Codex — The Ultimate Guide for Developers and DevOps Engineers.

GitHub Copilot lives in your IDE. Codex lives in the cloud. OpenAI's Codex is a fundamentally different kind of AI coding tool — it doesn't autocomplete lines or chat in a sidebar. It takes a task, spins up an isolated cloud sandbox with your entire codebase, works autonomously for 1–30 minutes, and delivers a finished result with verifiable evidence of every step it took.

If You Read Nothing Else: Codex is a cloud-native, async-first coding agent. You describe a task, Codex clones your repo into a secure sandbox (no internet access), makes changes, runs tests, and presents the result for review. You can run many tasks in parallel. It's powered by codex-1, a version of o3 optimized for software engineering. Think of it as hiring a junior developer who works in a clean room, follows instructions precisely, and always shows their work.

This article assumes you've read Article 1: Fundamentals and Article 2: GitHub Copilot. If terms like "context window," "tool layer," or "agent mode" are unfamiliar, start there.

1. What Codex Actually Is (Architecture)

Codex is OpenAI's cloud-based software engineering agent, accessed through the ChatGPT sidebar. Unlike Copilot (which runs in your IDE) or Claude Code (which runs in your terminal), Codex runs entirely on OpenAI's cloud infrastructure.

Fig 1 — Codex's architecture: task in, verified code out. Everything runs in an isolated cloud sandbox with no internet access.

The key architectural decisions

Isolated sandbox: Each task runs in its own container with your repo cloned in. No internet access during execution — only your code and pre-installed dependencies.
Async-first: You submit a task and walk away. Come back in 1–30 minutes. No watching the agent type.
Parallel execution: Run multiple tasks simultaneously. Each gets its own sandbox.
Verifiable output: Every action is logged. Terminal output, file changes, and test results are provided as citations you can trace.

2. How Codex Works — Step by Step

Here's the exact workflow when you use Codex:

Step 1: Submit a task

Open the Codex sidebar in ChatGPT. Choose your repository and branch. Type a prompt and click "Code" (for coding tasks) or "Ask" (for questions about the codebase).

Step 2: Sandbox setup

Codex spins up a secure cloud container. It clones your repository, installs dependencies (using your setup script if configured), and prepares the development environment. Internet access is disabled at this point.

Step 3: Autonomous execution

The codex-1 model reads your codebase, understands the task, makes changes, and runs commands. It follows a test-fix loop — if tests fail, it iterates until they pass or explicitly reports the failure. It reads AGENTS.md files in your repository for guidance on coding conventions, test commands, and project structure.

Step 4: Commit and present

When done, Codex commits its changes and presents:

A summary of what was done.
Code diffs showing exactly what changed.
Citations linking to terminal logs and test outputs so you can verify each decision.

Step 5: Review and integrate

You can:

Open a GitHub PR directly from the result.
Apply changes locally to your development environment.
Request revisions — Codex will iterate on the same sandbox.
Reject and start over with a different approach.

3. The codex-1 Model

Codex runs on codex-1, a version of OpenAI o3 that was specifically trained for software engineering using reinforcement learning on real-world coding tasks. It's not just "o3 with a different name" — it was trained differently:

Cleaner patches: Trained to produce minimal, review-ready diffs (not verbose rewrites).
Instruction following: Much better at adhering to AGENTS.md conventions and project-specific patterns.
Test-driven: Trained to run tests iteratively until they pass, not just assume the code is correct.
Human-aligned style: Output mirrors how experienced developers write PRs — concise commits, clear descriptions.

codex-mini-latest

A smaller, faster version of codex-1 designed for the Codex CLI (terminal tool). Optimized for low-latency code Q&A and editing. Available via the API at $1.50/1M input tokens and $6/1M output tokens, with a 75% prompt caching discount.

Performance

On SWE-Bench Verified (the industry standard for evaluating code agents), codex-1 shows strong performance even without AGENTS.md files or custom scaffolding. With proper environment setup and AGENTS.md guidance, it performs significantly better — just like a human developer performs better with good documentation.

4. AGENTS.md — The Configuration File

AGENTS.md is to Codex what .github/copilot-instructions.md is to GitHub Copilot — a project-level instruction file that tells the agent how to work with your codebase. But AGENTS.md is more structured and more important because Codex runs autonomously without you watching.

