Bonus Module · After M10 · CLI Comparison Track
BONUS
AI CLI Tools Compared  ·  BONUS  ·  The Tool We Didn't Cover

OpenAI Codex: The Fourth Contender

This course compared three AI CLI tools. A fourth one earned a seat at the table: OpenAI Codex — a coding agent that lives in your terminal, your IDE, your GitHub PRs, and OpenAI's cloud. This bonus module gives Codex the same treatment the other three got: architecture, setup, security model, automation, pricing, and an honest verdict on where it fits in your stack.

OpenAI Codex
Claude Code
Gemini CLI
GitHub Copilot CLI
Section 1

The Fourth Contender

The band-reunion analogy

BEFORE: Think of a band that had one early hit, broke up, and disappeared for years. "Codex" was originally a 2021 OpenAI model — the engine inside the first GitHub Copilot. By 2023 the original Codex model was deprecated and most developers assumed the name was retired for good.

PAIN: Meanwhile the agentic coding race took off without it. Claude Code defined the autonomous-terminal-agent category, Gemini CLI made it free, and Copilot owned the IDE. If you only studied those three, you had a complete map of the landscape — until 2025, when the map changed.

MAPPING: In 2025 OpenAI brought the name back as something entirely different: Codex the agent — an open-source Rust CLI, a cloud agent that runs tasks in parallel containers, an IDE extension, and a GitHub code reviewer — all under one subscription. The band is back together, with a new sound, and it is competing directly with Claude Code for the "autonomous agent" job in your stack.

From deprecated model to four-surface agent — the Codex timeline

Why this matters for you: if you finished M10 and built a hybrid stack around Claude Code + Gemini CLI + Copilot, Codex is the one tool that could displace a slot in that stack — specifically the autonomous-agent slot. It is the closest architectural sibling to Claude Code of any tool on the market, and it comes bundled "free" with a ChatGPT subscription that millions of developers already pay for. That bundling is the single biggest strategic fact about Codex: for a developer already on ChatGPT Plus, the marginal cost of trying a second autonomous agent is $0.

Naming alert: "Codex" means three different things in the wild

(1) The deprecated 2021 model — ignore anything written about it; (2) the product family (CLI + IDE extension + cloud + code review) — what this module covers; (3) the models that power it (GPT-5.3-Codex and friends). When you read a blog post about "Codex," check the date and which of the three it means. Pre-2025 content is about a different product.

Section 2

How Codex Thinks — Architecture vs. the Other Three

Codex follows the same fundamental design as Claude Code: an agentic loop in your terminal that reads your repo, edits files, runs commands, observes the output, and iterates. Where it differs is in how many surfaces share that loop and how the security boundary is drawn (Section 4).

The four surfaces

  • Codex CLI — the terminal agent, open-source and written in Rust. The direct competitor to Claude Code and Gemini CLI.
  • Codex IDE extension — VS Code / Cursor sidebar with the same agent, sharing context with your editor.
  • Codex cloud — tasks run in isolated cloud containers on OpenAI's infrastructure. You can fire off several tasks in parallel from your phone or browser and review the resulting PRs later. None of the other three tools shipped this as a first-class surface.
  • Codex code review — enable it on a GitHub repo and mention @codex in a PR to get an autonomous review pass.

Project memory: AGENTS.md

Just as Claude Code reads CLAUDE.md and Gemini CLI reads GEMINI.md, Codex reads AGENTS.md — and this one is an open convention that other tools have adopted too. Codex merges instructions hierarchically: a global ~/.codex/AGENTS.md, then the repo root, then nested folders, with deeper files taking precedence — the same layered model you learned for CLAUDE.md in M03.

