OpenAI Codex

Manage Phase secrets directly from OpenAI Codex. Codex can list, create, update, and delete secrets, run processes with injected secrets, and manage your Phase environments — all from natural language.

Prerequisites

• Phase CLI installed and authenticated
• OpenAI Codex CLI installed

Setup

1. Enable AI integration

phase ai enable

Select Codex when prompted. This installs the Phase skill to ~/.agents/skills/phase-cli/SKILL.md and configures secret visibility.

You'll be asked whether AI agents can see secret values:

• Mask values (recommended) — secret and sealed types show as [REDACTED]
• Show values — secret and config types are visible; sealed is always hidden

2. Start using Phase in Codex

Invoke the skill explicitly with $phase-cli or let Codex auto-detect it from task context:

You: $phase-cli list my secrets
You: create a DATABASE_URL as config with value postgres://localhost:5432/mydb
You: rotate the API_KEY as a sealed secret with random base64

How it works

The Phase CLI installs a skill document that teaches Codex how to use the Phase CLI. Codex runs Phase commands directly — no separate server or middleware.

The skill is installed at ~/.agents/skills/phase-cli/SKILL.md, which is the user-level skill directory scanned by Codex for all projects.

Secret types and AI visibility

Security guardrails

The Phase CLI enforces guardrails when it detects an AI agent:

• printenv, env, export, set, declare, compgen are blocked inside phase run
• phase shell is blocked entirely in AI mode
• Sealed secret values are always redacted in output
• phase ai enable / phase ai disable must be run by the user directly

Managing the integration

# Update the skill (re-run after CLI upgrade)
phase ai enable

# Remove the integration
phase ai disable

# View the skill document
phase ai skill