What to include

# AGENTS.md

## Project overview
This is a Django REST API for an e-commerce platform.

## Setup
```bash
pip install -r requirements.txt
python manage.py migrate
```

## Testing
```bash
pytest tests/ -v --tb=short
```
Always run the full test suite before committing.

## Code style
- Follow PEP 8
- Use type hints for all function signatures
- Prefer dataclasses over dictionaries for data structures
- Never use print() for logging — use the logger module

## Architecture
- API views go in `api/views/`
- Business logic goes in `services/`
- Database queries go in `repositories/`
- Never put business logic in views

## Common pitfalls
- The User model has a custom manager — use `User.objects.active()`
- All money amounts are stored in cents (integers), not floats
- Timezone-aware datetimes only — never use `datetime.now()`

Scoping rules

AGENTS.md files can appear anywhere in the repository — root, subdirectories, or even outside repos (home directory).
The scope of an AGENTS.md file is the entire directory tree rooted at the folder containing it.
More-deeply-nested AGENTS.md files take precedence in case of conflicts.
Direct system/user instructions take precedence over AGENTS.md.
If the AGENTS.md includes programmatic checks, Codex MUST run all of them, even for simple changes.

For DevOps: Put an AGENTS.md in your infra/ directory with Terraform conventions, module structure, naming rules, and required terraform validate/terraform plan checks. Codex will follow them even for "simple" changes.

5. The Security Model

Codex's security model is fundamentally different from Copilot's agent mode. In Copilot, the agent runs on your machine with your permissions. In Codex, everything runs in a locked-down cloud sandbox:

No internet access during task execution. The agent can only interact with the code in the cloned repository and pre-installed dependencies.
Isolated container per task. One task cannot access another task's environment.
No access to external APIs, websites, or services.
Repository access only through GitHub integration — Codex sees only the repos you've connected.

What this means practically

Codex cannot install packages from the internet during execution. Pre-install everything via the setup script.
Codex cannot call your staging API to test integration. Tests must be self-contained.
Codex cannot access secrets from your vault or CI system. Environment variables must be configured in the Codex environment settings.
Codex can run any command inside the sandbox — including destructive ones. Review the output carefully.

For DevOps teams: This security model is actually an advantage. You can give Codex access to infrastructure code without worrying about it accidentally running terraform apply against production — there's no network access. It can write and validate the code, but deployment still goes through your CI/CD pipeline.

6. Codex CLI — The Terminal Interface

Codex CLI is OpenAI's open-source coding agent you run locally from your terminal. It is not a trimmed-down version of the cloud agent — it's a full interactive AI coding environment built in Rust, available on macOS, Windows, and Linux. Source is at github.com/openai/codex.

Codex CLI is included in ChatGPT Plus, Pro, Business, Edu, and Enterprise plans. No separate billing or API key is required for included plan users — sign in with your ChatGPT account.

Installation

# npm (all platforms)
npm install -g @openai/codex

# Homebrew (macOS/Linux)
brew install codex

# Upgrade to latest
npm i -g @openai/codex@latest

Authentication

# Browser OAuth (opens a tab)
codex login

# Device code flow (no browser)
codex login --device-auth

# API key via stdin
printenv OPENAI_API_KEY | codex login --with-api-key

# Check current auth status
codex login status

Interactive mode — the full TUI

Running codex with no subcommand opens a full-screen terminal UI. The agent can inspect your repository, edit files, and run commands as you iterate together in real time.

# Open the TUI in the current directory
codex

# Start with an initial prompt
codex "Explain this codebase to me"

# Specify model upfront
codex --model gpt-5.5

# Set working directory without cd
codex --cd apps/frontend

# Grant write access to multiple roots
codex --cd apps/frontend --add-dir ../backend --add-dir ../shared

Inside the TUI you can:

Send prompts, code snippets, or screenshots (paste images directly into the composer).
Watch Codex explain its plan before making changes — approve or reject steps inline.
Press Tab while Codex is running to queue follow-up prompts, slash commands, or ! shell commands for the next turn.
Type @ to open a fuzzy file search and drop any file path into your message.
Prefix a line with ! to run a local shell command directly (e.g. !git log --oneline -5).
Press Ctrl+R to search your prompt history.
Use /theme to preview and save syntax-highlighting themes.

Approval modes

Approval modes define how much Codex can do without stopping for confirmation. Change modes mid-session with /permissions.

