
Codex CLI

Vectimus governs Codex CLI through its native PreToolUse hook system. Codex only exposes Bash shell commands to hooks today, so Vectimus cannot intercept file reads, writes or MCP calls made by Codex. That limit comes from the Codex CLI hook API, not Vectimus. Coverage will expand as OpenAI’s hook surface grows.

Support is experimental. Windows is unsupported upstream (Codex hooks are disabled on Windows).

Setup

vectimus init

If the codex binary is on your PATH, vectimus init detects it and writes two files in your project directory:

  • .codex/hooks.json — the hook configuration
  • .codex/config.toml — instructs Codex to read hooks from the project

The generated .codex/hooks.json:

{
  "hooks": {
    "PreToolUse": [
      {
        "command": "vectimus hook --source codex",
        "matcher": "Bash"
      }
    ]
  }
}

If you already have hooks in .codex/hooks.json, Vectimus merges its hook with your existing ones. Your custom hooks are preserved.
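To make the merge and remove behaviour concrete, the following is an added illustration (not Vectimus's own implementation) of what init and remove do to .codex/hooks.json: the Vectimus entry is appended once under PreToolUse, re-running changes nothing, and removal strips only entries whose command starts with `vectimus hook`, leaving your other hooks in place. That prefix rule, the helper names and the sample hooks.json content are assumptions made for the example.

```python
"""Illustration of the merge/remove behaviour described for .codex/hooks.json.

Added example, not Vectimus's own implementation. Recognising a Vectimus
entry by its command starting with "vectimus hook" is an assumption made
for this example.
"""
import copy
import json
import tempfile
from pathlib import Path

VECTIMUS_HOOK = {"command": "vectimus hook --source codex", "matcher": "Bash"}
VECTIMUS_PREFIX = "vectimus hook"  # assumed marker for "this entry is ours"


def merge_hook(doc: dict, hook: dict = VECTIMUS_HOOK, event: str = "PreToolUse") -> dict:
    """Return a copy of `doc` with `hook` present exactly once under hooks.<event>.

    Existing entries keep their order; merging into an already merged
    document is a no-op, so init can be re-run safely.
    """
    out = copy.deepcopy(doc)
    entries = out.setdefault("hooks", {}).setdefault(event, [])
    already = any(
        e.get("command") == hook["command"] and e.get("matcher") == hook["matcher"]
        for e in entries
    )
    if not already:
        entries.append(dict(hook))
    return out


def remove_hook(doc: dict, prefix: str = VECTIMUS_PREFIX) -> dict:
    """Return a copy of `doc` without entries whose command starts with `prefix`.

    Every event is scanned; event lists left empty are dropped, and all
    other entries are preserved verbatim.
    """
    out = copy.deepcopy(doc)
    hooks = out.setdefault("hooks", {})
    for event in list(hooks):
        kept = [e for e in hooks[event] if not str(e.get("command", "")).startswith(prefix)]
        if kept:
            hooks[event] = kept
        else:
            del hooks[event]
    return out


def load_hooks(path: Path) -> dict:
    """Read hooks.json, treating a missing file as an empty document."""
    return json.loads(path.read_text()) if path.exists() else {}


def write_hooks(path: Path, doc: dict) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(doc, indent=2) + "\n")


if __name__ == "__main__":
    # Constructed starting point: a project that already has its own hooks.
    existing = {
        "hooks": {
            "PreToolUse": [{"command": "./scripts/lint-command.sh", "matcher": "Bash"}],
            "PostToolUse": [{"command": "./scripts/audit.sh", "matcher": "Bash"}],
        }
    }
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / ".codex" / "hooks.json"  # stands in for the project file
        write_hooks(target, existing)
        write_hooks(target, merge_hook(load_hooks(target)))  # what init does
        print(target.read_text())
        write_hooks(target, remove_hook(load_hooks(target)))  # what remove does
        print(target.read_text())
```

Matching on the command string rather than on object identity is what makes both operations idempotent: a second init finds the entry already present, and remove never touches a hook it did not add.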

How it works

  1. Codex CLI fires the PreToolUse hook before every Bash shell call
  2. Codex passes the hook payload (tool name and command) to vectimus hook on stdin
  3. Vectimus normalises the payload, evaluates it against your Cedar policies and returns a decision
  4. On deny, Vectimus exits with code 2 and writes the rejection reason to stderr
  5. Codex CLI reads the rejection and blocks the command

Non-Bash tool calls (file reads, writes, MCP) are not intercepted by Codex hooks today. Vectimus allows those through without evaluation.
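The hook contract described above (JSON payload on stdin, exit 0 to allow, exit 2 plus a reason on stderr to block) can be exercised with a stand-in hook. The following is an added example, not Vectimus and not a Cedar evaluator: a few constructed deny rules stand in for a policy set, and the payload field names tool_name and tool_input.command are an assumption about the Codex payload rather than something this page documents. It also shows the pass-through for non-Bash tools and fails closed on a payload it cannot parse.

```python
"""Stand-in PreToolUse hook that honours the contract described above.

Added example, not Vectimus: constructed deny rules stand in for Cedar
policies, and the payload field names (tool_name, tool_input.command)
are an assumption about the Codex payload, not taken from this page.
"""
import json
import re
import sys

# Constructed rules standing in for a policy set: (pattern, reason).
DENY_RULES = [
    (re.compile(r"\brm\s+-\w*([rR]\w*f|f\w*[rR])\b"), "recursive force delete"),
    (re.compile(r"\bgit\s+push\b.*(--force\b|\s-f\b)"), "force push"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"), "piping downloaded content into a shell"),
]


def evaluate(payload: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for one hook payload.

    Only Bash is evaluated; any other tool passes through, mirroring the
    behaviour described for non-Bash tool calls.
    """
    if payload.get("tool_name") != "Bash":
        return True, "non-Bash tool call: not evaluated"
    command = (payload.get("tool_input") or {}).get("command", "")
    for pattern, reason in DENY_RULES:
        if pattern.search(command):
            return False, f"blocked by policy: {reason} ({command!r})"
    return True, "allowed"


def decide(raw: str) -> tuple[int, str]:
    """Map the raw stdin text to (exit_code, stderr_text).

    Exit 2 with a reason blocks the call; exit 0 allows it. A payload the
    hook cannot parse is blocked (fail closed) rather than silently allowed.
    """
    try:
        payload = json.loads(raw)
    except ValueError as exc:
        return 2, f"hook: cannot parse payload: {exc}"
    if not isinstance(payload, dict):
        return 2, "hook: payload is not a JSON object"
    allowed, reason = evaluate(payload)
    return (0, "") if allowed else (2, reason)


def main() -> int:
    code, message = decide(sys.stdin.read())
    if message:
        print(message, file=sys.stderr)
    return code


if __name__ == "__main__":
    # Try it: echo '{"tool_name":"Bash","tool_input":{"command":"rm -rf build"}}' | python3 hook.py; echo $?
    sys.exit(main())
```

Failing closed on an unparseable payload is a deliberate choice: a governance hook that allows whatever it cannot read is trivially bypassed by a malformed message. The same script, pointed at from a PreToolUse entry, is also a quick way to confirm that hooks are actually firing in a trusted project before wiring in the real policy set.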

What is covered

Codex CLI action     | Vectimus coverage
Bash shell commands  | Governed (classified to shell_command, git_operation, infrastructure, package_operation etc.)
File reads/writes    | Not intercepted by Codex hooks
MCP tool calls       | Not intercepted by Codex hooks

The same Cedar policies that govern Claude Code and Cursor apply to Codex Bash commands. No policy changes needed.

Trusted projects

Codex only reads .codex/config.toml in projects you have explicitly trusted. If your hooks are not firing, confirm the project is trusted in Codex.

Observe mode

To trial Vectimus without blocking:

vectimus observe on

All decisions are logged to ~/.vectimus/logs/ but tool calls proceed normally. Review the audit log, then switch to enforcement:

vectimus observe off

Remove hooks

vectimus remove

This strips Vectimus entries from .codex/hooks.json and .codex/config.toml while preserving your other hooks.