Codexel can enforce your own rules-based execution policy before it runs shell commands. Policies live in .rules files under ~/.codexel/rules.
Codexel will present the option to whitelist commands when a command causes a prompt.
Whitelisted commands will no longer require your permission to run in current and subsequent sessions.
Under the hood, when you approve and whitelist a command, Codexel will edit ~/.codexel/rules/default.rules.
- Create a policy directory: `mkdir -p ~/.codexel/rules`.
- Add one or more `.rules` files in that folder. Codexel automatically loads every `.rules` file in there on startup.
- Write `prefix_rule` entries to describe the commands you want to allow, prompt, or block:

```starlark
prefix_rule(
    pattern = ["git", ["push", "fetch"]],
    decision = "prompt",  # allow | prompt | forbidden
    match = [["git", "push", "origin", "main"]],  # examples that must match
    not_match = [["git", "status"]],  # examples that must not match
)
```

- `pattern` is a list of shell tokens, evaluated from left to right; wrap tokens in a nested list to express alternatives (for example, match both `push` and `fetch`).
- `decision` sets the severity; Codex picks the strictest decision when multiple rules match (forbidden > prompt > allow).
- `match` and `not_match` act as optional unit tests. Codex validates them when it loads your policy, so you get feedback if an example has unexpected behavior.
In this example rule, if Codex wants to run commands with the prefix git push or git fetch, it will first ask for user approval.
Use the codexel execpolicy check subcommand to preview decisions before you save a rule (see the codex-execpolicy README for syntax details):
```shell
codexel execpolicy check --rules ~/.codexel/rules/default.rules git push origin main
```

Pass multiple `--rules` flags to test how several files combine, and use `--pretty` for formatted JSON output. See the codex-rs/execpolicy README for a more detailed walkthrough of the available syntax.
Example output when a rule matches:
```json
{
  "matchedRules": [
    {
      "prefixRuleMatch": {
        "matchedPrefix": ["git", "push"],
        "decision": "prompt"
      }
    }
  ],
  "decision": "prompt"
}
```

When no rules match, `matchedRules` is an empty array and `decision` is omitted.
```json
{
  "matchedRules": []
}
```

`execpolicy` commands are still in preview. The API may have breaking changes in the future.
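
The matching and combination behavior described above, modelled in Python as an added example (not Codexel's own code and not part of the original page): token-prefix matching with alternatives, load-time validation of `match`/`not_match`, and strictest-decision-wins. The function names and the second, force-push rule are assumptions made for illustration.

```python
# Illustrative model of the prefix_rule semantics described on this page.
# Not Codexel's implementation; all function names here are hypothetical.
SEVERITY = {"allow": 0, "prompt": 1, "forbidden": 2}  # forbidden > prompt > allow

def matched_prefix(pattern, command):
    """Return the leading tokens of command that pattern matched, else None."""
    if len(command) < len(pattern):
        return None
    for slot, token in zip(pattern, command):
        alternatives = slot if isinstance(slot, list) else [slot]
        if token not in alternatives:
            return None
    return command[:len(pattern)]

def prefix_rule(pattern, decision, match=(), not_match=()):
    """Build a rule and validate its inline examples, as a policy load would."""
    if decision not in SEVERITY:
        raise ValueError(f"unknown decision: {decision!r}")
    for example in match:
        if matched_prefix(pattern, example) is None:
            raise ValueError(f"match example does not match: {example}")
    for example in not_match:
        if matched_prefix(pattern, example) is not None:
            raise ValueError(f"not_match example matches: {example}")
    return {"pattern": pattern, "decision": decision}

def check(rules, command):
    """Evaluate command against every rule; the strictest matching decision wins."""
    hits = []
    for rule in rules:
        prefix = matched_prefix(rule["pattern"], command)
        if prefix is not None:
            hits.append({"prefixRuleMatch": {"matchedPrefix": prefix,
                                             "decision": rule["decision"]}})
    result = {"matchedRules": hits}
    if hits:  # decision is omitted when nothing matches
        result["decision"] = max((h["prefixRuleMatch"]["decision"] for h in hits),
                                 key=SEVERITY.get)
    return result

# Constructed policy: the page's rule plus a stricter, made-up force-push rule.
RULES = [
    prefix_rule(["git", ["push", "fetch"]], "prompt",
                match=[["git", "push", "origin", "main"]],
                not_match=[["git", "status"]]),
    prefix_rule(["git", "push", "--force"], "forbidden"),
]
```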