Mode	What Codex can do	When to use
Auto (default)	Read, edit files, run commands within the working directory. Asks before touching anything outside scope or using the network.	Day-to-day coding
Read-only	Browse and explain files only. Won't make changes or run commands until you approve a plan.	Code review, exploration
Full Access	Work across your machine including network access, without asking.	Trusted repos, isolated VMs

The equivalent CLI flags are --sandbox workspace-write (Auto), --sandbox read-only (Read-only), and --sandbox danger-full-access (Full Access). Use --ask-for-approval on-request for interactive runs or never for non-interactive CI runs.

Non-interactive mode (scripting and CI)

codex exec (alias: codex e) runs Codex without any UI — streams results to stdout for use in scripts and CI pipelines.

# Basic non-interactive run
codex exec "fix the CI failure"

# With sandbox and JSON output for scripting
codex exec --sandbox workspace-write --json "add docstrings to src/api.py"

# Pipe prompt from stdin
echo "summarise all TODO comments" | codex exec -

# CI usage: bypass prompts inside a hardened runner
codex exec --dangerously-bypass-approvals-and-sandbox "run tests and fix failures"

# Resume previous exec session
codex exec resume --last "implement the plan you proposed"

Session management

Codex stores transcripts locally under ~/.codex/sessions/ so you can resume, fork, or branch conversations.

Command	What it does
`codex resume`	Open a picker of recent sessions and continue one.
`codex resume --last`	Jump straight to the most recent session.
`codex fork --last`	Clone the latest session into a new thread, keeping the original intact — useful for exploring an alternative approach.

Slash commands — quick reference

Type / in the composer to open the slash popup. These are the most useful commands:

Command	What it does
`/model`	Switch model mid-session (e.g. gpt-5.5 → gpt-4.1-mini for fast tasks).
`/plan`	Enter plan mode — Codex proposes an execution plan before writing code.
`/goal <objective>`	Set a persistent goal for a long-running task (experimental; requires `features.goals`).
`/init`	Generate an AGENTS.md scaffold in the current directory.
`/review`	Run a dedicated code reviewer on your working tree — reports issues without touching files.
`/diff`	Show the full Git diff including untracked files.
`/permissions`	Switch approval mode (Auto / Read-only / Full Access) mid-session.
`/compact`	Summarise the conversation to free context window tokens.
`/clear`	Clear the terminal and start a fresh chat (unlike Ctrl+L which only clears the view).
`/new`	Start a fresh conversation in the same CLI session.
`/resume`	Reopen a saved session from the picker.
`/fork`	Branch the current conversation into a new thread.
`/side`	Start an ephemeral side conversation without disrupting the main thread.
`/status`	Show active model, approval policy, writable roots, and token usage.
`/mcp`	List configured MCP tools available in the session.
`/hooks`	Browse and manage lifecycle hooks.
`/copy`	Copy the latest completed Codex output to clipboard (also Ctrl+O).
`/fast`	Toggle Fast mode on supported models.
`/agent`	Switch between active subagent threads.
`/logout` / `/quit`	Sign out / exit the session.

Models

The recommended model is gpt-5.5 for complex coding, planning, and multi-step tasks. Fall back to gpt-5.4 if gpt-5.5 is unavailable. ChatGPT Pro subscribers can also access GPT-5.3-Codex-Spark (research preview) for speed-critical tasks. Switch mid-session with /model or set a default in ~/.codex/config.toml.

Image inputs and generation

Paste screenshots directly into the TUI composer or attach them on the command line:

codex -i screenshot.png "what's causing this error?"
codex --image img1.png,img2.jpg "compare these two flows"

Codex can also generate images (icons, banners, sprite sheets) via built-in gpt-image-2. Include $imagegen in your prompt or just ask in natural language.

Web search

Web search is on by default (cached mode — pre-indexed results, lower injection risk). For live results, pass --search or set web_search = "live" in config. Disable with web_search = "disabled".

MCP and subagents

Connect Codex to external tools via MCP servers configured in ~/.codex/config.toml. Manage them with codex mcp add/list/remove. Codex can also spawn subagents to parallelize tasks — each subagent does its own model and tool work inside the same session.

