CLI Creator
Create a real CLI that future Codex threads can run by command name from any working directory.
This skill is for durable tools, not one-off scripts. If a short script in the current repo solves the task, write the script there instead.
Start
Name the target tool, its source, and the first real jobs it should do:
- Source: API docs, OpenAPI JSON, SDK docs, curl examples, browser app, existing internal script, article, or working shell history.
- Jobs: literal reads/writes such as , , , , .
- Install name: a short binary name such as , , , or .
Prefer a new folder under
when the user wants a personal tool and has not named a repo.
Before scaffolding, check whether the proposed command already exists:
bash
command -v <tool-name> || true
If it exists, choose a clearer install name or ask the user.
Choose the Runtime
Before choosing, inspect the user's machine and source material:
bash
command -v cargo rustc node pnpm npm python3 uv || true
Then choose the least surprising toolchain:
- Default to Rust for a durable CLI Codex should run from any repo: one fast binary, strong argument parsing, good JSON handling, easy copy/install into .
- Use TypeScript/Node when the official SDK, auth helper, browser automation library, or existing repo tooling is the reason the CLI can be better.
- Use Python when the source is data science, local file transforms, notebooks, SQLite/CSV/JSON analysis, or Python-heavy admin tooling that can still be installed as a durable command.
Do not pick a language that adds setup friction unless it materially improves the CLI. If the best language is not installed, either install the missing toolchain with the user's approval or choose the next-best installed option.
State the choice in one sentence before scaffolding, including the reason and the installed toolchain you found.
Command Contract
Sketch the command surface in chat before coding. Include the binary name, discovery commands, resolve or ID-lookup commands, read commands, write commands, raw escape hatch, auth/config choice, and PATH/install command.
When designing the command surface, read references/agent-cli-patterns.md for the expected composable CLI shape.
Build toward this surface:
- shows every major capability.
- verifies config, auth, version, endpoint reachability, and missing setup.
- stores local config when env-only auth is painful.
- Discovery commands find accounts, projects, workspaces, teams, queues, channels, repos, dashboards, or other top-level containers.
- Resolve commands turn names, URLs, slugs, permalinks, customer input, or build links into stable IDs so future commands do not repeat broad searches.
- Read commands fetch exact objects and list/search collections. Paginated lists support a bounded , cursor, offset, or clearly documented default.
- Write commands do one named action each: create, update, delete, upload, schedule, retry, comment, draft. They accept the narrowest stable resource ID, support , , or first when the service allows it, and do not hide writes inside broad commands such as , , or .
- returns stable machine-readable output.
- A raw escape hatch exists: , , , or the nearest honest name.
Do not expose only a generic
command. Give Codex high-level verbs for the repeated jobs.
Document the JSON policy in the CLI README or equivalent: API pass-through versus CLI envelope, success shape, error shape, and one example for each command family. Under
, errors must be machine-readable and must not contain credentials.
Auth and Config
Support the boring paths first, in this precedence order:
- Environment variable using the service's standard name, such as .
- User config under
~/.<tool-name>/config.toml
- or a tool-specific token flag only for explicit one-off tests. Prefer env/config for normal use because flags can leak into shell history or process listings.
Never print full tokens.
should say whether a token is available, the auth source category (
,
,
, provider default, or missing), and what setup step is missing.
If the CLI can run without network or auth, make that explicit in
: report fixture/offline mode, whether fixture data was found, and whether auth is not required for that mode.
For internal web apps sourced from DevTools curls, create sanitized endpoint notes before implementing: resource name, method/path, required headers, auth mechanism, CSRF behavior, request body, response ID fields, pagination, errors, and one redacted sample response. Never commit copied cookies, bearer tokens, customer secrets, or full production payloads.
Use screenshots to infer workflow, UI vocabulary, fields, and confirmation points. Do not treat screenshots as API evidence unless they are paired with a network request, export, docs page, or fixture.
Build Workflow
- Read the source just enough to inventory resources, auth, pagination, IDs, media/file flows, rate limits, and dangerous write actions. If the docs expose OpenAPI, download or inspect it before naming commands.
- Sketch the command list in chat. Keep names short and shell-friendly.
- Scaffold the CLI with a README or equivalent repo-facing instructions.
- Implement , discovery, resolve, read commands, one narrow draft or dry-run write path if requested, and the raw escape hatch.
- Install the CLI on PATH so works outside the source folder.
- Smoke test from another repo or , not only with or package-manager wrappers. Run , , and
<tool-name> --json doctor
- Run format, typecheck/build, unit tests for request builders, pagination/request-body builders, no-auth , help output, and at least one fixture, dry-run, or live read-only API call.
If a live write is needed for confidence, ask first and make it reversible or draft-only.
When the source is an existing script or shell history, split the working invocation into real phases: setup, discovery, download/export, transform/index, draft, upload, poll, live write. Preserve the flags, paths, and environment variables the user already relies on, then wrap the repeatable phases with stable IDs, bounded JSON, and file outputs.
For raw escape hatches, support read-only calls first. Do not run raw non-GET/HEAD requests against a live service unless the user asked for that specific write.
For media, artifact, or presigned upload flows, test each phase separately: create upload, transfer bytes, poll/read processing status, then attach or reference the resulting ID.
For fixture-backed prototypes, keep fixtures in a predictable project path and make the CLI locate them after installation. Smoke-test from
to catch binaries that only work inside the source folder.
For log-oriented CLIs, keep deterministic snippet extraction separate from model interpretation. Prefer a command that emits filenames, line numbers or byte ranges, matched rules, and short excerpts.
Rust Defaults
When building in Rust, use established crates instead of custom parsers:
- for commands and help
- for HTTP
- / for payloads
- for small config files
- for CLI-shaped error context
Add a
target such as
that builds release and installs the binary into
.
TypeScript/Node Defaults
When building in TypeScript/Node, keep the CLI installable as a normal command:
- or for commands and help
- native , the official SDK, or the user's existing HTTP helper for API calls
- only where external payload validation prevents real breakage
- entry for the installed command
- , , or using the repo's existing convention
Add an install path such as
,
, and
, or a
target that installs a small wrapper into
.
Python Defaults
When building in Python, prefer boring standard-library pieces unless the workflow needs more:
- for commands and help, or when subcommands would otherwise get messy
- / , , or for HTTP, matching what is already installed or already used nearby
- , , , , and for local files, exports, databases, and existing scripts
- console script or a small executable wrapper for the installed command
- or a virtualenv only when dependencies are actually needed
Add a
target such as
that installs the command on PATH and document whether it depends on
, a virtualenv, or only system Python.
Companion Skill
After the CLI works, create or update a small skill for it. Use
when it is available. Use
$CODEX_HOME/skills/<tool-name>/SKILL.md
for a personal companion skill unless the user names a repo-local
path or another skill repo.
Write the companion skill in the order a future Codex thread should use the CLI, not as a tour of every feature. Explain:
- How to verify the installed command exists.
- Which command to run first.
- How auth is configured.
- Which discovery command finds the common ID.
- The safe read path.
- The intended draft/write path.
- The raw escape hatch.
- What not to do without explicit user approval.
- Three copy-pasteable command examples.
Keep API reference details in the CLI docs or a skill reference file. Keep the skill focused on ordering, safety, and examples future Codex threads should actually run.