Best Practices Advanced

This final lesson covers everything you need to use OpenAI Codex effectively at scale: writing optimal tasks, preparing your repository, understanding security, managing costs, knowing when to use Codex vs manual coding, and scaling AI-assisted development across your team.

Writing Effective Tasks

  1. One task, one concern

    Each task should focus on a single, well-defined objective. Avoid bundling unrelated changes into one task.

  2. Be specific, not prescriptive

    Describe what you want done and any constraints, but let Codex decide the implementation details. Specify the "what" and "why", not the "how".

  3. Include acceptance criteria

    Define what "done" looks like. List the specific tests that should pass, behaviors that should work, and edge cases to handle.

  4. Reference existing patterns

    Point Codex to similar implementations in your codebase: "Follow the pattern used in src/api/users.ts" gives it a concrete example.

  5. Start small, then scale

    Begin with small, low-risk tasks to build confidence. Gradually increase complexity as you learn what works well.

Repository Setup for Best Results

Optimize your repository to help Codex produce better results:

Factor Recommendation
AGENTS.md Create a comprehensive AGENTS.md with setup instructions, conventions, testing commands, and architectural notes
Test suite Maintain a robust test suite. Codex validates its changes by running tests — more tests mean better validation
CI/CD Configure CI to run on pull requests. This gives Codex (and you) confidence that changes work correctly
Linting Use ESLint, Prettier, or similar tools. Codex follows your linting rules when they are configured
Type safety TypeScript, type hints in Python, or other type systems help Codex understand data flow and catch errors
Documentation Well-documented code helps Codex understand intent. JSDoc comments, README, and architecture docs all help
Clean structure Organized file structure with clear naming conventions makes it easier for Codex to find and modify the right files

Security

Codex is designed with security as a core principle:

Sandboxed Execution

Codex runs in an isolated cloud environment. It cannot access your local machine, network, or other systems.

No Network by Default

The sandbox has no internet access by default. Codex cannot make external API calls, download packages at runtime, or exfiltrate data.

No Secret Access

Codex cannot access environment variables, secrets, or credentials from your repository or CI/CD pipeline.

Human Review Required

All changes go through a pull request. Nothing is merged automatically. You always have the final say.

Security reminder: Always review generated code carefully before merging. While Codex operates in a sandbox, the generated code itself runs in your production environment. Check for SQL injection, XSS, insecure dependencies, and other vulnerabilities.

Cost Management

Manage your Codex usage costs effectively:

  • Prioritize high-value tasks: Use Codex for tasks where the time savings justify the cost — tedious but well-defined work
  • Write clear tasks: Vague tasks lead to iterations and retries, increasing cost. Invest time in clear task descriptions
  • Batch similar tasks: Group related small changes into logical batches rather than submitting them one by one
  • Monitor usage: Track your Codex usage through the OpenAI dashboard. Set spending limits and alerts
  • Start small: Test with small, low-risk tasks before committing to large-scale usage

When to Use Codex vs Manual Coding

Use Codex Code Manually
Well-defined bug fixes with clear reproduction steps Complex bugs requiring deep system understanding
Adding tests for existing, untested code Designing test architecture and strategy
Implementing features with clear requirements Exploring architectural options and trade-offs
Routine refactoring (extract function, rename, restructure) Fundamental architecture changes
Generating API documentation and code comments Writing high-level design documents and ADRs
Batch processing a backlog of small tasks Sensitive security-critical code

Scaling AI-Assisted Development

  1. Start with a pilot

    Begin with one team and one repository. Document what works and what does not.

  2. Establish review standards

    Create guidelines for reviewing AI-generated PRs. Define what to check and quality thresholds.

  3. Standardize AGENTS.md

    Create a template AGENTS.md that teams can customize. Include organizational coding standards and conventions.

  4. Track metrics

    Measure PR acceptance rate, time saved, iteration count, and cost per task. Use data to improve your process.

  5. Share learnings

    Document effective task patterns, common pitfalls, and tips. Build an internal knowledge base for your team.

Frequently Asked Questions

Yes, Codex reads your repository to understand the codebase and make changes. Your code is processed in a secure, sandboxed environment. OpenAI's data usage policies apply — with Team and Enterprise plans, your data is not used for model training.

No. Codex runs in a sandboxed environment that does not have access to your repository's secrets, environment variables, or CI/CD credentials. If your code needs secrets at runtime, the tests should use mocks or fixtures.

All changes go through a standard pull request. If the code is wrong, request changes through the PR or the Codex interface. Codex will iterate on its work based on your feedback. Nothing is merged automatically.

The original Codex API (2021) was a code-completion model accessed via API. The new OpenAI Codex (codex.openai.com) is a fully autonomous cloud-based coding agent that reads repos, writes code, runs tests, and creates PRs. They share the name but are fundamentally different products.

Yes. Codex works with both public and private GitHub repositories. When you connect your GitHub account, you choose which repositories Codex can access. Private repository code is processed securely according to OpenAI's data policies.

Codex supports all major programming languages and frameworks. It works best with well-established languages like Python, JavaScript/TypeScript, Java, Go, Rust, and C#. The quality depends on the training data available for the language and how well your project is set up (tests, linting, AGENTS.md).

← Workflows