Cloud tasks from the terminal

The codex cloud command lets you submit and manage cloud tasks without opening ChatGPT:

# Interactive picker for cloud tasks
codex cloud

# Submit a task directly
codex cloud exec --env ENV_ID "add input validation to the payment API"

# Best-of-3 attempts
codex cloud exec --env ENV_ID --attempts 3 "refactor auth service"

# Apply a cloud task diff locally
codex apply TASK_ID

Key differences: CLI vs cloud agent

Feature	Codex (Cloud)	Codex CLI (Local)
Where it runs	OpenAI cloud sandbox	Your machine
Internet access	Disabled during task	Available (cached web search by default)
Model	codex-1 (cloud agent)	gpt-5.5 / gpt-5.4 (recommended)
Interaction style	Async — submit and check back	Interactive TUI + non-interactive exec
Image support	Not yet	Yes — paste or attach images
Session history	Task-based	Persistent, resumable, forkable
MCP servers	Limited	Full support via config.toml
Parallelism	Multiple tasks in isolated sandboxes	Subagents within a session
Platform	ChatGPT sidebar / cloud	macOS, Windows, Linux

7. When to Use Codex vs Copilot

This is the question every developer asks. The answer is simple once you understand their philosophies:

Fig 2 — The three major AI coding tools occupy different positions on the synchronous-to-asynchronous spectrum.

Use Codex when:

The task is well-scoped and can be described in one prompt.
You want to delegate and walk away — check back later.
You need parallel execution — assign 5 tasks at once.
The task involves writing tests, fixing bugs, or scaffolding features.
You want verifiable output with terminal logs and test results.
Security matters — you want isolated execution with no internet.

Use Copilot when:

You're actively coding and want real-time suggestions.
The task requires frequent back-and-forth and iterative refinement.
You need IDE integration — inline completions, NES, diagnostics.
You want to use multiple models depending on the task.
The task requires local tools, running servers, or debug sessions.

Use both:

The best workflow combines them. Use Copilot for your active work — the feature you're building right now. Simultaneously, assign Codex tasks for everything else: "write tests for the auth module," "fix the 5 linting errors in the dashboard," "add API documentation for all endpoints." You code with Copilot while Codex works in parallel on the periphery.

8. Setting Up the Codex Environment

Because Codex runs in an isolated sandbox, environment configuration is critical. The better your environment matches your real development setup, the better Codex performs.

Setup script

You can configure a setup script that runs when Codex initializes a sandbox. This script installs dependencies, configures tools, and prepares the environment:

#!/bin/bash
# codex-setup.sh

# Install dependencies
pip install -r requirements.txt
npm install

# Setup database
python manage.py migrate

# Install dev tools
pip install pytest black flake8 mypy

# Pre-build assets
npm run build

Environment configuration

In the Codex settings within ChatGPT, you can configure:

Repository: Which GitHub repo to work with.
Branch: Default branch for tasks.
Setup script: Commands to run before task execution.
Environment variables: Non-secret configuration values.

Important: Since Codex has no internet access during execution, every dependency must be pre-installed via the setup script. If your project needs a package that isn't in the base image, the setup script must install it.

9. Prompting Codex Effectively

Codex prompting is different from Copilot chat prompting. With Copilot, you're having a conversation. With Codex, you're writing a task specification — because once you submit it, the agent works autonomously.

The anatomy of a good Codex prompt

# Clear objective
Fix the rate limiting bug where the counter resets when
the Redis connection drops.

# Specific location
The relevant code is in src/middleware/rate_limiter.py
and the Redis client is in src/utils/redis_client.py.

# Acceptance criteria
- Counter should persist across Redis reconnections
- Add exponential backoff for Redis connection retries
- Write tests that simulate Redis disconnection
- All existing tests must still pass

# Constraints
- Don't change the rate limiter's public API
- Use the existing retry utility in src/utils/retry.py
- Follow the error handling pattern in src/middleware/auth.py

Good vs bad prompts

Bad prompt	Good prompt	Why
"Fix the bugs"	"Fix the TypeError in user_service.py line 42 where get_user returns None for deleted users"	Specificity — Codex can't ask you clarifying questions mid-task
"Add tests"	"Write pytest tests for the payment module covering: successful payment, insufficient funds, expired card, and network timeout. Follow the patterns in tests/test_user_service.py"	Scope and reference patterns
"Refactor the codebase"	"Extract the email sending logic from views/order.py into services/email_service.py. Update all callers. Keep the same function signatures."	Bounded scope with clear deliverable
"Deploy the app"	N/A — Codex can't deploy (no internet)	Understand the sandbox limitations

Prompt tips for DevOps tasks

Reference existing patterns: "Follow the module structure in infra/modules/vpc/ to create a new RDS module."
Specify validation: "Run terraform validate and terraform fmt -check before committing."
Be explicit about constraints: "Don't modify any existing resources. Only add new ones."
Include context about your environment: "We use AWS with Terraform 1.7, Kubernetes 1.29, and ArgoCD for deployments."