Dimension OpenAI Codex Claude Code Gemini CLI Copilot CLI
Project memory AGENTS.md (open convention) CLAUDE.md GEMINI.md copilot-instructions.md
Config file ~/.codex/config.toml .claude/settings.json settings.json + extensions GitHub account settings
Implementation Rust (open source) Node.js (closed source CLI) Node.js (open source) Node.js
Cloud agent surface Yes — parallel container tasks Claude Code on the web / cloud sessions No first-class equivalent Copilot coding agent (GitHub-hosted)
PR code review @codex on GitHub GitHub Action / /review Gemini Code Assist for GitHub Copilot code review
MCP support Client + can act as MCP server Full client + server ecosystem Client via extensions Limited, GitHub-centric
Auth model ChatGPT sign-in or API key Claude.ai OAuth or API key Google OAuth (free tier) or API key GitHub account
Conceptual bridge: everything you learned in M03 and M06 transfers

If you understood CLAUDE.md hierarchies (M03) and the agentic loop with approval gates (M06), you already understand 80% of Codex. The remaining 20% — the sandbox/approval split, config.toml, and credit billing — is what the next three sections cover. This is the payoff of learning concepts rather than memorizing tool commands: the fourth tool costs you an evening, not a course.

Section 3

Setup & Configuration

Installation follows the same pattern you used in M02 for the other tools. Codex offers an npm package and a Homebrew formula. On first launch it asks you to sign in — and here you face the same fork as Claude Code: subscription sign-in (use your ChatGPT plan, no per-token bills) or API key (pay per token, required for CI).

PowerShell
# WHAT: Install the Codex CLI globally via npm
# WHY:  Same install pattern as Claude Code and Gemini CLI (M02)
# GOTCHA: Codex's sandbox is strongest on macOS/Linux. On Windows,
#         running inside WSL gives you the full Linux sandbox;
#         native PowerShell works but with weaker isolation guarantees.
npm install -g @openai/codex

# WHAT: Start Codex — first run opens a browser to sign in
# WHY:  "Sign in with ChatGPT" uses your existing plan (Plus/Pro/Business)
#       with no separate API billing
codex

# WHAT: Check version and verify your environment
codex --version
bash / zsh
# WHAT: Install the Codex CLI (npm or Homebrew — pick one)
# WHY:  npm matches the other CLIs in this course; brew auto-updates
# GOTCHA: If npm -g fails with EACCES, use nvm instead of sudo
npm install -g @openai/codex
# or:
brew install codex

# WHAT: Start Codex — first run triggers the ChatGPT OAuth flow
# WHY:  Subscription auth = no per-token bills; API key = usage billing
codex

# WHAT: Verify the install
codex --version
No hardcoded API keys — same rule as every module in this course

If you use API-key auth (needed for CI), set OPENAI_API_KEY as an environment variable or CI secret. Never write it into config.toml, AGENTS.md, or any file that gets committed. The M08 secrets-handling patterns apply unchanged.

config.toml — Codex's settings file

Claude Code uses JSON (.claude/settings.json); Codex uses TOML, stored at ~/.codex/config.toml. The three keys that matter most are the model, the sandbox mode, and the approval policy — the last two are explained in depth in Section 4.

~/.codex/config.toml
# WHAT: The three keys you will actually touch
# WHY:  Everything else has sensible defaults
# GOTCHA: TOML, not JSON — no braces, no quoted keys

model = "gpt-5.3-codex"          # default agent model (2026)
sandbox_mode = "workspace-write" # what Codex CAN do (Section 4)
approval_policy = "on-request"   # when Codex must ASK (Section 4)

# WHAT: Let Codex write outside the repo in specific places only
# WHY:  workspace-write blocks everything outside the working dir by default
[sandbox_workspace_write]
writable_roots = ["/tmp/scratch"]

# WHAT: Wire up an MCP server — same protocol you learned in M07
# WHY:  Codex is an MCP client; servers configured here appear as tools
# GOTCHA: Claude Code puts this in JSON; Codex uses a TOML table
[mcp_servers.postgres]
command = "npx"
args = ["-y", "@modelcontextprotocol/server-postgres"]
env = { DATABASE_URL = "postgresql://localhost/dev" }

AGENTS.md — your CLAUDE.md knowledge, transplanted

AGENTS.md (repo root)
# Project: order-tracking-api

## Build & test
- Install: `npm ci`
- Test: `npm test` — ALWAYS run before declaring a task done
- Lint: `npm run lint -- --fix`

## Conventions
- TypeScript strict mode; no `any` without a comment justifying it
- All API handlers must validate input with zod before touching the DB
- Error responses follow RFC 7807 (problem+json)

## Boundaries
- Never edit `migrations/` — generate new migrations instead
- Secrets live in env vars only; flag any hardcoded credential you find
What just happened?

