Configuration Playbooks - coding-agenthub

Configuration Playbook

Amazon Q Developer CLI

Overview

Configure Amazon Q for AWS-integrated code generation and analysis.

Quick Start

Install Amazon Q CLI and set basic settings:

brew install --cask amazon-q

q login

q settings chat.defaultModel "claude-3-sonnet"

q settings chat.enableKnowledge true

Configuration Files & Locations

Amazon Q uses different configuration locations for different purposes:

Settings Configuration

Scope	Location	Purpose	Git Tracked?
Global	Managed via `q settings` commands	User defaults, authentication, model settings	N/A
Project	`.q/` directory (project root)	Team shared settings, context files	Yes
Local	`.q/settings.local.yaml` (project root)	Personal overrides (git-ignored)	No

Manage settings via: q settings [key] [value] - This is the recommended way. See official settings guide.

MCP Configuration

MCP servers are configured separately:

Scope	Location	Purpose	Git Tracked?
Global	`~/.aws/amazonq/default.json`	MCP server configurations (all projects)	No
Project	`.amazonq/default.json`	Project-specific MCP servers	Yes
Legacy (Global)	`~/.aws/amazonq/mcp.json`	Legacy MCP config (deprecated)	No
Legacy (Project)	`.amazonq/mcp.json`	Legacy project MCP config (deprecated)	Yes

Note: Modern MCP configuration is in default.json. Legacy mcp.json support is controlled by useLegacyMcpJson field in ~/.aws/amazonq/default.json.

See official MCP configuration guide.

Authentication Setup

Amazon Q uses AWS Builder ID (free) or AWS Identity Center (pro) for authentication.

Builder ID (Free Tier)

Run login command:
```
q login --license free
```
Opens browser for authentication
Free tier with basic features

AWS Identity Center (Pro Tier)

Run login with your organization’s details:

q login --license pro \
  --identity-provider https://your-org.awsapps.com/start \
  --region us-east-1

Follow browser authentication flow
Full access to all features

Check status: q whoami

Model & Core Configuration

Option	Type	Default	Purpose
`chat.defaultModel`	string	”claude-3-sonnet”	Primary AI model for conversations
`chat.enableThinking`	boolean	true	Enable complex reasoning tool
`chat.greeting.enabled`	boolean	false	Show greeting message on chat start
`telemetry.enabled`	boolean	true	Share usage metrics with AWS
`chat.enableKnowledge`	boolean	true	Enable knowledge base functionality

Example settings:

q settings chat.defaultModel "claude-3-opus"
q settings chat.enableThinking true
q settings telemetry.enabled false

Tool Permissions & Security

Control which tools Amazon Q can use with granular permissions. Agent configuration uses JSON format:

{
  "tools": [
    "fs_read",
    "fs_write",
    "execute_bash",
    "use_aws"
  ],
  "allowedTools": [
    "fs_read",
    "fs_*",
    "@git/git_status"
  ],
  "toolsSettings": {
    "fs_write": {
      "allowedPaths": ["src/**", "tests/**"]
    },
    "execute_bash": {
      "allowedCommands": ["git status", "cargo check", "npm test"]
    },
    "use_aws": {
      "allowedServices": ["s3", "lambda", "dynamodb"]
    }
  }
}

For per-user settings managed via q settings commands, use the CLI (e.g., q settings chat.defaultModel "claude-3-sonnet").

MCP Servers & Tool Integration

Global MCP Configuration

Edit ~/.aws/amazonq/default.json:

{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {
        "GITHUB_TOKEN": "${GITHUB_TOKEN}"
      },
      "timeout": 60000
    },
    "git": {
      "command": "git-mcp",
      "args": [],
      "env": {
        "GIT_CONFIG_GLOBAL": "/dev/null"
      },
      "timeout": 120000
    }
  },
  "tools": [
    "@github",
    "@git/git_status",
    "@git/git_log"
  ],
  "allowedTools": [
    "@github/search_*",
    "@git"
  ]
}

Project-Level MCP Configuration

Create .amazonq/default.json in project root:

{
  "mcpServers": {
    "postgres": {
      "command": "node",
      "args": ["./mcp-server-postgres.js"],
      "env": {
        "DATABASE_URL": "postgresql://localhost/mydb"
      }
    }
  },
  "tools": ["use_postgres"],
  "allowedTools": ["@postgres/*"]
}

Environment variable resolution uses ${VAR_NAME} syntax from shell environment.

Knowledge Base Configuration

Enable semantic search over your project:

q settings chat.enableKnowledge true
q settings knowledge.indexType "Best"  # or "Fast"
q settings knowledge.maxFiles 1000
q settings knowledge.defaultIncludePatterns '["**/*.rs", "**/*.md", "**/*.toml"]'
q settings knowledge.defaultExcludePatterns '["**/target/**", "**/node_modules/**"]'

Agent Configuration

Create specialized AI assistants in .q/agents/my-agent.json:

{
  "name": "rust-developer",
  "description": "Specialized for Rust and AWS development",
  "prompt": "You are an expert Rust developer with AWS knowledge",
  "model": "claude-3-sonnet",
  "tools": [
    "fs_read",
    "fs_write",
    "execute_bash",
    "use_aws",
    "@git"
  ],
  "allowedTools": [
    "fs_*",
    "execute_bash",
    "use_aws",
    "@git/*"
  ],
  "resources": [
    "file://README.md",
    "file://docs/**/*.md"
  ],
  "hooks": {
    "postToolUse": [
      {
        "matcher": "fs_write",
        "command": "rustfmt $(jq -r '.tool_input.path')"
      }
    ]
  }
}

Run with: q chat --agent rust-developer

Team & Enterprise Configuration

Amazon Q enforces separation between team-shared configuration (git-tracked) and personal settings (local only):

Shared Team Configuration (Git-Tracked)

Store team guidelines and custom agents in version control:

Project Rules (.amazonq/rules/**/*.md):

Code Review Process

All changes require at least 2 approvals
Include tests for new functionality
Update documentation for API changes