10. Citations and Verification

This is one of Codex's strongest features and something neither Copilot nor Claude Code offers as comprehensively. Every step Codex takes is logged and presented as verifiable citations.

What citations look like

When Codex presents results, you see:

File citations: References like 【F:src/auth.py†L42-L58】 pointing to specific lines in files.
Terminal citations: References to command output, test results, and logs.
Diff view: Standard git diff showing exactly what changed.

Why this matters

In Copilot agent mode, you watch the agent work in real-time — you can see each file edit and command. But for async tasks, you need a different kind of trust. Citations provide that: instead of watching the process, you verify the evidence.

Verification workflow

Read the summary: Does it match what you asked for?
Check the diff: Review the actual code changes.
Follow the citations: Click through to see terminal output and test results.
Look for test results: Did the tests pass? Did it add new tests?
Open the PR: If satisfied, create a PR for team review.

Pro tip: When writing AGENTS.md, include specific test commands and validation steps. Codex will run them and cite the results, giving you more evidence to verify.

11. Parallel Task Execution

This is where Codex fundamentally changes how you work. Instead of working on one thing at a time, you can submit multiple independent tasks and review them all when they're done.

The morning workflow

Start your day by assigning batch tasks:

Task 1: "Write unit tests for the new payment service, covering all edge cases in services/payment.py."
Task 2: "Fix all 12 mypy errors in src/api/. Don't change any function signatures."
Task 3: "Add docstrings to all public functions in src/models/ following Google style."
Task 4: "Refactor utils/helpers.py — it's 800 lines. Split into logical modules under utils/."

While those run, you work on the complex feature that requires your human judgment and architectural decisions. When you check back 30 minutes later, you have four PRs ready for review.

Best practices for parallel tasks

Keep tasks independent. Don't have Task 2 depend on the output of Task 1 — they run in separate sandboxes.
Be specific about scope. Each task should touch different files to avoid merge conflicts.
Start with well-tested codebases. Codex verifies by running your tests — the better your tests, the more reliable its output.
Review carefully. Parallel doesn't mean unreviewed. Each task's output still needs human review.

12. Integration with CI/CD

Codex creates PRs — and PRs trigger your CI pipeline. This creates a natural integration point:

You submit a Codex task.
Codex creates a PR on GitHub.
Your CI pipeline runs (tests, linting, security scans, build).
You review the PR with CI results.
If CI fails, you can ask Codex to iterate on the same task.

REST API integration

Codex can be triggered via the REST API, enabling automation:

Issue triage: When a bug is filed, automatically assign it to Codex for a fix attempt.
Dependency updates: Schedule weekly Codex tasks to update and test dependencies.
Code quality: After each sprint, assign Codex to fix accumulated lint warnings.
Documentation: Automatically generate API docs when endpoints change.

For DevOps: The combination of Codex + CI/CD creates a powerful feedback loop. Codex writes code that your pipeline validates, creating a separation of concerns: AI generates, automation verifies, humans review.

13. Limitations You Need to Know

Codex is powerful but has real limitations. Understanding them prevents frustration and wasted tasks:

No internet access

Can't install packages during execution (pre-install everything).
Can't call external APIs (mock them or use local stubs).
Can't access documentation websites (include relevant docs in the repo).
Can't pull Docker images (use the setup script).

No mid-task course correction

Once a task is submitted, you can't redirect the agent. If it's heading in the wrong direction, you have to wait for it to finish and then submit a revised task. This is the trade-off of async execution.

No image input

As of May 2026, Codex cannot process images. You can't paste a screenshot of a UI and ask it to implement it. This limits frontend work compared to tools like Copilot or Claude Code.