You installed Codex, authenticated against your ChatGPT plan, set three lines of config.toml, and wrote an AGENTS.md. That is the complete onboarding — functionally identical to the Claude Code setup from M02, with TOML swapped for JSON and AGENTS.md swapped for CLAUDE.md. If your team already maintains a CLAUDE.md, you can start by copying its contents into AGENTS.md nearly verbatim; the instructions are tool-agnostic prose either way.

Section 4

Sandbox & Approvals — Codex's Two-Layer Security Model

This is the most genuinely different thing about Codex, and the part worth slowing down for. Claude Code's permission system asks one question: "may I run this?" Codex splits security into two independent layers:

  • Layer 1 — Sandbox mode — what Codex can technically do, enforced by the operating system. Even a confused or manipulated model cannot write outside the sandbox.
  • Layer 2 — Approval policy — when Codex must stop and ask you before acting, even for things the sandbox would allow.
The hotel-keycard analogy

BEFORE: Imagine a hotel where staff supervision is the only security: a manager watches every employee and approves each door they open. It works, but the manager is a bottleneck, and if the manager gets distracted, any door can be opened.

PAIN: Pure supervision doesn't scale, and pure trust is dangerous. You want a porter to deliver luggage to floor 3 without asking permission at every door — but you also want it to be physically impossible for their keycard to open the vault, no matter what anyone tells them.

MAPPING: The sandbox is the keycard — the OS decides which doors can open at all (your repo: yes; ~/.ssh: no; the network: only if you grant it). The approval policy is the manager — deciding which actions still need a human nod even though the keycard would work. Claude Code's permission prompts are primarily the manager; Codex gives you the manager and a hardware keycard, configured independently.

Two dials, three presets — how sandbox mode and approval policy combine

The three sandbox modes

  • read-only — Codex can read files and answer questions but cannot edit or execute anything that changes state. The "explore a new codebase" mode.
  • workspace-write — the everyday default. Codex can read, edit, and run commands inside the working directory; anything outside (other folders, the network) requires escalation and your approval.
  • danger-full-access — no OS sandbox at all. The name is the documentation. Use only inside an already-isolated environment such as a disposable container.

The default Auto preset combines workspace-write with an on-request approval policy: Codex works autonomously inside the repo and interrupts you only when it wants to leave the workspace or reach the network. Compare that with Claude Code's default behavior of prompting per-tool-category, or Gemini CLI's plan-then-execute flow from M06 — three different answers to the same trust question.

Why "the model seems careful" is not a security model

Prompt injection (M06) is the reason the OS-level sandbox matters: if a malicious instruction hidden in a README tells the agent to exfiltrate ~/.aws/credentials, a well-aligned model will probably refuse — but a sandbox makes the read physically fail. Defense in depth means never relying on layer 2 (judgment) when layer 1 (enforcement) can do the job. This principle applies to every tool in this course; Codex just makes the two layers unusually explicit and separately configurable.

Section 5

Headless, Cloud & CI

In M08 you built GitHub Actions pipelines with claude -p and gemini in headless mode. Codex's equivalent is codex exec: it runs one task non-interactively and exits, which makes it scriptable in any pipeline.

bash — codex exec
# WHAT: Run a one-shot, non-interactive Codex task
# WHY:  No TUI, no prompts — suitable for scripts and CI
# GOTCHA: In CI there is no human to approve escalations, so the task
#         must fit inside the sandbox you grant it up front
codex exec "Run the test suite; if any test fails, fix the code (not the test) and re-run until green"

# WHAT: Same, but with explicit sandbox + JSON output for parsing
codex exec --sandbox workspace-write --json \
  "Summarize the diff between HEAD and main as release notes" \
  > release-notes.json || {
    echo "codex exec failed — check auth and rate limits" >&2
    exit 1
  }
.github/workflows/codex-review.yml
# WHAT: Minimal PR-review job using Codex in headless mode
# WHY:  Mirrors the M08 pattern you built for Claude Code and Gemini CLI
# GOTCHA: CI requires API-key auth (OPENAI_API_KEY secret) —
#         your ChatGPT subscription login does not work headless in CI
name: codex-pr-review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }
      - run: npm install -g @openai/codex
      - name: Review the diff
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: |
          codex exec --sandbox read-only \
            "Review the diff between origin/main and HEAD for bugs,
             security issues, and missing error handling.
             Output a markdown review." > review.md \
          || { echo "review failed" >&2; exit 1; }
      - name: Post review comment
        uses: marocchino/sticky-pull-request-comment@v2
        with: { path: review.md }

