LIVE|CLI v0.144.0·model GPT-5.6 Sol·verified 2026-07-09
Codex Insider
The unofficial wire for OpenAI Codex.
config.toml key

projects.<path>.trust_level

default: unset

Published Jul 15, 2026 · Verified against the official config docs

What it does

Per-directory trust flag in ~/.codex/config.toml. Set trusted and Codex loads that project's .codex/ layers: project-local config and hooks. Set untrusted and it skips all of them. There is no documented default; a directory with no entry gets the trust prompt when you launch Codex there. Entries key on exact absolute paths, and wildcards don't work.

This is the key Codex writes for you when you answer the “do you trust the contents of this directory?” prompt. You can also set it by hand, which matters more than it sounds, because trust is the gate on the whole project-config system: project-scoped .codex/config.toml layers apply root-down to your cwd with the closest file winning, and none of them load unless the project is trusted.

Values

Value Effect
"trusted" Project .codex/ layers load: config, hooks
"untrusted" All project-scoped .codex/ layers are skipped (docs)
no entry Codex prompts on launch, then appends your answer to ~/.codex/config.toml
[projects."/path/to/project"]
trust_level = "trusted"

[projects."/path/to/untrusted"]
trust_level = "untrusted"

Even a trusted project’s config can never set these keys: openai_base_url, chatgpt_base_url, apps_mcp_product_sku, model_provider, model_providers, notify, profile, profiles, experimental_realtime_ws_base_url, otel. Provider, auth, and telemetry routing stay machine-local no matter what the repo ships.

When to change it

  1. Pre-trust the repos you live in so the launch prompt never fires. Since v0.113.0, a global approval_policy = "never" no longer suppresses the trust screen (#14547), so an explicit trust_level entry per path is the fix.
  2. Mark a repo you just cloned as "untrusted" before poking around. Its .codex/config.toml and any project-local hooks stay inert (hooks only load from trusted layers).
  3. Committing a .codex/config.toml for your team? It does nothing until each person trusts the path, so tell them.

Gotchas

Exact absolute paths only. Wildcards don’t match, which gets painful across many directories (#14547).

Codex appends trust entries into ~/.codex/config.toml itself, so if you sync that file in a dotfiles repo, machine-specific paths pile up in your git history. An open request wants this split into a separate state file (#14601), with no maintainer response yet.

On WSL, launching in a project with no .codex/ directory can leave an empty .codex file behind (a sandbox mount side effect, #16088).

  • sandbox_mode: what the agent can touch once it’s running
  • approval_policy: when Codex asks before acting; trust decides whose config gets to set it

Sources