Codex CLI Rules
Overview
Author and maintain Codex CLI .rules (Starlark) with safe defaults, clear intent, and testable boundaries. Keep policies reviewable and operationally predictable.
Workflow
- Collect target commands from the user's workflow and current friction points.
- Classify each command as `allow`, `prompt`, or `forbidden`.
- Draft narrow `prefix_rule(...)` blocks with explicit justifications.
- Add `match` and `not_match` examples for every rule.
- Validate rule behavior, then return the final rule blocks plus rationale.
Safety Model
- Apply least privilege first.
- Default to `prompt` when risk or intent is unclear.
- Use `allow` only for low-risk, frequent operations.
- Use `forbidden` for destructive, privilege-escalation, or secret-exfiltration paths.
- Resolve overlaps with the strictness order `forbidden > prompt > allow`.
Command Classification
- `allow`: read-only and low-impact operations (for example `git status`, `git diff`, `git log`, `rg`, `ls`).
- `prompt`: valid but impactful operations (for example networked writes, remote updates, deployment actions).
- `forbidden`: high-risk operations without safe defaults (for example destructive deletion, raw disk operations, escalation commands, obvious secret-exposure paths).
Rule Authoring Standards
- Use exact argv prefix matching in `pattern`.
- Keep one responsibility per rule.
- Keep prefixes narrow (prefer `["git", "status"]` over `["git"]`).
- Write a concise `justification` that includes the risk context.
- Add realistic `match` and `not_match` examples for every rule.
- Prefer separate human-managed files (for example `custom.rules`) over manual edits to `default.rules`.
Decision Heuristics
- Choose `prompt` when command effects touch external systems, network calls, or repository state changes.
- Choose `forbidden` when the blast radius is large or recovery is difficult.
- If a pattern captures unrelated commands, split it into smaller rules.
- If uncertain between `allow` and `prompt`, choose `prompt`.
Validation
- Ensure every rule has both positive and negative examples.
- Ensure nearby commands that must not match are listed in `not_match`.
- If available in the environment, run the ExecPolicy check flow from the Codex Rules docs before finalizing.
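As an added example (not Codex's own policy engine or its Starlark loader), here is a small Python model of the authoring and validation standards above: rules register by exact argv prefix, overlaps resolve with the strictness order `forbidden > prompt > allow`, and every rule's `match` and `not_match` examples are checked. Field names follow the page (`pattern`, `justification`, `match`, `not_match`); the `decision` keyword, the `evaluate`/`validate` helpers, and the fall-back to `prompt` for unmatched commands are assumptions, and the three sample rules are constructed.

```python
from typing import Dict, List

# Strictness order from the page: forbidden > prompt > allow.
STRICTNESS = {"forbidden": 3, "prompt": 2, "allow": 1}
RULES: List[Dict] = []

def prefix_rule(pattern, decision, justification, match=(), not_match=()):
    """Register one rule; argv is matched by exact prefix on `pattern`."""
    assert decision in STRICTNESS, f"unknown decision {decision!r}"
    RULES.append(dict(pattern=list(pattern), decision=decision,
                      justification=justification,
                      match=[list(m) for m in match],
                      not_match=[list(n) for n in not_match]))

def _matches(pattern, argv):
    """Exact argv prefix match: every pattern token equals the argv token."""
    return len(argv) >= len(pattern) and argv[:len(pattern)] == pattern

def evaluate(argv, default="prompt"):
    """Most restrictive decision among matching rules; `prompt` when none (assumed)."""
    hits = [r["decision"] for r in RULES if _matches(r["pattern"], argv)]
    return max(hits, key=STRICTNESS.get) if hits else default

def validate():
    """List problems: missing examples, or examples that do not behave as claimed."""
    problems = []
    for r in RULES:
        name = " ".join(r["pattern"])
        if not r["match"] or not r["not_match"]:
            problems.append(f"{name}: needs both match and not_match examples")
        for ex in r["match"]:
            if not _matches(r["pattern"], ex):
                problems.append(f"{name}: match example {ex} does not match")
        for ex in r["not_match"]:
            if _matches(r["pattern"], ex):
                problems.append(f"{name}: not_match example {ex} matches")
    return problems

# Constructed sample policy with narrow prefixes, as the page recommends.
prefix_rule(["git", "status"], "allow", "read-only repository state",
            match=[["git", "status", "--short"]], not_match=[["git", "push"]])
prefix_rule(["git", "push"], "prompt", "networked write to a remote",
            match=[["git", "push", "origin", "main"]],
            not_match=[["git", "status"]])
prefix_rule(["git", "push", "--force"], "forbidden",
            "rewrites remote history; recovery is difficult",
            match=[["git", "push", "--force", "origin", "main"]],
            not_match=[["git", "push", "origin", "main"]])
```

A forced push matches both the `prompt` and the `forbidden` rule, and the strictness order makes `forbidden` win; `validate()` returning an empty list is the check that every rule carries working positive and negative examples.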
Output Contract
Return:
- Complete `.rules` block(s) ready to paste.
- 1-3 lines describing safety boundaries and tradeoffs.
- A focused clarification question only when ambiguity blocks safe policy selection.
See references/rules-patterns.md for templates and anti-patterns.