No real-time collaboration

Unlike Copilot's chat or Claude Code's terminal, there's no conversation. You submit, wait, and review. This makes it poor for exploratory tasks where you'd want to guide the agent.

Environment setup complexity

Complex development environments (specific system libraries, custom build tools, hardware-dependent code) can be difficult to replicate in the Codex sandbox. If your project requires 20 minutes of environment setup, Codex has 20 minutes less for the actual task.

14. Codex for DevOps — Real Workflows

Workflow 1: Terraform module creation

"Create a new Terraform module at infra/modules/rds-aurora/
for provisioning Aurora PostgreSQL clusters. Follow the patterns
in infra/modules/rds-mysql/. Include:
- Required variables: cluster_name, instance_class, engine_version
- Optional variables: backup_retention, preferred_maintenance_window
- Outputs: cluster_endpoint, reader_endpoint, cluster_id
- Run terraform validate before committing."

Workflow 2: Kubernetes manifest migration

"Migrate all Kubernetes Deployment manifests in k8s/
from apps/v1beta2 to apps/v1. Update any deprecated fields.
Add resource limits where missing (default: 256Mi/500m).
Run kubeval against each manifest to validate."

Workflow 3: CI pipeline optimization

"Analyze .github/workflows/ci.yml and optimize for speed:
- Add caching for npm and pip dependencies
- Parallelize test jobs where possible
- Add a matrix strategy for Node 18, 20, and 22
- Keep the current behavior for the deploy job unchanged
- Validate the YAML syntax."

Workflow 4: Security audit

"Review all files in src/ for security vulnerabilities:
- SQL injection (check all database queries)
- XSS (check all user input rendering)
- Hardcoded secrets or API keys
- Missing input validation on API endpoints
Create a report file at SECURITY_AUDIT.md with findings,
severity ratings, and recommended fixes."

15. Pricing and Availability

Plan	Access	Limits
ChatGPT Pro ($200/mo)	Full access	Generous during preview
ChatGPT Enterprise	Full access	Generous during preview
ChatGPT Business	Full access	Generous during preview
ChatGPT Plus ($20/mo)	Available (added June 2025)	Rate-limited
ChatGPT Edu	Coming soon	TBD

During the research preview, OpenAI provides generous access at no additional cost. After the preview, expect rate-limited access with options to purchase additional usage on-demand.

Codex CLI pricing

The CLI uses the API, priced at:

codex-mini-latest: $1.50/1M input tokens, $6/1M output tokens.
75% prompt caching discount on cached inputs.
Plus users get $5 in free API credits, Pro users get $50.

16. Tips That Actually Matter

Write a thorough AGENTS.md. This is the single highest-impact thing you can do. A good AGENTS.md is worth hours of per-task prompting.
Invest in your test suite. Codex verifies by running tests. No tests = no verification = lower quality output.
Pre-install everything. Don't waste sandbox time on dependency installation. Optimize your setup script.
Scope tasks tightly. "Fix this specific bug" beats "improve the codebase." You can't course-correct mid-task.
Run tasks in parallel. This is Codex's superpower. Batch your routine work and submit it all at once.
Review the citations. Don't just accept the diff. Follow the evidence trail — test results, terminal output, file references.
Use "Ask" for codebase questions. Before assigning coding tasks, ask Codex questions about the codebase to verify it understands the structure.
Start with small tasks. Build confidence by assigning well-scoped tasks first. Expand scope as you learn what Codex handles well.
Treat it like a junior developer. Clear specs, good documentation, and verification checks. The same things that help junior devs help Codex.
Combine with Copilot. Code with Copilot for your primary task. Delegate periphery work to Codex. Review Codex PRs with Copilot's review feature.

What's Next

Codex represents a fundamental shift in how we think about AI coding tools — from real-time pair programming to async task delegation. It's not a replacement for Copilot or Claude Code; it's a different modality entirely.

OpenAI envisions a future where developers "drive the work they want to own and delegate the rest to agents." Codex is the first real implementation of that vision — and as codex-1 improves, expect tasks to get more complex, environments to get richer, and the line between "tasks I do" and "tasks I delegate" to shift dramatically.

Next in the series: Claude Code — The Ultimate Guide. The terminal-native agent with the deepest reasoning capabilities, hooks, subagents, agent teams, and the most flexible permission model. A fundamentally different philosophy — and the most powerful tool for developers who live in the terminal.