Commit Messages

Use conventional commit format
Include ticket numbers in commit messages


**Shared Agents** (`.amazonq/cli-agents/team-agent.json`):
```json
{
  "name": "team-agent",
  "description": "Team development standards agent",
  "resources": [
    "file://.amazonq/rules/**/*.md",
    "file://README.md",
    "file://docs/**/*.md"
  ],
  "tools": [
    "fs_read",
    "execute_bash"
  ]
}

Personal Overrides (Local Only)

Individual developers set personal preferences via q settings commands (not committed):

q settings chat.defaultModel "claude-3-opus"

q settings telemetry.enabled false

q settings chat.defaultAgent team-agent

Settings are stored in ~/.aws/amazonq/ (never commit to git).

MCP Servers for Teams

Shared MCP servers go in project-level .amazonq/default.json:

{
  "mcpServers": {
    "shared-github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {
        "GITHUB_TOKEN": "${GITHUB_TOKEN}"
      }
    }
  },
  "allowedTools": [
    "@github/search_*",
    "fs_read"
  ]
}

Custom Commands & Recipes

Amazon Q supports custom agents and prompt templates rather than fixed commands. Create agents for common workflows:

name: "deploy"
description: "Handles deployment workflows"
prompt: "You are a deployment specialist"
tools:
  - execute_bash
  - use_aws
toolsSettings:
  execute_bash:
    allowedCommands:
      - "git push"
      - "npm run build"
      - "aws s3 sync"

Best Practices

✅ Do:

Use q settings commands to manage configuration
Store sensitive values in environment variables or .env files
Create project-specific agents in .q/agents/
Use tool permissions to limit access in shared environments
Enable knowledge base for better project context
Commit team settings to version control, keep personal overrides local

❌ Don’t:

Edit YAML files directly (use q settings commands)
Commit personal authentication tokens
Disable all tool permissions (breaks functionality)
Use wildcard permissions in production without review
Ignore the q diagnostic command when troubleshooting

Troubleshooting & Validation

Validate configuration:

q diagnostic
q settings list

Common issues:

Problem	Solution
Auth fails	Run `q login` and check `q whoami`
Tools blocked	Check `allowedTools` and `toolsSettings` in settings
MCP server not found	Verify command path and environment variables
Knowledge base empty	Run `q settings chat.enableKnowledge true`
Settings not applied	Use `q settings list` to verify, restart chat session

Debug mode:

q settings log.level "debug"
q chat --verbose

Check logs: q diagnostic --format json

Additional Resources

Last updated: 2025-11-12

Configuration Playbook

Claude Code

Overview

Configure Claude Code for terminal-based AI-assisted development.

Quick Start

Install and start Claude Code:

brew install --cask claude-code

curl -fsSL https://claude.ai/install.sh | bash

cd your-project
claude

First run will prompt for login via browser (Claude.ai or Claude Console account required).

Configuration Files & Locations

Scope	Location	Purpose	Git Tracked?
Global	`~/.claude/settings.json`	User defaults, global permissions, MCP servers	No
Project	`.claude/settings.json`	Team shared settings, project-specific config	Yes
Local	`.claude/settings.local.json`	Personal overrides (auto git-ignored)	No
Enterprise	`/Library/Application Support/ClaudeCode/managed-settings.json` (macOS)	IT-managed policies (cannot be overridden)	N/A
MCP Config	`.mcp.json`	Project MCP servers (team shared)	Yes
Context	`CLAUDE.md` or `AGENTS.md`	Project documentation (auto-loaded)	Yes

Authentication Setup

Claude Code uses Claude.ai or Claude Console accounts for authentication.

Run Claude Code:
```
claude
```
Follow browser authentication prompt
Choose account type:
- Claude.ai: Pro or Max subscription (personal use)
- Claude Console: API usage billing (workspace/team use)

Configure which login method to use:

{
  "forceLoginMethod": "claudeai"
}

Options: "claudeai" or "console"

API Key for Automation

For non-interactive use (CI/CD, scripts):

export ANTHROPIC_API_KEY="sk-ant-..."

Or use dynamic key generation:

{
  "apiKeyHelper": "~/bin/get-api-key.sh"
}

Model & Core Configuration

Option	Type	Default	Purpose
`model`	string	”claude-sonnet-4-5-20250929”	Primary AI model for coding tasks
`cleanupPeriodDays`	int	30	Days to retain chat transcripts
`includeCoAuthoredBy`	boolean	true	Include “Co-authored-by: Claude” in commits
`env`	object	{}	Environment variables for every session

Example:

{
  "model": "opus",
  "cleanupPeriodDays": 60,
  "env": {
    "CUSTOM_VAR": "value"
  }
}

Available model shortcuts: "sonnet", "opus", "haiku" (maps to latest versions)

Permission & Access Controls

Claude Code uses a granular permission system with allow/ask/deny rules:

{
  "permissions": {
    "allow": [
      "Bash(git diff:*)",
      "Bash(npm run test:*)",
      "Read(~/.zshrc)"
    ],
    "ask": [
      "Bash(git push:*)",
      "WebFetch"
    ],
    "deny": [
      "Bash(curl:*)",
      "Read(./.env)",
      "Read(./.env.*)",
      "Read(./secrets/**)",
      "Read(~/.aws/**)"
    ],
    "additionalDirectories": ["../docs/"],
    "defaultMode": "acceptEdits"
  }
}

Permission modes:

"plan" - Read-only analysis, no changes
"acceptEdits" - Allow file edits with confirmation
"bypassPermissions" - Skip all permission checks (dangerous)

Tool-specific patterns:

Bash(command:*) - Shell command prefix matching
Read(path) - File/directory read access
Edit(path) - File write access
WebFetch or WebFetch(domain:example.com) - Network access
mcp__servername - All tools from MCP server
mcp__servername__toolname - Specific MCP tool

MCP Servers & Tool Integration

Adding MCP Servers via CLI

claude mcp add --transport http github https://api.githubcopilot.com/mcp/

claude mcp add --transport stdio clickup \
  --env CLICKUP_API_KEY=YOUR_KEY \
  --env CLICKUP_TEAM_ID=YOUR_TEAM_ID \
  -- npx -y @hauptsache.net/clickup-mcp

claude mcp list

MCP Configuration in .mcp.json

{
  "mcpServers": {
    "github": {
      "type": "http",
      "url": "https://api.githubcopilot.com/mcp/"
    },
    "company-internal": {
      "type": "stdio",
      "command": "/usr/local/bin/company-mcp-server",
      "args": ["--config", "/etc/company/mcp-config.json"],
      "env": {
        "API_URL": "${COMPANY_API_URL}"
      }
    }
  }
}

Environment variable expansion: Use ${VAR_NAME} or ${VAR_NAME:-default} syntax.

MCP Permissions

{
  "enableAllProjectMcpServers": false,
  "enabledMcpjsonServers": ["github", "sentry"],
  "disabledMcpjsonServers": ["filesystem"],
  "permissions": {
    "allow": [
      "mcp__github",
      "mcp__sentry__get_issue"
    ],
    "deny": [
      "mcp__filesystem"
    ]
  }
}

Note: MCP permissions do NOT support wildcards. Use mcp__servername for all tools or list each tool individually.

Project Context Management

Auto-load project documentation for better context:

Documentation files (loaded automatically at startup):

CLAUDE.md or AGENTS.md in project root
.claude/CLAUDE.md (project-specific)
~/.claude/CLAUDE.md (personal, all projects)

What to document:

Common bash commands with descriptions
Core files and utility functions
Code style guidelines
Testing instructions
Repository etiquette (branch naming, merge strategy)
Developer environment setup
Project-specific warnings

Sandbox Configuration

Enable advanced sandboxing for bash command isolation (macOS/Linux):

{
  "sandbox": {
    "enabled": true,
    "autoAllowBashIfSandboxed": true,
    "excludedCommands": ["docker", "git"],
    "allowUnsandboxedCommands": true,
    "network": {
      "allowUnixSockets": ["/var/run/docker.sock"],
      "allowLocalBinding": true
    }
  }
}

Filesystem and network access are controlled via Read, Edit, and WebFetch permission rules, not sandbox settings.

Team & Enterprise Configuration

Managed Policy Settings (Enterprise)

IT/DevOps can deploy organization-wide policies that cannot be overridden:

macOS: /Library/Application Support/ClaudeCode/managed-settings.json
Linux/WSL: /etc/claude-code/managed-settings.json
Windows: C:\ProgramData\ClaudeCode\managed-settings.json

{
  "env": {
    "COMPANY_VAR": "value"
  },
  "permissions": {
    "deny": ["Read(~/.aws/**)", "Bash(curl:*)"],
    "disableBypassPermissionsMode": "disable"
  },
  "allowedMcpServers": [
    {"serverName": "github"},
    {"serverName": "company-internal"}
  ],
  "deniedMcpServers": [
    {"serverName": "filesystem"}
  ]
}

Managed MCP Configuration (Enterprise)

Deploy centrally-managed MCP servers:

macOS: /Library/Application Support/ClaudeCode/managed-mcp.json
Linux/WSL: /etc/claude-code/managed-mcp.json
Windows: C:\ProgramData\ClaudeCode\managed-mcp.json

{
  "mcpServers": {
    "company-internal": {
      "type": "stdio",
      "command": "/usr/local/bin/company-mcp-server",
      "args": ["--config", "/etc/company/mcp-config.json"],
      "env": {
        "COMPANY_API_URL": "https://internal.company.com"
      }
    }
  }
}

Settings Precedence

Settings are applied in order (highest to lowest):

Enterprise managed policies (managed-settings.json) - Cannot be overridden
Command line arguments - Temporary session overrides
Local project settings (.claude/settings.local.json) - Personal, git-ignored
Shared project settings (.claude/settings.json) - Team shared, version controlled
User settings (~/.claude/settings.json) - Personal global settings

Best Practices

✅ Do:

Use CLAUDE.md or AGENTS.md to document project context and common commands
Store API keys in environment variables, never in settings files
Create .claude/settings.local.json for personal settings (auto git-ignored)
Use permission deny rules to exclude sensitive files (.env, secrets/)
Configure MCP servers at project level (.mcp.json) for team sharing
Use permissions.defaultMode: "plan" for read-only analysis in production repos
Test configuration changes in isolated branches first

❌ Don’t:

Commit API keys or tokens to version control
Use bypassPermissions mode without strong justification
Mix authentication methods in the same config
Ignore enterprise managed policies (they override everything)
Use wildcards in MCP permission patterns (not supported)
Disable all tool permissions (breaks core functionality)

Troubleshooting & Validation

Interactive configuration:

claude        # Start Claude Code
/config       # Open settings UI
/permissions  # Configure allowed tools
/mcp          # Manage MCP servers

Common issues:

Problem	Solution
Auth fails	Run `claude` and follow login prompt; check account type
MCP server not found	Verify command path and environment variables; check `claude mcp list`
Permission denied	Review `permissions.deny` rules; use `/permissions` command
Context files not loading	Ensure `CLAUDE.md` or `AGENTS.md` exists in project root
Settings not applied	Check precedence order; enterprise policies override all
Sandbox blocks command	Add to `excludedCommands` or set `sandbox.enabled: false`

Environment variables for debugging:

export CLAUDE_CODE_ENABLE_TELEMETRY=1
export DISABLE_PROMPT_CACHING=1

export MAX_MCP_OUTPUT_TOKENS=50000

export CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1

Check configuration:

cat ~/.claude/settings.json

cat .claude/settings.json

claude mcp list

Additional Resources

Last updated: 2025-11-12

Configuration Playbook

Codex CLI

Overview

Configure Codex CLI for OpenAI-powered terminal code generation and planning. For broader feature details, see the official Codex CLI documentation.

Quick Start

Create ~/.codex/config.toml:

model = "gpt-5-codex"
approval_policy = "untrusted"
sandbox_mode = "read-only"

Configuration Files & Locations

Scope	Location	Purpose	Git Tracked?
Global	`~/.codex/config.toml` (or `$CODEX_HOME/config.toml`)	User defaults, model, approval, MCP servers	No
Per-command	`--config key=value` flags	Override any setting for single command	N/A
Environment	`$CODEX_HOME`	Config location (defaults to `~/.codex`)	No

Authentication Setup

Codex CLI supports two authentication methods for OpenAI API access.

Method 1: ChatGPT OAuth (Interactive)

codex login

This opens your browser to authenticate with ChatGPT. Credentials are stored in:

File storage (default): $CODEX_HOME/auth.json (permissions: 0600)
Keyring storage: OS-level secure storage (see “Control Credential Storage” below)

Method 2: API Key (Programmatic)

For CI/CD, automation, or non-interactive environments:

Get key from OpenAI API dashboard
Store in environment:
```
export OPENAI_API_KEY="sk-proj-..."
```
Codex automatically detects and uses the environment variable

No configuration file changes needed—Codex checks for OPENAI_API_KEY by default.

Restrict authentication methods organization-wide:

forced_login_method = "chatgpt"

forced_login_method = "api"

forced_chatgpt_workspace_id = "00000000-0000-0000-0000-000000000000"

Official managed configuration docs

Control Credential Storage

Choose where authentication credentials are stored:

cli_auth_credentials_store = "file"  # default: auth.json in $CODEX_HOME
cli_auth_credentials_store = "keyring"  # OS-level secure storage (macOS Keychain, Windows Credential Manager, Linux Secret Service)
cli_auth_credentials_store = "auto"  # Try keyring, fallback to file

Model Selection

Option	Type	Default	Purpose
`model`	string	`"gpt-5-codex"` (macOS/Linux), `"gpt-5"` (Windows)	Primary AI model
`model_provider`	string	`"openai"`	Provider from `model_providers` map
`model_context_window`	int	Auto-detected	Context window in tokens
`model_max_output_tokens`	int	Auto-detected	Max response length
`model_reasoning_effort`	string	`"medium"`	Reasoning models: `"minimal"`, `"low"`, `"medium"`, `"high"`
`model_reasoning_summary`	string	`"auto"`	Summary style: `"auto"`, `"concise"`, `"detailed"`, `"none"`
`model_verbosity`	string	`"medium"`	GPT-5 output length: `"low"`, `"medium"`, `"high"`

Example:

model = "gpt-5"
model_reasoning_effort = "high"
model_reasoning_summary = "detailed"
model_verbosity = "low"

Custom Model Providers

Add non-OpenAI providers compatible with OpenAI API:

model = "mistral"
model_provider = "mistral"

[model_providers.mistral]
name = "Mistral AI"
base_url = "https://api.mistral.ai/v1"
env_key = "MISTRAL_API_KEY"
wire_api = "chat"  # or "responses"

Official model provider examples

Safety & Approval Controls

Approval Policy

Controls when Codex prompts for permission before executing commands:

Value	Behavior
`"untrusted"`	Prompt before running commands not in the “trusted” set (default)
`"on-failure"`	Prompt only when sandbox execution fails
`"on-request"`	Model decides when to escalate for permissions
`"never"`	Never prompt; auto-retry on failure (used by `codex exec` subcommand)

Example:

approval_policy = "untrusted"  # safest for interactive use

Sandbox Mode

OS-level execution constraints for model-generated commands:

Mode	Behavior
`"read-only"`	Can read any file; blocks writes and network access (default)
`"workspace-write"`	Can write to current working directory and `$TMPDIR`; network blocked
`"danger-full-access"`	No sandboxing; full disk and network access

Example:

sandbox_mode = "read-only"  # recommended default

[sandbox_workspace_write]
writable_roots = ["/Users/YOU/.pyenv/shims"]  # additional writable paths
network_access = false  # allow network (default: false)
exclude_tmpdir_env_var = false  # exclude $TMPDIR from writable roots
exclude_slash_tmp = false  # exclude /tmp from writable roots

Command-line overrides:

codex --sandbox read-only  # safest
codex --sandbox workspace-write  # development
codex --sandbox danger-full-access  # unrestricted (use with caution)

Official sandbox documentation

MCP Servers & Tool Integration

Configure Model Context Protocol servers for external tool access.

STDIO Servers

Launch MCP servers directly via commands:

[[mcp_servers]]
[mcp_servers.github]
command = "npx"
args = ["-y", "@modelcontextprotocol/server-github"]
env = { GITHUB_PERSONAL_ACCESS_TOKEN = "${GITHUB_TOKEN}" }

startup_timeout_sec = 20  # default: 10
tool_timeout_sec = 30  # default: 60
enabled = true  # default: true
enabled_tools = ["search", "get_file"]  # optional whitelist
disabled_tools = ["delete"]  # optional blacklist
cwd = "/Users/user/code/my-server"  # optional working directory

Streamable HTTP Servers

Connect to HTTP-based MCP servers:

[mcp_servers.figma]
url = "https://mcp.figma.com/mcp"
bearer_token_env_var = "FIGMA_TOKEN"  # optional auth
http_headers = { "X-Custom" = "value" }  # optional static headers
env_http_headers = { "X-Dynamic" = "ENV_VAR" }  # optional env-based headers

For OAuth support (experimental):

experimental_use_rmcp_client = true

Then login: codex mcp login figma

MCP CLI Commands

codex mcp add github -- npx -y @modelcontextprotocol/server-github
codex mcp list  # show configured servers
codex mcp get github  # show server details
codex mcp remove github
codex mcp login figma  # OAuth login for streamable HTTP servers
codex mcp logout figma

Official MCP integration docs

Profiles for Multiple Environments

Define reusable configuration bundles:

model = "gpt-5-codex"
approval_policy = "untrusted"

profile = "o3"

[profiles.o3]
model = "o3"
model_provider = "openai"
approval_policy = "never"
model_reasoning_effort = "high"
model_reasoning_summary = "detailed"

[profiles.gpt3]
model = "gpt-3.5-turbo"
model_provider = "openai-chat-completions"
approval_policy = "untrusted"

Switch profiles:

codex --profile o3  # via command line
profile = "o3"  # in config.toml

Precedence (highest to lowest):

Command-line flags (--model o3)
--profile selection
config.toml root settings
Built-in defaults

Official profiles documentation

Feature Flags

Enable experimental and optional capabilities:

[features]
streamable_shell = true  # streamable exec tool
web_search_request = true  # allow model to request web searches
apply_patch_freeform = false  # freeform apply_patch tool (beta)
view_image_tool = true  # enable image uploads (stable, default: true)
rmcp_client = false  # OAuth for streamable HTTP MCP servers
ghost_commit = false  # create ghost commit each turn
experimental_sandbox_command_assessment = false  # model-based risk assessment

Full feature flag reference

Shell Environment Policy

Control which environment variables are passed to subprocesses:

[shell_environment_policy]
inherit = "core"  # "all", "core", or "none"
ignore_default_excludes = false  # skip KEY/SECRET/TOKEN filter
exclude = ["AWS_*", "AZURE_*"]  # case-insensitive globs
set = { CI = "1" }  # force-set values
include_only = ["PATH", "HOME"]  # whitelist (if provided, only these pass)

Official environment policy docs

History & Session Tracking

[history]
persistence = "save-all"  # or "none" to disable

Messages are saved to $CODEX_HOME/history.jsonl (permissions: 0600).

AGENTS.md Discovery

Codex automatically discovers project-specific instructions from AGENTS.md files:

project_doc_max_bytes = 32768  # max bytes to read (default: 32 KiB)
project_doc_fallback_filenames = ["CLAUDE.md", ".exampleagentrules.md"]  # fallback names

AGENTS.md documentation

Observability & Telemetry

OpenTelemetry Export

Export structured events to OTLP collectors:

[otel]
environment = "staging"  # defaults to "dev"
exporter = "none"  # or otlp-http, otlp-grpc
log_user_prompt = false  # redact prompt text by default

exporter = { otlp-http = {
  endpoint = "https://otel.example.com/v1/logs",
  protocol = "binary",
  headers = { "x-otlp-api-key" = "${OTLP_TOKEN}" }
}}

exporter = { otlp-grpc = {
  endpoint = "https://otel.example.com:4317",
  headers = { "x-otlp-meta" = "abc123" }
}}

Events emitted: codex.conversation_starts, codex.api_request, codex.sse_event, codex.user_prompt, codex.tool_decision, codex.tool_result

Official OTEL documentation

Custom Notification Script

Execute a program on agent events:

notify = ["python3", "/Users/you/.codex/notify.py"]

Your script receives JSON argument:

{
  "type": "agent-turn-complete",
  "thread-id": "b5f6c1c2-...",
  "turn-id": "12345",
  "cwd": "/Users/alice/projects/example",
  "input-messages": ["Rename foo to bar"],
  "last-assistant-message": "Rename complete."
}

TUI Desktop Notifications

[tui]
notifications = true  # enable all notifications
notifications = ["agent-turn-complete", "approval-requested"]

Note: Requires terminal with escape code support (iTerm2, Ghostty, WezTerm; not macOS Terminal.app or VS Code terminal).

Hide/Show Reasoning

hide_agent_reasoning = true  # suppress reasoning events (default: false)
show_raw_agent_reasoning = true  # show raw chain-of-thought (default: false)

Best Practices

✅ Do:

Store API keys in environment variables (never commit credentials)
Use approval_policy = "untrusted" for interactive development
Set sandbox_mode = "read-only" or "workspace-write" (avoid "danger-full-access")
Use profiles for different environments/models
Document MCP servers and their environment variables in project README
Run codex mcp list to verify MCP server configuration
Keep $CODEX_HOME/config.toml minimal; override per-command when needed
Use AGENTS.md for project-specific instructions

❌ Don’t:

Commit auth.json or API keys to version control
Set sandbox_mode = "danger-full-access" without understanding risks
Use approval_policy = "never" in interactive sessions (reserved for codex exec)
Mix authentication methods without testing
Ignore MCP server startup failures
Disable view_image_tool if you need screenshot analysis

Troubleshooting & Validation

Check configuration:

cat ~/.codex/config.toml | toml-lint

Common issues:

Problem	Solution
”API key invalid” error	Verify `OPENAI_API_KEY` is set: `echo $OPENAI_API_KEY`
”Not authenticated” error	Run `codex login` for ChatGPT OAuth
TOML syntax error	Use https://www.toml-lint.com/ to validate syntax
MCP server fails to start	Check command path: `which npx` and test: `npx -y @modelcontextprotocol/server-github --help`
MCP server timeout	Increase `startup_timeout_sec` in MCP server config
”Permission denied” in sandbox	Check `sandbox_mode` setting; use `workspace-write` for write access
Approval prompts too frequent	Change `approval_policy` to `"on-request"` or `"on-failure"`

Debug logging:

ls ~/.codex/*.log

MCP troubleshooting:

codex mcp list  # show all configured servers
codex mcp get github  # show specific server details
codex mcp remove github  # remove broken server
codex mcp add github -- npx -y @modelcontextprotocol/server-github  # re-add

Additional Resources

Codex CLI Official Configuration Documentation – Complete reference for all settings
Codex CLI Sandbox & Approvals Guide – In-depth safety controls
AGENTS.md Discovery Documentation – Project-specific instructions
Codex CLI Exec Command Guide – Non-interactive execution
Model Context Protocol Documentation – MCP specification and servers
OpenAI Platform Documentation – API keys and model details
OpenAI Codex Security Guide – Enterprise managed configuration

Last updated: 2025-11-12

Configuration Playbook

Cursor

Overview

Configure Cursor AI code editor for intelligent completion, targeted edits, and agentic development. For comprehensive feature details, see the official Cursor documentation.

Quick Start

Access settings via:

Ctrl/⌘ + Shift + J  (Cursor Settings)
OR
Ctrl/⌘ + Shift + P → "Cursor Settings"

Basic settings in Cursor Settings UI:

Models: Select AI models (GPT-4o, Claude, cursor-small, custom)
Features: Enable/disable Tab, Chat, long context
Beta: Experimental features like Long Context Chat

Configuration Files & Locations

Scope	Location	Purpose	Git Tracked?
Cursor Settings	Ctrl/⌘ + Shift + J	Cursor-specific settings (models, features, API keys)	No
VS Code Settings	Ctrl/⌘ + ,	IDE settings (keybindings, themes, extensions)	No
VS Code Settings File	`~/Library/Application Support/Cursor/User/settings.json` (macOS)	Direct JSON editing (advanced)	No
Project Rules	`.cursorrules`	Project-specific AI instructions	Yes
Ignore Files	`.cursorignore`	Files to exclude from AI context	Yes

Windows/Linux path: %APPDATA%/Cursor/User/settings.json

Authentication Setup

Cursor uses account-based authentication for AI features and settings sync.

Click “Sign in” in Cursor (top-left corner)
Browser opens for authentication at cursor.com
Credentials stored securely in system keychain
Settings sync enabled automatically

Plans Available:

Free: Limited fast requests
Pro: $20/month, unlimited fast requests
Teams: Collaborative features
Enterprise: SSO, admin controls

Enterprise SSO

For Teams and Enterprise customers:

SAML/OIDC integration
Centralized management via Cursor dashboard
Admin-enforced rules and commands

Sign Out

Access via Command Palette:

Ctrl/⌘ + Shift + P → "Sign Out"

Model Selection

Configure AI models through Cursor Settings → Models:

Model	Purpose	Context
GPT-4o	High-quality responses, general coding	Standard
GPT-4	Previous generation, reliable	Standard
Claude 3.5 Sonnet	Anthropic model, strong reasoning	Standard
cursor-small	Fast, unlimited access (custom model)	Standard
gpt-4o-128k	Extended context window	128k tokens
gemini-1.5-flash-500k	Google model, massive context	500k tokens
claude-3-haiku-200k	Fast Anthropic model, long context	200k tokens
claude-3-sonnet-200k	Balanced Anthropic model	200k tokens
claude-3.5-sonnet-200k	Latest Anthropic model	200k tokens

Model Selection:

Access via Ctrl/⌘ + K or dropdown below AI input box
Add custom models: Cursor Settings → Models → Model Names

Context Window Limitations:

Standard chat: ~20,000 tokens (or model max if less)
Cmd+K: ~10,000 tokens (optimized for speed)
Long context chat: Full model context window (enable in Beta settings)

Official model documentation

API Keys (Bring Your Own Model)

Configure custom API keys through Cursor Settings → Models:

OpenAI API Key

Cursor Settings → Models → OpenAI API Key
Enter your key → Click "Verify"

Note: API key is sent to Cursor server with each request for prompt building.

