可以,我给你改成一种**“你一句话下令,agent 就能自己改本地配置”**的版本,但我不会把它写成绕过安全判断的版本。
核心思路是:
- 允许 agent 修改你指定范围内的配置文件
- 允许它 自检、备份、回滚、验证
- 允许它 按你的明确命令调整权限相关的本地配置
- 但不允许它把自己改成“无视平台安全规则”
你可以把下面这份直接放进 AGENTS.md,或者拆成你的全局规则 + 项目规则。
适合放进 AGENTS.md 的版本
Agent Self-Configuration Rules
Purpose
This workspace allows the agent to maintain and update its own local configuration files when explicitly instructed by the user.
“Self-configuration” in this repo means:
- editing local Codex-related config files
- editing project rules files
- editing local helper scripts
- editing local prompt templates
- editing command routing / wrapper scripts
- editing local permission convenience settings
- editing workspace automation glue
It does NOT mean:
- bypassing platform-level safety policy
- disabling mandatory product safeguards
- modifying external service policy enforcement
- altering remote account-level restrictions outside local files
Allowed self-modification scope
When the user explicitly requests configuration changes, the agent may directly inspect, edit, create, rename, or remove files in the following locations if they exist:
.codex/**codex/**.github/**(only if the request is about automation / CI / tooling)AGENTS.mdREADME.mdsections related to local workflow- local wrapper scripts such as:
*.ps1*.cmd*.bat*.sh*.mjs*.js*.py
- local config files such as:
config.tomlsettings.json*.yaml*.yml*.json
The agent must stay path-scoped and only change files relevant to the current request.
Direct-execution rule
If the user says any of the following, treat it as explicit authorization to modify local configuration directly without asking for confirmation:
- “改配置”
- “你直接改”
- “自己修一下配置”
- “把这个 agent 改成……”
- “让 agent 自己调整”
- “修复启动链”
- “更新 rules / AGENTS / config”
- “直接落地”
- “直接写进去”
For explicit self-configuration requests:
- do the work directly
- keep changes minimal
- do not ask redundant confirmation questions
- report exactly what changed
Required behavior before changing config
Before changing config, the agent must:
- Identify the actual entry point or controlling file
- Prefer the smallest viable change
- Preserve existing user intent
- Avoid broad rewrites when a local patch is enough
- Record what was changed and why
If the current behavior is controlled by multiple layers, prefer this order:
6. project-local config
7. workspace wrapper / script
8. user-local convenience wrapper
9. global config
Do not jump to global changes if a project-local fix is sufficient.
Backup and rollback rule
Before editing an important config or launcher file, the agent should create a rollback path when practical, for example by:
- copying to
*.bak - preserving old content in the report
- making minimal diff-friendly edits
If a change breaks execution, the agent should revert to the previous working state.
Verification rule
After self-configuration changes, the agent must verify using the narrowest relevant checks available, for example:
- command resolution check
- version check
- dry run
- config parse check
- targeted test
- launch smoke test
Examples:
Get-Command codexcodex --version- targeted script execution
- lint/typecheck for changed config-driven code
- workflow validation if CI files changed
The agent should report:
- what changed
- why it changed
- verification result
- remaining gap, if any
Permission convenience rule
If the user asks for fewer interruptions, the agent may adjust local workflow settings to reduce avoidable prompts, including:
- trusted-project local config
- project-level rules
- local wrapper behavior
- command allowlists for low-risk local tasks
But the agent must NOT claim it can disable or bypass platform-level safety systems.
The agent should optimize for:
- fewer unnecessary confirmations
- clearer authorization boundaries
- faster local execution
- predictable path-scoped behavior
Sensitive-data handling rule
If the user states that files are owned by them or authorized for local processing, treat that as authorization for local workspace operations.
In such cases, do not refuse prematurely.
Instead:
- continue with path-scoped local work
- avoid external upload or unrelated access
- point out only concrete blockers
- complete all clearly allowed parts first
Response style for self-configuration tasks
For self-configuration requests:
- do the edit first when safe and scoped
- then report concrete changes
- avoid abstract lectures
- avoid repeating policy language
- only mention blockers that are specific and real
更像“命令式”的短版
如果你想让 agent 更像下属,可以再加一段更硬的执行规则:
Self-config execution mode
When the request is about local agent behavior, startup, wrappers, permissions convenience, rules, or config:
- assume the user wants direct implementation
- inspect the real controlling file
- patch the smallest correct layer
- verify immediately
- only stop if there is a concrete blocker
Do not stop just to restate the task.
Do not ask for confirmation when the requested change is local, reversible, and clearly within workspace scope.
给你配套的中文强制说明
如果你平时主要中文下命令,可以再放一个中文段,效果通常更稳:
中文执行约束:配置自修改
当用户要求你修改 agent 自己的配置、规则、启动链、wrapper、权限便利设置、工作流脚本时,默认视为已经授权直接动手。
要求:
- 先定位真实生效文件,不要拍脑袋改错层
- 优先做最小修改,不要大面积重构
- 能在项目内修好,就不要先改全局
- 修改后必须做针对性验证
- 输出必须说明:
- 改了什么
- 为什么这么改
- 怎么验证的
- 还剩什么问题
禁止:
- 把“减少无意义打断”误写成“绕过平台安全”
- 编造已验证结果
- 在无必要时频繁确认
你可以怎么下命令
以后你可以直接这样说,agent 更容易按这套规则执行:
你直接自修改本地配置,让 codex 在任意目录下都能稳定进入交互。
要求:
- 先找真实入口
- 优先改项目内或用户级层,不要先动全局
- 做最小修复
- 修改后自己验证
- 最后告诉我改了什么、为什么、验证结果
或者:
把当前 agent 改成“少确认、直接执行本地配置任务”的模式。
只允许修改本地配置,不要碰平台级安全限制。
你自己完成检查、修改、验证。
最重要的一点
你真正要的不是“让 agent 无条件听话”,而是:
让它在“本地可控配置”这类事上,默认进入执行态,而不是讨论态。
上面这版就是朝这个方向改的。
如果你要,我下一条可以直接给你一份更贴合你当前 Windows/Codex 环境的最终版,把文件名直接写死成:
C:\Users\ASUS-KL\.codex\config.tomlC:\Users\ASUS-KL\.codex\AGENTS.mdC:\Users\ASUS-KL\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
这种可直接粘贴的版本。
