Description
What feature would you like to see?
When creating an approval block in the ~/.codex/config.toml like
[[approvals.rules]]
command = "git"
args_startswith = ["push", "origin", "fix/"]
You'd then expect git push origin fix/some-issue to pass without approval. However, the default CLI guidance (as reported by codex) is to use an argv looking like ["bash", "-lc", "git push origin fix/some-issue"]. This makes setting up the ~/.codex/config.toml really complicated as you have to imagine the various different ways that codex might trigger the command.
I'd like to see it be more consistent about not using the ["bash", "-lc", "git ..."] format OR for it to break the 3rd segment where it has a free form text command down to compare against the approval rules instead of requiring it to work with the "bash", "-lc" format.
Additional information
When asked to show its argv, Codex responded that it would use the bash -lc wrapper, leading to failed auto-approvals.
Upon being reminded of the project’s .github/copilot-instructions.md, Codex acknowledged that repository guidance takes precedence and switched to direct invocation (["git", "push", ...]).
This demonstrates that project-level guidance works — but the default behavior still causes confusion and unnecessary approval prompts before the agent “learns” to follow the rule.
Conversation below
› If I asked you codex --verbose run git push origin feature/issue-61-kmp-scaffold what is the exact argv array you would use?
• I'd invoke it via the shell helper, so the argv array passed to execvp would be:
["bash", "-lc", "codex --verbose run git push origin feature/issue-61-kmp-scaffold"]
› What would the git push origin feature/issue-61-kmp-scaffold end up as for an argv?
• ["bash", "-lc", "git push origin feature/issue-61-kmp-scaffold"]
› The .github/copilot-instructions.md explicitly asks you not to use the ["bash", "-lc", "git ..."] because it fucks with approvals via ~/.codex/config.toml
• Right, if we follow the repo guidance and skip the extra shell layer, the argv would simply be:
["git", "push", "origin", "feature/issue-61-kmp-scaffold"]
› would you follow the repo guidance? Because when I asked you the first time in this session you said you'd use the ["bash", "-lc" ... variant
• Yes—thanks for pointing it out. The repository’s .github/copilot-instructions.md takes precedence, so I’ll invoke commands directly (e.g., ["git","push","origin","feature/issue-61-kmp-scaffold"]) instead of wrapping them in ["bash","-lc", ...]. My earlier answers followed the CLI’s default guidance; now that I’ve got the project-specific rule, I’ll stick to it.
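The second option the issue asks for, comparing the third element of a ["bash", "-lc", "..."] argv against the approval rules, sketched as an added example; it is not Codex's code and not part of the original issue. The matching semantics for args_startswith (exact match on every element but the last, prefix match on the last) and the names unwrap and auto_approved are assumptions.

```python
import re

# Rule shape copied from the issue's config.toml; how Codex matches it is assumed.
RULES = [{"command": "git", "args_startswith": ["push", "origin", "fix/"]}]

SHELLS = {"bash", "sh", "/bin/bash", "/bin/sh"}
# Allowlist of characters that have no special meaning to the shell.
PLAIN = re.compile(r"[A-Za-z0-9_./:=@+,\- ]+")


def unwrap(argv):
    """Return the argv that a [shell, -c/-lc, script] wrapper would run.

    Returns None when the script is not one plain command, so that it is
    never matched against an allow rule. Other argv shapes pass through.
    """
    if len(argv) == 3 and argv[0] in SHELLS and argv[1] in ("-c", "-lc"):
        script = argv[2]
        if not PLAIN.fullmatch(script):
            return None  # ; && | $() redirects, quotes, globs, newlines
        words = script.split()
        if not words or "=" in words[0]:
            return None  # empty script or leading VAR=value assignment
        return words
    return list(argv)


def auto_approved(argv, rules=RULES):
    """True only if the (unwrapped) command matches an approval rule."""
    cmd = unwrap(argv)
    if not cmd:
        return False
    args = cmd[1:]
    for rule in rules:
        prefix = rule["args_startswith"]
        if not prefix or cmd[0] != rule["command"] or len(args) < len(prefix):
            continue
        *exact, last = prefix
        if args[:len(exact)] == exact and args[len(exact)].startswith(last):
            return True
    return False
```

Declining to unwrap any script that contains shell metacharacters is what keeps a string such as "git push origin fix/x; <second command>" from inheriting the approval written for git.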