Anthropic API Key

Cursor Settings → Models → Anthropic API Key
Enter your key to enable Claude models

Enables Claude-based models at your cost. Key transmitted to Cursor server.

Azure API Key

Cursor Settings → Models → Azure API Key
Configure to use Azure OpenAI models

Google API Key

Cursor Settings → Models → Google API Key
Example model: gemini-1.5-flash-500k

Official API key documentation

Chat Configuration

Configure Chat behavior through Cursor Settings → Features → Chat:

Setting	Purpose	Default
Always search the web	AI browses web for up-to-date information	Disabled
Add chat fading animation	Smooth animation for AI messages	Enabled
Default to no context	Use only user message (no file context)	Disabled
Auto scroll chat	Auto-scroll during AI generation	Enabled
Narrow scrollbar	Adjust scrollbar width	Enabled
Show chat history	Display history when starting new chat	Enabled

Official chat customization docs

Tab Completion Configuration

Enable advanced Tab features through Cursor Settings → Features → Cursor Tab:

Partial Accepts

Accept parts of suggestions (e.g., next word):

Keybinding: Ctrl/⌘ + Right Arrow
Navigate to: Cursor Settings → Features → Cursor Tab
Set: editor.action.inlineSuggest.acceptNextWord

Cursor Prediction

Cursor predicts next edit location after accepting changes. Press Tab to move through sequential edits.

Tab in Peek Views

Use Tab functionality in “Go to Definition” or “Go to Type Definition” peek views. Especially useful with Vim’s gd command to fix all usages efficiently.

Official Tab documentation

Project-Specific AI Rules

Create a .cursorrules file in your project root to define custom AI instructions:


Use TypeScript for all new files.
Write tests for all functions.
Follow Material-UI design patterns.
Prefer functional components over class components.

Usage:

Instructions apply to Cursor Chat and Ctrl/⌘ K
Project-specific, committed to version control
Plain text format, one instruction per line

Official rules documentation

Ignore Files (.cursorignore)

Exclude files/directories from Cursor’s AI context using .cursorignore:


dist/

*.log

config.json

node_modules/

Syntax: Same as .gitignore (supports wildcards and directory patterns)

Official ignore files documentation

Long Context Chat

Enable larger context windows for complex tasks:

Cursor Settings → Beta → Long Context Chat

Toggle modes: Ctrl/⌘ + .

Context Limits:

Standard chat: ~20,000 tokens
Long context: Full model window (up to 500k for gemini-1.5-flash-500k)

Long Context Models:

gpt-4o-128k
gemini-1.5-flash-500k
claude-3-haiku-200k
claude-3-sonnet-200k
claude-3.5-sonnet-200k

Context Symbols (@-mentions)

Reference specific context in Chat or Cmd+K:

Symbol	Purpose
`@Files`	Include specific files
`@Folders`	Include folder contents
`@Code`	Include code definitions
`@Docs`	Include documentation
`@Web`	Include web search results
`@Git`	Include git information
`@Codebase`	Include codebase search results

Cmd K Chunking Strategies:

auto: Automatically selects strategy based on file size
full file: Uses entire file as context
outline: Parses file outline
chunks: Selects most relevant chunk

Official context documentation

Keyboard Shortcuts

Shortcut	Action
`Ctrl/⌘ + L`	Open/focus Chat (toggle AI pane)
`Ctrl/⌘ + K`	Targeted code generation
`Tab`	Accept inline completion
`Esc`	Reject suggestion
`Ctrl/⌘ + →`	Accept next word (partial accept)
`Ctrl/⌘ + Enter`	Accept code changes
`Ctrl/⌘ + Backspace`	Reject code changes
`Ctrl/⌘ + Shift + E`	AI fix for linter errors
`Ctrl/⌘ + Alt + L`	Access chat history
`Ctrl/⌘ + .`	Toggle chat modes (with long context enabled)
`Ctrl/⌘ + Shift + J`	Open Cursor Settings
`Ctrl/⌘ + Shift + P`	Command Palette

VS Code Settings Integration

Cursor automatically imports VS Code settings:

Extensions: Installed extensions migrate automatically
Themes: Color and icon themes
Keybindings: Custom shortcuts
Workspace settings: Project-specific configurations

Manual Import:

Cursor Settings → Import from VS Code

Change Activity Bar Orientation:

Open VS Code settings (Ctrl/⌘ + ,)
Set "workbench.activityBar.orientation" to "vertical"
Restart Cursor

Official migration guide

Best Practices

✅ Do:

Use .cursorrules to document project coding standards
Enable Long Context Chat for complex tasks requiring large context
Store API keys securely (use Cursor Settings UI, not plain text files)
Commit .cursorrules and .cursorignore to version control
Use @Files and @Code symbols to provide precise context
Review AI changes in diff view before accepting (Ctrl/⌘ + Enter)
Use Tab for quick completions, Cmd+K for targeted changes, Chat for complex tasks
Enable partial accepts for granular control over suggestions

❌ Don’t:

Commit API keys to version control
Use web search for every query (enable only when needed)
Accept all AI suggestions without review
Ignore .cursorignore for sensitive files
Mix VS Code and Cursor settings files (use appropriate UI)
Disable Long Context Chat if working with large codebases

Troubleshooting & Validation

Access Developer Tools:

Ctrl/⌘ + Shift + P → "Developer: Open DevTools"

Check Logs:

macOS/Linux: ~/.cursor/logs/
Windows: C:\Users\<user-name>\AppData\Roaming\Cursor\logs

Common Issues:

Problem	Solution
OAuth doesn’t open browser	Check firewall settings; try signing out and back in
API key invalid	Verify key in Cursor Settings → Models → Click “Verify”
Suggestions not appearing	Enable Cursor Tab in Cursor Settings → Features
Chat history missing	Enable “Show chat history” in Cursor Settings → Features → Chat
High token usage	Disable “Always search the web” unless needed
Context too large	Use `.cursorignore` to exclude large files/directories
Settings not syncing	Verify sign-in status; check network connection

Disable HTTP/2 (for corporate proxy issues):

{
  "cursor.general.disableHttp2": true
}

Add to VS Code settings file.

Sign Out of GitHub:

Ctrl/⌘ + Shift + P → Sign out of GitHub

Useful for resolving authentication issues.

Log File Locations

OS	Path
macOS	`~/.cursor/logs/`
Linux	`~/.cursor/logs/`
Windows	`C:\Users\<user-name>\AppData\Roaming\Cursor\logs`

Additional Resources

Cursor Official Documentation – Complete feature guides and API references
Cursor Homepage – Product overview and downloads
Cursor Pricing – Free, Pro, Teams, Enterprise plans
Cursor Changelog – Latest features and updates (2.0 features)
Cursor Forum – Community discussions and support
Model Context Protocol Documentation – MCP specification (if integrating custom tools)
VS Code Documentation – Base editor features and extensions

Last updated: 2025-11-12

Configuration Playbook

Gemini CLI

Overview

Configure Google’s Gemini CLI for AI-assisted development workflows. For comprehensive feature documentation, see official Gemini CLI documentation.

Quick Start

Create ~/.gemini/settings.json:

{
  "model": {
    "name": "gemini-2.5-flash"
  },
  "tools": {
    "sandbox": true,
    "autoAccept": false
  },
  "privacy": {
    "usageStatisticsEnabled": false
  }
}

Configuration Files & Locations

Scope	Location	Purpose	Git Tracked?
System Defaults	`/etc/gemini-cli/system-defaults.json` (Linux/macOS)	Base system-wide defaults (lowest precedence)	No
User Settings	`~/.gemini/settings.json`	Personal configuration for all projects	No
Project Settings	`.gemini/settings.json`	Project-specific configuration	Yes
System Overrides	`/etc/gemini-cli/settings.json` (Linux/macOS)	Admin overrides (highest precedence)	No

Configuration precedence (higher numbers override lower):

Default values (hardcoded)
System defaults file
User settings file
Project settings file
System settings file
Environment variables
Command-line arguments

Authentication Setup

Gemini CLI supports multiple authentication methods for accessing Gemini and Vertex AI APIs.

Method 1: Gemini API Key (Simplest)

Set environment variable:

export GEMINI_API_KEY="your-api-key-here"

Or add to .env file in project root:

GEMINI_API_KEY=your-api-key-here

Method 2: Google Cloud Application Default Credentials

For Vertex AI access:

gcloud auth application-default login

Set required environment variables:

export GOOGLE_CLOUD_PROJECT="your-project-id"
export GOOGLE_CLOUD_LOCATION="us-central1"

Method 3: Service Account (CI/CD)

For automation environments:

export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"
export GOOGLE_CLOUD_PROJECT="your-project-id"
export GOOGLE_CLOUD_LOCATION="us-central1"

See official authentication documentation for all available methods.

Model Selection

Configure which Gemini model to use and inference parameters.

Option	Type	Default	Purpose
`model.name`	string	undefined	Primary model (e.g., “gemini-2.5-pro”, “gemini-2.5-flash”)
`model.maxSessionTurns`	number	-1	Max conversation turns (-1 = unlimited)
`model.compressionThreshold`	number	0.2	Context compression trigger (0.0-1.0)

Example:

{
  "model": {
    "name": "gemini-2.5-pro",
    "maxSessionTurns": 20,
    "compressionThreshold": 0.3
  }
}

Command-line override:

gemini --model gemini-2.5-flash
gemini -m gemini-2.5-flash

Environment variable:

export GEMINI_MODEL="gemini-2.5-flash"

See official model documentation for available models.

Tool Configuration

Controls built-in tools like file operations, shell commands, and web access.

Option	Type	Default	Purpose
`tools.sandbox`	boolean/string	undefined	Enable sandbox (true/false/“docker”/“podman”/path)
`tools.autoAccept`	boolean	false	Auto-approve read-only operations
`tools.allowed`	array	undefined	Tool allowlist bypassing confirmation
`tools.exclude`	array	undefined	Tools to disable
`tools.core`	array	undefined	Restrict built-in tools to allowlist

Example:

{
  "tools": {
    "sandbox": "docker",
    "autoAccept": false,
    "allowed": [
      "run_shell_command(git)",
      "run_shell_command(npm test)"
    ],
    "exclude": ["web_search"]
  }
}

Command-line flags:

gemini --sandbox
gemini -s

gemini --approval-mode auto_edit  # auto-approve edits only
gemini --approval-mode yolo       # auto-approve everything
gemini --approval-mode default    # prompt for all

gemini --allowed-tools "run_shell_command(git status),read_file"

See official tools documentation for all built-in tools.

MCP Servers

Configure in mcpServers section of settings.json:

{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
      }
    },
    "postgres": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-postgres"],
      "env": {
        "POSTGRES_CONNECTION_STRING": "${DB_URL}"
      },
      "trust": true,
      "includeTools": ["query", "schema"]
    },
    "custom-api": {
      "httpUrl": "https://api.example.com/mcp",
      "headers": {
        "Authorization": "Bearer ${API_TOKEN}"
      },
      "timeout": 30000
    }
  }
}

MCP server configuration options:

Option	Type	Purpose
`command`	string	Command to start MCP server via stdio
`args`	array	Arguments for command
`env`	object	Environment variables (supports `${VAR}` syntax)
`cwd`	string	Working directory for server
`url`	string	SSE endpoint URL
`httpUrl`	string	HTTP streaming endpoint URL
`headers`	object	HTTP headers for url/httpUrl
`timeout`	number	Request timeout (milliseconds)
`trust`	boolean	Bypass tool confirmation for this server
`includeTools`	array	Tool allowlist from this server
`excludeTools`	array	Tools to exclude from this server

Global MCP control:

{
  "mcp": {
    "allowed": ["github", "postgres"],
    "excluded": ["untrusted-server"]
  }
}

Command-line:

gemini --allowed-mcp-server-names github,postgres

See official MCP documentation for details.

Context Files (GEMINI.md)

Provide project-specific instructions via hierarchical Markdown context files.

Default filename: GEMINI.md (configurable via context.fileName)

Loading hierarchy (more specific overrides more general):

~/.gemini/GEMINI.md - Global user context
Parent directories up to project root - Broad project context
Current directory and subdirectories - Specific component context

Example GEMINI.md:

Coding Style

Use 2 spaces for indentation
Prefer functional programming
All functions require JSDoc comments

File Conventions

Interface names prefixed with I (e.g., IUserService)
Private class members prefixed with _
Test files: *.spec.ts

Component: src/api/client.ts

Use fetchWithRetry for all GET requests
Include error logging for API failures


**Configuration options**:

| Option | Type | Default | Purpose |
|--------|------|---------|---------|
| `context.fileName` | string/array | undefined | Context file name(s) to load |
| `context.discoveryMaxDirs` | number | 200 | Max directories to search |
| `context.includeDirectories` | array | [] | Additional directories for context |
| `context.fileFiltering.respectGitIgnore` | boolean | true | Honor .gitignore when scanning |
| `context.fileFiltering.respectGeminiIgnore` | boolean | true | Honor .geminiignore when scanning |

**Commands**:
```bash
/memory show