The two surfaces the other tools don't match

  • Codex cloud — kick off tasks ("fix issue #142", "add tests for the parser") that run in parallel, isolated cloud containers, each producing a reviewable PR. It turns the agent from a pair-programmer into a small queue of background workers. The honest caveat: cloud containers don't have your local environment, so tasks needing unusual system dependencies are better run locally.
  • GitHub code review — once enabled for a repo, commenting @codex review on any PR triggers an autonomous review. This overlaps with what you built manually in M08 — a build-vs-buy question: the hand-rolled pipeline is customizable and model-agnostic; the built-in reviewer is zero-maintenance.
What just happened?

You saw the full automation surface: codex exec for scripted one-shots, a GitHub Actions job identical in shape to your M08 pipelines, cloud tasks for parallel background work, and @codex for turnkey PR review. The mental model from M08 — headless mode + secret-based auth + explicit failure handling — transferred without modification. Only the binary name changed.

Section 6

Pricing & Models (as of mid-2026)

Codex pricing flows through your ChatGPT plan, and in April 2026 OpenAI switched Codex from per-message limits to credit-based billing — your monthly allowance is consumed in proportion to actual token usage, so one giant refactor can cost as much as dozens of small Q&A tasks.

PlanPriceWhat it means for Codex
Free / Go$0 / ~$8 moTaste-test allowances — fine for evaluating, not for daily agentic work
ChatGPT Plus$20/moThe mainstream tier: enough monthly credits for regular (not heavy) agent use across CLI, IDE, and cloud
ChatGPT Pro$100/mo (5×) or $200/mo (20×)Heavy daily agentic work, parallel cloud tasks, access to research-preview models
Business / Enterpriseper-seat / customPooled credits, admin controls, compliance paperwork for procurement
API key (no subscription)pay per tokenRequired for CI; bills like any other API usage — the M09 token-economics math applies directly

The model lineup

The default agent model in mid-2026 is GPT-5.3-Codex — a variant tuned specifically for long-horizon coding work rather than chat. Lighter tasks can run on the cheaper GPT-5.4-mini, and Pro subscribers get research-preview variants early. The strategic note: OpenAI versions its Codex models on a separate track from its chat models, exactly as Anthropic tunes Claude models for agentic coding — both vendors now treat "coding agent" as a distinct model category, which tells you where the investment is going.

Monthly cost of the autonomous-agent slot — typical single developer, mid-2026
The "marginal zero" effect — the number that actually decides adoption

A developer already paying $20/mo for ChatGPT gets Codex at $0 marginal cost. That is the same dynamic that made Gemini CLI's free tier spread (M09): the tool that costs nothing extra gets tried first, regardless of benchmark scores. When you model TCO for a team, ask "what are people already subscribed to?" before comparing sticker prices — the M09 spreadsheet needs a column for sunk subscriptions.

Section 7

Where Codex Fits in Your Stack

M10's core lesson was that the tools compete for jobs, not loyalty. Codex competes almost entirely for one job — the autonomous-agent slot — which until now defaulted to Claude Code. Honest guidance, in the spirit of "this is not a ranking":

Choose Codex when…
Your team already lives on ChatGPT
If everyone has Plus/Pro/Business seats, the agent slot is already paid for. Trying Codex before adding a second vendor invoice is the rational first move — and AGENTS.md is a 10-minute port of your CLAUDE.md.
Choose Codex when…
You want parallel background tasks
Codex cloud's fire-and-forget container tasks (several PRs brewing while you do other work) is its most differentiated surface. If your backlog is full of small, well-specified fixes, this workflow is genuinely new.
Stay with Claude Code when…
Deep multi-step reasoning is the bottleneck
For complex refactors, architecture reviews, and security analysis — the M06/M10 "hard work" category — Claude Code's agentic loop, subagents, hooks, and MCP ecosystem remain the most mature. Run your own bake-off on your own repo before switching the slot.
Keep Gemini CLI / Copilot when…
The job was never "autonomous agent"
Codex does not displace Gemini CLI's free CI automation or Copilot's inline completions. The M10 hybrid stack keeps those slots unchanged; Codex only contests the agent slot.

