Governed Codex CLI in 3 Minutes
Codex CLI is OpenAI’s terminal coding agent — analogous to Claude Code, similar hook protocol, similar deployment shape. And one meaningful governance differentiator: auto-approve mode keeps the hook firing.
Where Claude Code’s --dangerously-skip-permissions disables every hook entirely (including ACP’s audit layer), Codex CLI’s --auto suppresses the interactive prompt but lets hooks continue to run. For teams deploying unattended coding agents, that’s the difference between full audit and an audit-silence gap.
The 3-minute setup
One command:
curl -sf https://agenticcontrolplane.com/install.sh | bash
The installer detects Codex CLI, writes ~/.acp/govern.mjs as a Node hook, and registers it for both PreToolUse and PostToolUse events in ~/.codex/config.json. It also opens your browser to provision (or connect to) your ACP workspace.
Restart Codex and every tool call — Bash, Edit, Write, MCP, file operations — passes through /govern/tool-use before dispatch.
What you get for free
Open the ACP dashboard → Activity. One row per tool call, one audit log per user, across every Codex CLI session on your team:
- Identity per call — bearer token from ~/.acp/credentials, never mixed up across sessions
- Workspace policy enforcement — Alice can run fs.delete on her dev machine, Bob can’t
- Rate limits — per user, per tool, per tier
- PII detection — on tool input and output
- Delegation chain — when Codex spawns subagents, the chain is captured in the hook payload
- Session grouping — related tool calls group by session_id so you can trace a logical task end-to-end
Where Codex + ACP beats Claude Code + ACP
For interactive use, the two score identically on AgentGovBench — both 43/48. Same hook protocol, same decisions.
The split happens in unattended mode:
| | Claude Code --dangerously-skip-permissions | Codex CLI --auto |
|---|---|---|
| Interactive prompt | Suppressed | Suppressed |
| ACP hook fires | No ❌ | Yes ✓ |
| Audit log populates | No | Yes ✓ |
If you’re running CI tasks, scheduled jobs, batch processing, or any unattended code-execution workflow, Codex preserves audit where Claude Code silently drops it. We covered the Claude Code gap separately — it’s a real production concern.
Hook behaviour worth knowing
Like Claude Code, ACP’s Codex hook is fail-closed by default — if the gateway is unreachable, the tool call is denied rather than allowed through ungoverned. Anthropic and OpenAI both chose safety over availability for their agent CLIs, and ACP respects that choice.
If you need fail-open for a specific tool or tier (e.g., for development availability), set it server-side in the policy; the hook honours what the server returns.
What happens if you stop the hook?
If a user deletes ~/.acp/govern.mjs or edits ~/.codex/config.json to remove it, the hook stops firing. No client-side governance product can fully prevent a user from opting out of their own hook. You mitigate this the same way you mitigate any client-side governance bypass: server-side anomaly detection on audit-log silence for a user who was previously active.
ACP’s Activity → Anomalies dashboard (shipping in two weeks) alerts on exactly this pattern.
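The server-side check described above, sketched as an added example (not ACP's implementation or code from this page): it flags users who had tool-call activity on several distinct days and then produced no audit rows for a set period. The row fields, thresholds and sample data are constructed assumptions.

```javascript
// Constructed audit rows. The field names (user, tool, ts) are assumptions
// for this sketch, not ACP's export schema.
const SAMPLE_ROWS = [
  ["alice", "2025-01-04T10:00:00Z"], ["alice", "2025-01-05T11:30:00Z"],
  ["alice", "2025-01-06T14:00:00Z"], ["alice", "2025-01-07T09:00:00Z"],
  ["bob", "2025-01-06T08:00:00Z"], ["bob", "2025-01-07T08:00:00Z"],
  ["bob", "2025-01-08T08:00:00Z"], ["bob", "2025-01-10T09:00:00Z"],
  ["carol", "2025-01-05T16:00:00Z"],   // one-off user, no baseline
  ["dave", "2025-01-01T10:00:00Z"],    // older than the look-back window
].map(([user, ts]) => ({ user, tool: "Bash", ts }));
const SAMPLE_NOW = "2025-01-10T12:00:00Z";
const HOUR_MS = 3600 * 1000;

// Returns users with an established baseline whose audit trail has gone quiet.
function findSilentUsers(rows, now, opts = {}) {
  const { baselineDays = 7, minActiveDays = 3, silenceHours = 48 } = opts;
  const nowMs = Date.parse(now);
  const baselineStart = nowMs - baselineDays * 24 * HOUR_MS;
  const perUser = new Map();
  for (const row of rows) {
    const t = Date.parse(row.ts);
    // Skip unparseable, future-dated, and out-of-window rows.
    if (Number.isNaN(t) || t > nowMs || t < baselineStart) continue;
    const u = perUser.get(row.user) ?? { days: new Set(), last: 0 };
    u.days.add(new Date(t).toISOString().slice(0, 10)); // UTC calendar day
    u.last = Math.max(u.last, t);
    perUser.set(row.user, u);
  }
  const alerts = [];
  for (const [user, u] of perUser) {
    const silentHours = Math.floor((nowMs - u.last) / HOUR_MS);
    // "Previously active" = enough distinct active days; a single burst
    // of calls on one day does not establish a baseline.
    if (u.days.size >= minActiveDays && silentHours >= silenceHours) {
      alerts.push({ user, activeDays: u.days.size, silentHours,
                    lastSeen: new Date(u.last).toISOString() });
    }
  }
  return alerts.sort((a, b) => b.silentHours - a.silentHours);
}

console.log(findSilentUsers(SAMPLE_ROWS, SAMPLE_NOW));
```

A silence threshold shorter than a weekend will flag regular users every Monday morning, so tune silenceHours per team or pair the alert with a calendar check.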
Next steps:
- Codex CLI integration guide — install details and troubleshooting
- Codex CLI scorecard — 43/48 on AgentGovBench
- Governance in Three Minutes series — one install, every framework