/memory refresh

See official context documentation for details.

UI & Display

Customize terminal appearance and behavior.

Option	Type	Default	Purpose
`ui.theme`	string	undefined	Color theme name
`ui.hideFooter`	boolean	false	Hide status footer
`ui.hideBanner`	boolean	false	Hide startup banner
`ui.hideTips`	boolean	false	Hide helpful tips
`ui.useFullWidth`	boolean	true	Use entire terminal width
`ui.showLineNumbers`	boolean	false	Show line numbers in chat

Example:

{
  "ui": {
    "theme": "GitHub",
    "hideBanner": true,
    "hideTips": true,
    "useFullWidth": false
  },
  "general": {
    "vimMode": true,
    "preferredEditor": "code"
  }
}

Command-line:

gemini --screen-reader

See official themes documentation for available themes.

Privacy & Telemetry

Control usage data collection.

Option	Type	Default	Purpose
`privacy.usageStatisticsEnabled`	boolean	true	Enable anonymous usage statistics
`telemetry.enabled`	boolean	false	Enable detailed telemetry
`telemetry.target`	string	undefined	Telemetry destination (“local” or “gcp”)
`telemetry.logPrompts`	boolean	false	Include prompt content in logs

Example:

{
  "privacy": {
    "usageStatisticsEnabled": false
  }
}

Environment variables:

export GEMINI_TELEMETRY_ENABLED=false

See official telemetry documentation for details on what’s collected.

Sandboxing

Execute tools in isolated environments for security.

Configuration:

{
  "tools": {
    "sandbox": true  // or "docker", "podman", or path to profile
  }
}

Custom sandbox with Dockerfile:

Create .gemini/sandbox.Dockerfile in project root:

FROM gemini-cli-sandbox

RUN apt-get update && apt-get install -y python3-pip
RUN pip3 install pytest pandas

COPY ./requirements.txt /app/
RUN pip3 install -r /app/requirements.txt

Build and run:

BUILD_SANDBOX=1 gemini -s

Environment variable:

export GEMINI_SANDBOX=true
export GEMINI_SANDBOX=docker

See official sandbox documentation for advanced configurations.

Environment Variables

Key environment variables for configuration.

Variable	Purpose	Example
`GEMINI_API_KEY`	Gemini API authentication	`export GEMINI_API_KEY="sk_..."`
`GOOGLE_CLOUD_PROJECT`	GCP project ID for Vertex AI	`export GOOGLE_CLOUD_PROJECT="my-project"`
`GOOGLE_CLOUD_LOCATION`	GCP region for Vertex AI	`export GOOGLE_CLOUD_LOCATION="us-central1"`
`GOOGLE_APPLICATION_CREDENTIALS`	Service account credentials	`export GOOGLE_APPLICATION_CREDENTIALS="/path/to/creds.json"`
`GEMINI_MODEL`	Default model	`export GEMINI_MODEL="gemini-2.5-pro"`
`GEMINI_SANDBOX`	Enable sandbox	`export GEMINI_SANDBOX=true`
`GEMINI_TELEMETRY_ENABLED`	Enable telemetry	`export GEMINI_TELEMETRY_ENABLED=false`

.env file loading order:

.env in current directory
Search upward to project root (identified by .git)
~/.env in home directory

Example .env:

GEMINI_API_KEY=your-api-key
GOOGLE_CLOUD_PROJECT=my-project-id
GOOGLE_CLOUD_LOCATION=us-central1

See official environment variables documentation for complete list.

Best Practices

✅ Do:

Store API keys in environment variables or .env files (git-ignored)
Use project settings (.gemini/settings.json) for team-shared configuration
Use user settings (~/.gemini/settings.json) for personal preferences
Document configuration decisions in project README
Use GEMINI.md files for project-specific instructions
Enable sandbox mode for untrusted operations
Version control .gemini/settings.json for team consistency

❌ Don’t:

Commit API keys or credentials to version control
Use global settings for project-specific needs
Ignore .gemini directory in .gitignore (only ignore .gemini/.local.json)
Mix authentication methods without clear documentation
Disable sandbox mode with --yolo in production environments

Validation & Troubleshooting

Validate settings:

The CLI validates settings automatically on startup. Check for schema errors in the output.

View current configuration:

/settings show

/memory show

Debug mode:

gemini --debug
export DEBUG=true
gemini

Common issues:

Issue	Solution
”Authentication failed”	Verify `GEMINI_API_KEY` or run `gcloud auth application-default login`
”Model not found”	Check `model.name` in settings or `GEMINI_MODEL` env var
MCP server fails to connect	Verify command path, check `env` variables, review `timeout` setting
Context files not loading	Run `/memory refresh`, check `context.discoveryMaxDirs`
Sandbox build fails	Verify Docker installed, check `.gemini/sandbox.Dockerfile` syntax

Schema validation:

Use JSON schema for autocomplete and validation in your editor:

{
  "$schema": "https://raw.githubusercontent.com/google-gemini/gemini-cli/main/schemas/settings.schema.json",
  "model": {
    "name": "gemini-2.5-flash"
  }
}

See official troubleshooting documentation for detailed debugging.

Additional Resources

Official Gemini CLI Documentation – Complete feature guide
Configuration Reference – Exhaustive settings options
Authentication Guide – All auth methods
MCP Server Integration – External tool setup
Built-in Tools – Available CLI tools
Enterprise Configuration – Team/admin setup
GitHub Repository – Source code and examples
Settings Schema – JSON validation schema

Last updated: 2025-11-12

Configuration Playbook

GitHub Copilot

Overview

Configure GitHub Copilot across IDE extensions and enterprise deployments.

Quick Start

VS Code settings (~/.config/Code/User/settings.json or settings.json in workspace):

{
  "github.copilot.enable": {
    "*": true,
    "plaintext": false
  },
  "github.copilot.chat.enabled": true,
  "github.copilot.advanced": {
    "authorizationFallback": true
  }
}

Configuration Files & Locations

Scope	Location	Purpose	Git Tracked?
Global (VS Code)	`~/.config/Code/User/settings.json`	User preferences, keybindings	No
Workspace	`.vscode/settings.json`	Team shared Copilot settings	Yes
Enterprise	GitHub Admin portal	Organization policy enforcement	N/A
MCP Config (Personal)	VS Code `settings.json`	User-level MCP servers	No
MCP Config (Project)	`.vscode/mcp.json`	Project MCP servers (shared with team)	Yes
JetBrains MCP	`mcp.json` in IDE config	JetBrains-specific MCP configuration	No

Authentication Setup

GitHub Copilot uses GitHub account login with OAuth.

VS Code / JetBrains IDEs

Install GitHub Copilot extension
Click “Sign in to GitHub” in extension
Browser opens for OAuth flow
Authorize extension access
Token stored securely in IDE credential store (auto-refreshed)

GitHub CLI

gh auth login
gh auth setup-git

Copilot can access GitHub CLI authentication automatically.

Enterprise SSO

For organization-managed users:

Go to GitHub → Settings → Developer settings → Authorizations
Enterprise may enforce specific OAuth app
Token syncs from GitHub SAML/SSO provider

IDE Configuration

VS Code

Option	Type	Default	Purpose
`github.copilot.enable`	object	true	Enable per language type
`github.copilot.chat.enabled`	boolean	true	Enable chat sidebar
`github.copilot.advanced.authorizationFallback`	boolean	true	Use GitHub CLI auth as fallback

Example workspace config:

{
  "github.copilot.enable": {
    "*": true,
    "plaintext": false,
    "markdown": false,
    "yaml": false
  },
  "github.copilot.chat.enabled": true,
  "github.copilot.voice.enabled": false
}

JetBrains IDEs

Via IDE Settings pane:

GitHub Copilot → Toggle “Show Copilot in editor”
GitHub Copilot Chat → Configure chat panel location
Advanced → Set API timeout and max retries

Vim/Neovim

Configure via Vim plugin settings. See GitHub Copilot.vim documentation for configuration options.

