OpenAI Codex CLI
Use OpenAI's Codex command-line tool as a Cerevisor provider, ChatGPT subscription auth, sandbox modes, and the limits to know about.
The Codex CLI provider runs each agent by spawning codex exec --json as a subprocess. OpenAI's Codex owns the agentic loop, sandboxing, and auth, Cerevisor handles wave orchestration, dependency tracking, and inter-agent handoff. The main reason to use it: you have a ChatGPT Plus or Pro subscription and don't want to pay per-token for the same model when you're already paying monthly. Prerequisites Node.js (any recent LTS). Codex CLI installed: npm install -g @openai/codex . A ChatGPT Plus / Pro subscription (or an OpenAI API key; both auth modes are supported, but the subscription path is the typical case). Setup wizard Settings → Providers → + Add provider → Codex CLI. The wizard runs six steps: 1. Detect Cerevisor runs codex --version to confirm Codex is installed and reachable. On Windows, it auto-resolves the .cmd shim that npm install -g creates. 2. Auth status Runs codex login status to check whether you're already signed in. If you are, skip ahead. If not: 3. Device auth Click Start device auth . Cerevisor invokes codex login --device-auth . A URL and code appear; copy the code and open the URL in a browser, sign in to ChatGPT, paste the code. The wizard polls codex login status every 2 seconds and advances when sign-in completes. 4. Keyring config (optional) On supported platforms, the wizard offers to write Codex's auth into your OS keyring instead of the plain text file. Recommended. 5. Smoke test Cerevisor runs codex exec --json with a trivial prompt to confirm everything works end-to-end. The smoke test result is shown. 6. Save The provider becomes available. What Codex CLI runs When an agent uses the Codex CLI provider, Cerevisor invokes: codex exec --json \ --ephemeral \ --skip-git-repo-check \ --cd <project-folder> \ -c sandbox_mode=<read-only|workspace-write|danger-full-access> \ -c approval_policy=<untrusted|on-failure|on-request|never> \ --output-last-message <temp-file> \ - The prompt is piped via stdin (the - positional). --ephemeral disables Codex's session-rollout writer (so two Cerevisor agents using Codex don't conflict). Sandbox modes Cerevisor translates your workflow's permissions to Codex's sandbox_mode : Cerevisor permissions Codex sandbox_mode All filesystem set to Allow + execution set to Allow danger-full-access Workspace writes Allow, outside workspace blocked workspace-write Everything read-only read-only Approval policies Cerevisor derives approval_policy from the same WorkflowPermissions (file write + bash execution + web access), not from a single trust-profile selector. The common patterns: Cerevisor permissions Codex approval_policy File write + bash + web all Allow never File write Allow, bash blocked or web blocked on-failure Most categories Ask on-request Read-only across the board untrusted When in doubt, set the workflow permissions you actually want and let Cerevisor compute the matching Codex flags. Known v1 limitations These are the trade-offs of using Codex as your runner, k