The bake-off protocol: the capstone asked you to build the same app with three tools. Extend it: take the same spec, run it through codex with the Auto preset, and score it on the same rubric — time to working code, correctness, error handling, and how often you had to intervene. One evening of measurement on your codebase beats any benchmark chart, including the ones in this course.

Shelf-life warning

This bonus module describes mid-2026 reality: GPT-5.3-Codex as default, credit billing since April 2026, the four-surface product. Codex is evolving as fast as the other three tools — treat specific model names and plan limits as snapshots, and re-verify against developers.openai.com/codex before making purchasing decisions. The architecture concepts (two-layer security, AGENTS.md, headless exec) are the durable knowledge.

Knowledge Check

Five questions on Codex — and on how it changes the conclusions you drew in M09 and M10.

Question 1 of 5
A teammate finds a 2022 tutorial titled "Getting started with OpenAI Codex" and asks if it's a good intro to the tool covered in this module. What do you tell them?
Correct. The name "Codex" was reused. The 2021 Codex was a code-completion model that powered the original GitHub Copilot and was deprecated in 2023. The Codex this module covers is the agentic product family OpenAI launched in 2025 — open-source Rust CLI, IDE extension, cloud container tasks, and @codex PR review — powered by dedicated coding models like GPT-5.3-Codex. A 2022 tutorial describes a product that no longer exists; always check publication dates when researching "Codex."
Question 2 of 5
In Codex's security model, what is the difference between sandbox_mode and approval_policy?
Correct. This is the two-layer model: the sandbox (Apple Seatbelt on macOS, Landlock/seccomp on Linux) makes forbidden actions physically fail at the OS level, while the approval policy decides which allowed actions still require a human nod. The layers are configured independently — the default Auto preset is workspace-write + on-request. The defense-in-depth lesson: never rely on model judgment (layer 2) for guarantees that OS enforcement (layer 1) can provide, because prompt injection attacks target judgment, not kernels.
Question 3 of 5
Your team wants to add a Codex-powered review step to GitHub Actions. A teammate says "easy — we all have ChatGPT Plus, so CI is covered." What's wrong with that plan?
Correct. The same subscription-vs-API fork applies to all the tools in this course: interactive subscription auth covers a human at a terminal, while CI needs a non-interactive credential — an API key stored as a CI secret — billed per token. Codex runs headless via codex exec (with the sandbox granted up front, since nobody is present to approve escalations). Alternatively, the built-in @codex GitHub review feature can cover the review use case without maintaining your own pipeline.
Question 4 of 5
After the April 2026 billing change, a developer on ChatGPT Plus runs one massive repo-wide refactor and finds most of their monthly Codex allowance gone. Why?
Correct. Under credit billing, usage tracks real token consumption — input tokens (the code the agent reads) plus output tokens (what it writes), with heavier models burning credits faster. A repo-wide refactor forces the agent to read huge amounts of context across many loop iterations, which is exactly the workload that drains a credit pool. This is the same token-economics intuition you built in M09 for Claude Code's API billing — credit systems just hide the dollar signs, not the math. For sustained heavy work: Pro tiers (5x/20x) or API-key billing.
Question 5 of 5
A 6-person startup pays for ChatGPT Business seats (for general AI use) and currently follows this course's M10 hybrid stack: Claude Code (agent) + Gemini CLI (free CI) + Copilot (IDE). What is the most rational way to evaluate Codex?
Correct. Codex competes for one slot in the hybrid stack — the autonomous agent — not for Gemini's free-CI slot or Copilot's completions slot. Because the team already pays for ChatGPT Business, trying Codex costs $0 marginal (the "sunk subscription" effect). The disciplined move is a measured bake-off: same tasks, same repo, same rubric (time to working code, correctness, interventions needed), then keep whichever agent wins on their codebase. That is M10's decision framework applied to a new entrant — which is exactly how you should handle the fifth contender when it arrives.