Example configuration in .vimrc or init.vim:

" Enable Copilot for specific filetypes
let g:copilot_filetypes = {
\ '*': v:true,
\ 'markdown': v:false,
\ }

" Customize keybindings
imap <silent><script><expr> <C-J> copilot#Accept("\<CR>")

Enterprise Controls

GitHub Organization admins can enforce policies via Admin portal:

Policy	Options	Purpose
Copilot Chat	Disabled / Enabled	Allow/block chat feature
Copilot CLI	Disabled / Enabled	Allow/block CLI access
Copilot Voice	Disabled / Enabled	Allow/block voice input
Suggestion Delay	Default / Custom	Minimum suggestion latency
Audit Logging	Off / On	Track Copilot usage

Workspace enforcement (via .vscode/settings.json):

{
  "github.copilot.enable": {
    "*": true
  },
  "[python]": {
    "github.copilot.enable": true
  }
}

MCP Servers & Tool Integration

Configure MCP servers for GitHub Copilot to access external tools and services.

VS Code - Personal MCP Configuration

Add to settings.json for user-level MCP servers:

{
  "github.copilot.mcp.servers": [
    {
      "serverID": "github-mcp",
      "serverUrl": "https://api.githubcopilot.com/mcp/"
    }
  ]
}

Or enable automatic discovery of existing MCP configurations:

{
  "chat.mcp.discovery.enabled": true
}

VS Code - Project MCP Configuration

Create .vscode/mcp.json in repository root to share MCP servers with team:

{
  "inputs": [
    {
      "type": "promptString",
      "id": "github_token",
      "description": "GitHub Personal Access Token",
      "password": true
    }
  ],
  "servers": {
    "github": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-e",
        "GITHUB_PERSONAL_ACCESS_TOKEN",
        "ghcr.io/github/github-mcp-server"
      ],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "${input:github_token}"
      }
    }
  }
}

JetBrains IDEs - MCP Configuration

Local MCP Server (using NPM):

{
  "servers": {
    "memory": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-memory"
      ]
    }
  }
}

Remote MCP Server (OAuth):

{
  "servers": {
    "github": {
      "type": "http",
      "url": "https://api.githubcopilot.com/mcp/"
    }
  }
}

Remote MCP Server (PAT authentication):

{
  "servers": {
    "github": {
      "url": "https://api.githubcopilot.com/mcp/",
      "requestInit": {
        "headers": {
          "Authorization": "Bearer YOUR_PAT_HERE"
        }
      }
    }
  }
}

MCP Server Configuration for Coding Agent

For GitHub Copilot Coding Agent, configure MCP servers with specific tools and environment variables:

{
  "mcpServers": {
    "sentry": {
      "type": "local",
      "command": "npx",
      "args": ["@sentry/mcp-server@latest", "--host=$SENTRY_HOST"],
      "tools": ["get_issue_details", "get_issue_summary"],
      "env": {
        "SENTRY_HOST": "https://contoso.sentry.io",
        "SENTRY_ACCESS_TOKEN": "COPILOT_MCP_SENTRY_ACCESS_TOKEN"
      }
    }
  }
}

MCP Configuration Guide: See official MCP documentation for complete setup instructions.

Copilot Chat Commands

Use slash commands in Copilot Chat for specific tasks:

Command	Purpose
`/explain`	Explain selected code
`/test`	Generate tests for code
`/fix`	Suggest fixes for errors
`/doc`	Generate documentation
`@workspace`	Reference entire workspace context
`@github`	Reference GitHub issues and PRs

These commands provide targeted assistance within the Copilot Chat interface.

Best Practices

✅ Do:

Keep GitHub token current; re-authenticate periodically
Use workspace-level .vscode/settings.json for team consistency
Enable audit logging in enterprise deployments
Scope Copilot suggestions with “Brush” filters for quality code
Review Copilot suggestions before accepting (especially in security-sensitive code)
Document approved Copilot settings in team onboarding

❌ Don’t:

Share GitHub tokens or auth credentials
Accept all Copilot suggestions blindly
Disable enterprise security policies
Mix personal and work GitHub accounts
Rely on Copilot for security-critical code without review

Troubleshooting & Validation

Verify authentication:

gh auth status

Common issues:

Problem	Solution
”Copilot not authorized”	VS Code: Sign out/in Copilot; GitHub CLI: `gh auth refresh`
No suggestions appearing	Check file language is supported; wait 1-2s for suggestions
Enterprise policy blocks Copilot	Verify org admin hasn’t disabled feature; check audit logs
MCP server not recognized	Reload VS Code window: `Cmd+Shift+P` → “Reload Window”

Debug mode:

VS Code:

Open output panel: Cmd+Shift+U
Select “GitHub Copilot” from dropdown
Check for auth, connection, and suggestion errors

JetBrains:

Help → Diagnostics → Show Log in Finder
Search logs for “Copilot” entries

Additional Resources

Last updated: 2025-11-12

Configuration Playbook

Qwen Code

Overview

Configure Qwen Code for AI-powered command-line development workflows. Qwen Code is adapted from Gemini CLI and optimized for Qwen3-Coder models.

Quick Start

Create ~/.qwen/settings.json:

{
  "model": {
    "name": "qwen3-coder-plus"
  },
  "tools": {
    "approvalMode": "plan",
    "sandbox": "docker"
  }
}

Configuration Files & Locations

Scope	Location	Purpose	Git Tracked?
Global	`~/.qwen/settings.json`	User defaults, model, MCP servers	No
User Environment	`~/.qwen/.env`	Global API keys and credentials	No
Project Environment	`.qwen/.env`	Project-specific API keys	No
Subagents	`~/.qwen/agents/`	Specialized agent configurations	No
Custom Commands	`~/.qwen/commands/*.toml`	Custom slash commands	Yes
Context Files	`QWEN.md`	Project documentation (hierarchical loading)	Yes

Authentication Setup

Qwen Code supports multiple authentication methods. Qwen OAuth is recommended for free tier access.

Method 1: Qwen OAuth (🚀 Recommended - Free)

Free tier: 2,000 requests/day, 60 requests/minute

Run: qwen
Browser opens automatically for authentication
Login with your qwen.ai account
Credentials cached automatically in ~/.qwen/

Switch to Qwen OAuth (if already using OpenAI-compatible mode):

/auth

Method 2: OpenAI-Compatible API

User-wide configuration (~/.qwen/.env):

mkdir -p ~/.qwen
cat >> ~/.qwen/.env <<'EOF'
OPENAI_API_KEY="your-api-key"
OPENAI_BASE_URL="https://dashscope.aliyuncs.com/compatible-mode/v1"
OPENAI_MODEL="qwen3-coder-plus"
EOF

Project-specific configuration (.qwen/.env):

mkdir -p .qwen
cat >> .qwen/.env <<'EOF'
OPENAI_API_KEY="your-api-key"
OPENAI_BASE_URL="https://api-inference.modelscope.cn/v1"
OPENAI_MODEL="Qwen/Qwen3-Coder-480B-A35B-Instruct"
EOF

Environment variables:

export OPENAI_API_KEY="your_api_key_here"
export OPENAI_BASE_URL="your_api_endpoint"  # Optional
export OPENAI_MODEL="your_model_choice"     # Optional

API Provider Options

Mainland China (Free Options):

ModelScope (2,000 free calls/day):

OPENAI_BASE_URL="https://api-inference.modelscope.cn/v1"
OPENAI_MODEL="Qwen/Qwen3-Coder-480B-A35B-Instruct"

Alibaba Cloud Bailian:

OPENAI_BASE_URL="https://dashscope.aliyuncs.com/compatible-mode/v1"
OPENAI_MODEL="qwen3-coder-plus"

International Users:

OpenRouter (free tier available):

OPENAI_BASE_URL="https://openrouter.ai/api/v1"
OPENAI_MODEL="qwen/qwen3-coder:free"

Alibaba Cloud ModelStudio:

OPENAI_BASE_URL="https://dashscope-intl.aliyuncs.com/compatible-mode/v1"
OPENAI_MODEL="qwen3-coder-plus"

Model & Core Configuration

Configure model and general settings in ~/.qwen/settings.json:

{
  "general": {
    "vimMode": true,
    "preferredEditor": "code"
  },
  "ui": {
    "theme": "GitHub",
    "hideBanner": false,
    "hideTips": false
  },
  "model": {
    "name": "qwen3-coder-plus",
    "maxSessionTurns": 10
  }
}

Model Settings

Option	Type	Default	Purpose
`model.name`	string	auto-detected	AI model name
`model.maxSessionTurns`	int	10	Max conversation turns
`model.summarizeToolOutput`	object	{}	Token budget for tool outputs

Session Token Management

Configure session limits:

{
  "sessionTokenLimit": 32000
}

Session commands:

/compress - Compress conversation history to save tokens
/clear - Clear all conversation history
/stats - Check current token usage and limits

Tools & Approval Configuration

Configure tool behavior and approval modes:

{
  "tools": {
    "approvalMode": "plan",
    "sandbox": "docker",
    "discoveryCommand": "bin/get_tools",
    "callCommand": "bin/call_tool",
    "exclude": ["dangerous_tool"]
  }
}

Approval Modes

Mode	Behavior	Use Case
`default`	Ask for confirmation before each action	Safest option
`auto-edit`	Auto-approve file edits, ask for commands	Development workflow
`yolo`	Execute all actions without confirmation	Trusted automation
`plan`	Show plan, then execute with confirmation	Review before execution

Sandbox Configuration

Enable sandboxing in settings.json:

{
  "tools": {
    "sandbox": "docker"
  }
}

Or via environment variable:

export GEMINI_SANDBOX=true
qwen -p "run the test suite"

Custom sandbox flags (Podman):

export SANDBOX_FLAGS="--security-opt label=disable"

Tool Filtering

Exclude specific tools:

{
  "tools": {
    "exclude": ["write_file", "delete_file"]
  }
}

MCP Servers & Tool Integration

Configure MCP servers in ~/.qwen/settings.json:

{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {
        "GITHUB_TOKEN": "$GITHUB_PERSONAL_ACCESS_TOKEN"
      },
      "trust": true
    },
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"],
      "timeout": 30000,
      "trust": false
    }
  }
}

MCP Server Types

Stdio Transport (local servers):

{
  "mcpServers": {
    "pythonServer": {
      "command": "python",
      "args": ["-m", "my_mcp_server", "--port", "8080"],
      "cwd": "./mcp-servers/python",
      "env": {
        "API_KEY": "$EXTERNAL_API_KEY"
      },
      "timeout": 15000
    }
  }
}

Docker Transport:

