandbox
Skip all confirmation prompts and execute commands without sandboxing. EXTREMELY DANGEROUS. Intended solely for running in environments that are externally sandboxed
-C, --cd <DIR>
Tell the agent to use the specified directory as its working root
--add-dir <DIR>
Additional directories that should be writable alongside the primary workspace
--skip-git-repo-check
Allow running Codex outside a Git repository
--ephemeral
Run without persisting session files to disk
--ignore-user-config
Do not load `$CODEX_HOME/config.toml`; auth still uses `CODEX_HOME`
--ignore-rules
Do not load user or project execpolicy `.rules` files
--output-schema <FILE>
Path to a JSON Schema file describing the model's final response shape
--color <COLOR>
Specifies color settings for use in the output
[default: auto]
[possible values: always, never, auto]
--json
Print events to stdout as JSONL
-o, --output-last-message <FILE>
Specifies file where the last message from the agent should be written
-h, --help
Print help (see a summary with '-h')
-V, --version
Print version