CM-62984: Add Codex CLI support to ai-guardrails#436

Open
MaorDavidzon wants to merge 2 commits into main from CM-62984-add-codex-cli-support

MaorDavidzon (Contributor) commented Apr 20, 2026

Summary

  • Extend cycode ai-guardrails to support OpenAI Codex CLI alongside Cursor and Claude Code: installs ~/.codex/hooks.json for UserPromptSubmit, SessionStart, and PreToolUse:Bash; auto-enables [features] codex_hooks = true in ~/.codex/config.toml while preserving existing keys.
  • New canonical CommandExec event + handle_before_command_exec handler to scan shell commands the agent is about to run for secrets — closest Codex equivalent to the FileRead / McpExecution events (Codex's PreToolUse currently only intercepts Bash).
  • New module codex_config.py safely merges the feature flag via tomllib / tomli + tomli-w; CodexResponseBuilder reuses Claude Code response shapes verbatim (Codex accepts them).

Scope note

Codex hooks intercept UserPromptSubmit and PreToolUse:Bash only — not MCP calls or file reads. So FileRead and McpExecution canonical events cannot be wired for Codex today. This MR ships what's possible; coverage can expand as Codex extends its hook surface.

New direct deps

  • tomli-w (py3.9+) — TOML writer (stdlib has only a reader)
  • tomli (py<3.11 only) — backport of stdlib tomllib

Test plan

  • poetry run pytest tests/cli/commands/ai_guardrails/ -v — 150 passing (23 new)
  • poetry run pytest tests/ — 713 passing
  • ruff check + ruff format clean on all touched files
  • Cross-IDE isolation: a Cursor-shape payload piped into scan --ide codex is skipped ({} returned)
  • Manual E2E: install against Codex 0.45 on macOS, run codex exec — hook fires and Codex honors the response
  • CI green on this branch

🤖 Generated with Claude Code

Extend ai-guardrails hooks to cover OpenAI Codex CLI alongside Cursor and
Claude Code. Installs ~/.codex/hooks.json for UserPromptSubmit, SessionStart,
and PreToolUse:Bash events, and merges `[features] codex_hooks = true` into
~/.codex/config.toml while preserving existing keys. Adds a new canonical
CommandExec event for Bash command scanning since Codex's PreToolUse only
intercepts Bash today. CodexResponseBuilder reuses the Claude Code response
shapes (Codex accepts them verbatim). Adds tomli-w (and tomli on py<3.11)
as direct deps to manage the Codex TOML config safely.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
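
The PreToolUse:Bash check and the cross-IDE skip described in this pull request, as an added example that is not code from the PR or from the Cycode CLI. It assumes the hook payload fields (hook_event_name, tool_name, tool_input.command) and the deny response follow the Claude Code hook format that the description says Codex accepts; the regex detectors stand in for the real secret scanner, and find_secrets and handle_pre_tool_use are hypothetical names.

```python
import json
import re

# Stand-in detectors (assumption): the real CLI hands the text to Cycode's scanner.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "inline-credential": re.compile(
        r"(?i)\b(?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]?[^\s'\"]{8,}"
    ),
}

# Constructed sample payloads; the key is the AWS documentation example value.
CODEX_LEAK = json.dumps({"hook_event_name": "PreToolUse", "tool_name": "Bash",
    "tool_input": {"command": "aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE"}})
CODEX_CLEAN = json.dumps({"hook_event_name": "PreToolUse", "tool_name": "Bash",
    "tool_input": {"command": "ls -la /tmp"}})
# Assumed Cursor-style shape: different event name, command at the top level.
CURSOR_LEAK = json.dumps({"hook_event_name": "beforeShellExecution",
    "command": "export API_KEY=abcd1234efgh5678"})


def find_secrets(command: str) -> list:
    """Return the names of matching detectors, never the matched text."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(command))


def handle_pre_tool_use(raw_payload: str) -> dict:
    """Return a deny response for a leaking Bash command, {} otherwise."""
    try:
        payload = json.loads(raw_payload)
    except json.JSONDecodeError:
        return {}
    if not isinstance(payload, dict):
        return {}
    # Cross-IDE isolation: ignore anything that is not the PreToolUse:Bash shape.
    if payload.get("hook_event_name") != "PreToolUse" or payload.get("tool_name") != "Bash":
        return {}
    tool_input = payload.get("tool_input")
    command = tool_input.get("command") if isinstance(tool_input, dict) else None
    hits = find_secrets(command) if isinstance(command, str) else []
    if not hits:
        return {}
    # The reason names the detector only, so the secret is not echoed into logs.
    return {"hookSpecificOutput": {
        "hookEventName": "PreToolUse",
        "permissionDecision": "deny",
        "permissionDecisionReason": "Possible secret in command: " + ", ".join(hits),
    }}
```
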