{
  "mcpServers": {
    "dockerizedServer": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "API_KEY",
        "-v", "${PWD}:/workspace",
        "my-mcp-server:latest"
      ],
      "env": {
        "API_KEY": "$EXTERNAL_SERVICE_TOKEN"
      }
    }
  }
}

SSE Transport (remote servers):

{
  "mcpServers": {
    "remoteServer": {
      "url": "https://api.example.com/sse",
      "headers": {
        "Authorization": "Bearer $API_TOKEN"
      },
      "timeout": 60000
    }
  }
}

MCP Server Access Control

{
  "mcp": {
    "allowed": ["github", "filesystem"],
    "excluded": ["experimental-server"]
  }
}

Or use allowMCPServers and excludeMCPServers:

{
  "allowMCPServers": ["github", "filesystem"],
  "excludeMCPServers": ["dangerous-server"]
}

MCP Authentication (Remote Servers)

Google Credentials:

{
  "mcpServers": {
    "googleCloudServer": {
      "httpUrl": "https://my-gcp-service.run.app/mcp",
      "authProviderType": "google_credentials",
      "oauth": {
        "scopes": ["https://www.googleapis.com/auth/userinfo.email"]
      }
    }
  }
}

Service Account Impersonation:

{
  "mcpServers": {
    "serviceAccountServer": {
      "httpUrl": "https://your-iap-protected-service.run.app/mcp",
      "authProviderType": "service_account_impersonation",
      "targetAudience": "YOUR_OAUTH_CLIENT_ID",
      "targetServiceAccount": "your-service-account@your-project.iam.gserviceaccount.com"
    }
  }
}

OAuth Discovery (automatic):

{
  "mcpServers": {
    "discoveredServer": {
      "url": "https://api.example.com/sse"
    }
  }
}

Managing MCP Servers via CLI

Add stdio server:

qwen mcp add my-server python server.py --port 8080
qwen mcp add github-server -e API_KEY=123 /path/to/server arg1 arg2

List servers:

qwen mcp list

Authenticate with OAuth servers:

/mcp auth

/mcp auth serverName

Subagents & Specialization

Subagents are stored in ~/.qwen/agents/ directory as separate configuration files.

Create subagent:

/agents create

Manage existing subagents:

/agents manage

Subagent configuration example (~/.qwen/agents/backend.json):

{
  "name": "backend",
  "description": "Backend API development specialist",
  "model": "qwen3-coder-plus",
  "mcpServers": ["github", "postgres"],
  "tools": ["bash", "git", "docker"],
  "approvalMode": "plan"
}

Custom Commands & Workflows

Custom commands are defined in ~/.qwen/commands/*.toml files:

.qwen/commands/deploy.toml:

[command.deploy]
description = "Deploy to staging environment"
steps = [
  "npm run build",
  "npm run test",
  "npm run deploy:staging"
]
approval = true

Run command:

/deploy

Project Context Management

Qwen Code uses QWEN.md file for project context with hierarchical loading:

QWEN.md (in project root):

Architecture

This project uses microservices architecture…

Development Setup

Run npm install to set up dependencies…


**Configure context loading** in settings.json:
```json
{
  "context": {
    "fileName": ["CONTEXT.md", "QWEN.md"],
    "includeDirectories": ["~/projects/shared-docs"],
    "loadFromIncludeDirectories": true,
    "fileFiltering": {
      "respectGitIgnore": false
    }
  }
}

Context files are automatically loaded when starting Qwen Code in a project directory.

Vision Model Configuration

Qwen Code supports automatic vision model switching for image analysis.

Configure vision switching in settings.json:

{
  "experimental": {
    "vlmSwitchMode": "once",
    "visionModelPreview": true
  }
}

Vision switch modes:

"once" - Switch to vision model for one query only
"session" - Switch for entire session
"persist" - Never switch automatically
Not set - Show interactive dialog (default)

Command line override:

qwen --vlm-switch-mode once
qwen --vlm-switch-mode session

Disable vision models:

{
  "experimental": {
    "visionModelPreview": false
  }
}

Telemetry & Privacy Configuration

Configure telemetry and usage statistics:

{
  "telemetry": {
    "enabled": true,
    "target": "local",
    "otlpEndpoint": "http://localhost:4317",
    "logPrompts": true
  },
  "privacy": {
    "usageStatisticsEnabled": true
  }
}

Disable telemetry:

{
  "telemetry": {
    "enabled": false
  },
  "privacy": {
    "usageStatisticsEnabled": false
  }
}

Advanced Configuration

Complete settings.json Example

{
  "general": {
    "vimMode": true,
    "preferredEditor": "code"
  },
  "ui": {
    "theme": "GitHub",
    "hideBanner": false,
    "hideTips": false,
    "customWittyPhrases": [
      "Connecting to AGI"
    ]
  },
  "tools": {
    "approvalMode": "plan",
    "sandbox": "docker",
    "discoveryCommand": "bin/get_tools",
    "callCommand": "bin/call_tool",
    "exclude": ["dangerous_tool"]
  },
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {
        "GITHUB_TOKEN": "$GITHUB_PERSONAL_ACCESS_TOKEN"
      }
    }
  },
  "telemetry": {
    "enabled": true,
    "target": "local",
    "otlpEndpoint": "http://localhost:4317",
    "logPrompts": true
  },
  "privacy": {
    "usageStatisticsEnabled": true
  },
  "model": {
    "name": "qwen3-coder-plus",
    "maxSessionTurns": 10,
    "summarizeToolOutput": {
      "run_shell_command": {
        "tokenBudget": 100
      }
    }
  },
  "context": {
    "fileName": ["CONTEXT.md", "QWEN.md"],
    "includeDirectories": ["~/projects/shared"],
    "loadFromIncludeDirectories": true,
    "fileFiltering": {
      "respectGitIgnore": false
    }
  },
  "advanced": {
    "excludedEnvVars": ["DEBUG", "DEBUG_MODE", "NODE_ENV"]
  }
}

Best Practices

✅ Do:

Use Qwen OAuth for free tier (2,000 requests/day)
Store API keys in .qwen/.env or ~/.qwen/.env (git-ignored)
Use approvalMode = "plan" for production work
Configure sandboxing (sandbox: "docker") for safety
Define custom commands in .qwen/commands/ for team workflows
Use QWEN.md for project context documentation
Create subagents for specialized tasks in ~/.qwen/agents/
Configure MCP servers in settings.json with proper authentication

❌ Don’t:

Commit API keys or secrets to git
Use approvalMode = "yolo" without understanding risks
Disable sandboxing in untrusted environments
Mix authentication methods (choose one approach)
Store sensitive credentials in settings.json directly (use environment variables)

Troubleshooting & Validation

Common issues:

Problem	Solution
Auth fails	Run `/auth` to switch to Qwen OAuth or verify environment variables
JSON syntax error	Use https://jsonlint.com/ to validate settings.json
MCP server not found	Verify command path and npm package installation
Custom command not working	Check `.qwen/commands/` directory and TOML syntax
Subagent not available	Confirm file exists in `~/.qwen/agents/`

Debug mode:

export DEBUG=qwen:*
qwen --verbose

Check logs: Logs are stored in ~/.qwen/logs/ (if logging enabled)

Session commands:

/help - Display available commands
/stats - Show session information and token usage
/compress - Compress conversation history
/clear - Clear conversation history

Additional Resources

Qwen Code GitHub Repository - Official repository with documentation
Qwen Models Documentation - Qwen3-Coder model details
Gemini CLI Documentation - Original project (Qwen Code is adapted from this)
Model Context Protocol (MCP) - MCP specification
Alibaba Cloud DashScope - DashScope API documentation (Mainland China)
ModelScope API - Free tier API (2,000 calls/day)
OpenRouter - International free tier option

Last updated: 2025-11-12

Configuration Playbook

Windsurf

Overview

Configure Windsurf AI IDE with Cascade agent for collaborative code development.

Quick Start

Windsurf uses standard VS Code-style settings with Windsurf-specific extensions for Cascade features.

Access settings via:

Profile icon (top right) → Windsurf Settings
Command Palette (Cmd/Ctrl+Shift+P) → “Open Windsurf Settings”

Configuration Files & Locations

Scope	Location	Purpose	Git Tracked?
Windsurf Config	`~/.codeium/windsurf/`	User preferences, auth, settings	No
MCP Servers	`~/.codeium/windsurf/mcp_config.json`	MCP server configuration	No
VS Code Settings	`~/Library/Application Support/Windsurf/User/settings.json` (macOS)	Editor settings, keybindings, themes	No
Workflows	`.windsurf/workflows/*.md`	Automation sequences (custom)	Yes
Project Instructions	`WINDSURF.md`	Project documentation (hierarchical loading)	Yes
Ignore Patterns	`.codeiumignore`	Files to exclude from Cascade context	Yes

Windows path: %APPDATA%\Codeium\windsurf\ Linux path: ~/.codeium/windsurf/

Authentication Setup

Windsurf uses Windsurf account authentication (free signup) for IDE and Cascade features.

Windsurf Account (Required)

Sign up during onboarding (completely free):

Launch Windsurf application
Onboarding flow prompts for authentication
Select “Sign up” or “Log in”
Browser opens for OAuth authentication
Authenticate with your account
Token stored securely in system
Click “Open Windsurf” to start

Free Tier: Includes Cascade access with limited credits/month

Pro/Teams/Enterprise: Paid plans with higher usage limits and team features

Manual Authentication Code (Fallback)

If OAuth flow fails:

During onboarding, select “Having Trouble?”
Click “Copy link” to get authentication URL
Open link in browser and authenticate
Copy authentication code
Enter code manually in Windsurf

Account Management

Access account settings:

Profile icon (top right) → Windsurf Settings → Account

Cascade Configuration

Cascade settings are accessible via:

Profile icon (top right) → Windsurf Settings → Cascade
OR
Command Palette → Open Windsurf Settings → Cascade section

Key Cascade Settings

Setting	Purpose
Model Selection	Choose AI model (gpt-4, Claude, etc.) based on plan
MCP Plugins	Manage Model Context Protocol servers and tools
Auto-Continue	Auto-continue if Cascade hits 20-tool-call limit
Sounds	Enable sound alerts when Cascade completes tasks
Themes	Customize Cascade panel appearance

Cascade Modes

Cascade Code (Cmd/Ctrl+L):

Create/edit files, generate projects, refactor code
File changes with Accept/Reject flow
Per tool call + context size credit cost

Cascade Chat (Cmd/Ctrl+L):

Questions, design discussions, explanations
Conversation + optional code proposals
Per message credit cost

Plans & Todo Lists

Planning Agent - Continuously refines strategy while executing actions
Todo Lists - Cascade maintains task list within conversation
Manual/Auto Updates - Plans evolve based on errors, discoveries, Memory entries

Named Checkpoints

Create - Save named snapshot of project state at conversation step
Revert - Hover over prompt → click revert arrow (irreversible!)
Use Case - Explore multiple approaches, snapshot, revert if needed

Cascade Workflows

Reusable markdown-based task automation stored in .windsurf/workflows/:

Invocation: /[workflow-name] in Cascade

Pre-configured workflows:

/address-pr-comments - Process GitHub PR feedback
/git-workflows - Commit, branch, and PR management
/dependency-management - Update/install dependencies
/code-formatting - Run Prettier, Black, ESLint, Flake8
/run-tests-and-fix - Execute tests and auto-fix failures
/deployment - Automate deployment workflows
/security-scan - Run vulnerability scans

Create custom workflow:

Click Customizations icon (top right Cascade panel) → Workflows
Click + Workflow
Write markdown steps (Cascade follows sequentially)
Workflows support nested calls: /workflow-1 can invoke /workflow-2

Example: PR Review Workflow (.windsurf/workflows/review-pr.md):


1. Fetch latest changes
   $ git fetch origin

2. Check out PR branch
   $ git checkout PR-123

3. Run tests
   $ npm test

4. Check linting
   $ npx eslint . --fix

5. Summarize findings

MCP Servers & Tool Integration

Configure MCP servers in ~/.codeium/windsurf/mcp_config.json:

Adding MCP Plugins

Via Plugin Store (recommended):

Click Plugins icon (Cascade panel top right)
Search Plugin Store (official plugins show blue checkmark)
Click plugin → Install
Refresh Cascade

Manual Configuration: Edit ~/.codeium/windsurf/mcp_config.json directly

MCP Server Configuration

Stdio Transport (GitHub example):

{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-github"
      ],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "<YOUR_PAT>"
      }
    }
  }
}

HTTP Transport (SSE example):

{
  "mcpServers": {
    "figma": {
      "serverUrl": "<your-server-url>/mcp"
    }
  }
}

MCP Tool Limits

Total Tool Limit: 100 tools maximum across all plugins
Per-Plugin Configuration: Navigate to plugin → Tools tab → toggle tools on/off
Settings Access: Windsurf Settings → Cascade → Manage plugins

Supported Transport Types

stdio - Command-based execution (Node.js, Python, Go servers)
http - URL-based endpoint (URL format: https://<server-url>/mcp)

MCP Resources

Team MCP Controls (Teams & Enterprise)

Team admins can whitelist approved MCP servers:

Access: Team Settings → MCP Settings

Whitelist Behavior:

Whitelist even one server → all non-whitelisted servers blocked for team
Uses regex pattern matching for flexible configuration
Command field, arguments, and array length must match exactly

Regex Matching Rules:

Full string matching (auto-anchored with ^(?:pattern)$)
Case-sensitive
Special characters (., $, [, ]) need escaping for literal matches

Common Patterns:

Pattern	Matches	Example
`.*`	Any string	`/home/user/script.py`
`[0-9]+`	Any number	`8080`, `3000`
`\\$HOME`	Literal `$HOME`	`$HOME` (not expanded)
`\\.py`	Literal `.py`	`script.py`

Terminal Integration

Configure Cascade’s interaction with terminal commands:

Access: Windsurf Settings → Terminal

Auto-Execute Settings

Allow List - Commands that auto-execute without confirmation:

Example: Add "git" to allow list
→ "git add -A" runs automatically

Deny List - Commands that always require user permission:

Example: Add "rm" to deny list
→ "rm index.py" always prompts for confirmation

Turbo Mode - Additional terminal execution optimizations (configurable in settings)

Terminal Actions

Send Selection to Cascade - Highlight error/stack trace → Cmd/Ctrl+L
Cascade Terminal Commands - Cascade can execute terminal commands with tool calls
Monitor Terminal Output - Cascade monitors terminal output for real-time awareness

Remote Development

Windsurf supports remote development workflows:

SSH Support

Connect to Linux-based remote hosts
Execute Cascade tasks on remote machines
Built-in OpenSSH integration
Access via “Open a Remote Window” (bottom left)

Dev Containers

Local: Docker required
Remote over SSH: Docker on remote host
Commands: Reopen in Container, Attach to Running Container, Show Logs
Uses devcontainer.json configuration

WSL (Beta)

Windows Subsystem for Linux support
Access via “Open a Remote Window” (bottom left)

Memories & Rules

Customize Cascade behavior with persistent context via Memories feature:

Access: /memory command in Cascade or Windsurf Settings → Cascade → Memories

Memories

Store project-specific knowledge that persists across conversations:

Coding standards and patterns
Project architecture notes
Common workflows and conventions
Team-specific guidelines

Format: Define rules using markdown or structured text within Cascade

Example (coding guidelines):

- Project language: Python
- Use early returns when possible
- Always add documentation for new functions and classes

Organized format (with XML tags):

<coding_guidelines>
- Project language: Python  
- Use early returns when possible
- Always add documentation for new functions and classes
</coding_guidelines>

Rules

Guide Cascade’s decision-making and behavior:

Define preferred coding styles
Specify testing requirements
Set documentation standards
Establish naming conventions

Persistence: Memories and rules remain active across conversations in the same project

Management:

View current memories: /memory command
Edit via Cascade Settings → Memories
Project-level persistence (not stored as JSON files)

Project Context Files

WINDSURF.md

Optional project instructions file with hierarchical loading:

Global: ~/.windsurf/WINDSURF.md
Git Root: <repo-root>/WINDSURF.md
Subdirectory: <subfolder>/WINDSURF.md

Cascade automatically loads context from these files when starting in a project directory.

Ignore Patterns

Exclude files from Cascade context using .codeiumignore:

Project-level (.codeiumignore at workspace root):

node_modules/
dist/
.git/
*.log
build/
coverage/
secrets/
*.env

Global (Teams/Enterprise: ~/.codeium/.codeiumignore):

Enforced across all repositories for team members

Format: Follows gitignore syntax

Gitignore Access Setting

Configure whether Cascade can read .gitignore-matched files:

Access: Windsurf Settings → Cascade → Cascade Gitignore Access

Voice Input (Beta)

Enable voice-to-text for hands-free Cascade interaction:

Note: Transcription only; Cascade still requires written prompts for full reasoning

Enable: Windsurf Settings → Cascade → Voice Mode (beta feature for paying users)

Slash Commands

Common commands to invoke during Cascade conversation:

Command	Purpose
`/chat`	Switch to Chat mode (default)
`/code`	Switch to Code mode
`/memory`	View Memory entries
`/settings`	Open Cascade settings
`/workflows`	List available workflows
`/mcp`	Manage MCP servers/plugins
`/help`	Show command list

Advanced Features

Queued Messages

Queue multiple requests while Cascade works
Type message → Press Enter to queue
Send immediately: Press Enter again (if text box empty)
Delete: Remove queued message before execution

Real-Time Awareness

Cascade monitors your live edits, terminal output, and active context
Simply tell Cascade “Continue” after making edits
No manual context re-injection needed

Share Cascade conversations with team members:

Cascade panel → ... (more options) → Share Conversation

Custom App Icons (Beta - Mac only)

For paying users:

Profile/settings icon (top right) → Customize App Icon

Best Practices

✅ Do:

Create checkpoints before major changes - Use named snapshots to explore safely
Start with Chat mode for planning - Discuss approach before Code mode edits
Review before accepting changes - Always review Cascade’s edits before clicking Accept
Build custom workflows - Workflows are faster than repeated prompts for common tasks
Use Memories for project context - Store coding standards, patterns, architecture notes
Configure terminal allow/deny lists - Prevent dangerous commands from auto-executing
Set up MCP plugins strategically - Stay under 100-tool limit by enabling only needed tools
Use .codeiumignore - Exclude sensitive files from Cascade context
Enable proper team MCP controls - Whitelist approved servers for team security

❌ Don’t:

Revert without caution - Checkpoints reverts are irreversible
Disable all approval gates - Keep some review points for safety
Exceed 100 MCP tool limit - Disable unused tools to stay under limit
Commit sensitive data to workflows - Keep credentials in environment variables
Ignore terminal deny list - Add dangerous commands (like rm -rf) to deny list
Mix authentication accounts - Use consistent account across devices
Rely solely on Cascade - Always review AI-generated code before shipping

Troubleshooting & Validation

Common issues:

Problem	Solution
OAuth flow doesn’t open browser	Check firewall settings; try manual authentication code method
MCP server not found	Verify npm package installed: `npm list @modelcontextprotocol/server-github`
MCP server won’t start	Check command path exists: `which npx`
Environment variables not resolving	Verify env vars are set in shell or MCP config `env` section
Cascade doesn’t execute workflows	Verify `.windsurf/workflows/` files have valid markdown syntax
Memories not persisting	Access via `/memory` command or Cascade Settings → Memories
Remote connection fails	Verify SSH credentials and network connectivity
Hitting 100 tool limit	Disable unused MCP tools via plugin settings
Team whitelist blocking servers	Verify regex patterns match exactly; check admin whitelist config

Debug MCP connection:

which npx

npx @modelcontextprotocol/server-github --version

cat ~/.codeium/windsurf/mcp_config.json

Debug mode:

Open Developer Console: Cmd/Ctrl+Shift+P → “Developer: Toggle Developer Tools”
Check Windsurf logs: ~/.codeium/windsurf/logs/
Look for MCP and auth errors in console

Restart Windsurf: Many config changes require restart to take effect

Update Windsurf

Auto-update:

Click “Restart to Update” button (top right menu bar when available)

Manual check:

Profile icon dropdown → Check for Updates
Command Palette (Cmd/Ctrl+Shift+P) → “Check for Updates”

Windsurf Next (Prerelease):

Opt-in for early access to newest features
Download: https://windsurf.com/editor/download-next

Uninstall Windsurf

Steps:

Close Windsurf application
Delete application (drag to Trash on macOS)
Remove configuration directory:

macOS/Linux:

rm -rf ~/.codeium/windsurf

Windows:

C:\Users\[YourUsername]\.codeium\windsurf

(Manually delete this folder)

Additional Resources

Windsurf Getting Started - Installation, onboarding, setup
Cascade Overview - Full Cascade capabilities
Cascade Workflows - Creating and running workflows
MCP Integration - Extending Cascade with custom tools
Memories & Rules - Persistent context customization
Advanced Configuration - SSH, Dev Containers, WSL
Terminal Integration - Terminal commands and auto-execute policies
Model Context Protocol - MCP specification
MCP Server Repository - Official MCP servers
Windsurf Changelog - Release notes and updates
Discord Community - Support and discussions

Last updated: 2025-11-12

Overview

Quick Start

Configuration Files & Locations

Authentication Setup

Method 1: ChatGPT OAuth (Interactive)

Method 2: API Key (Programmatic)

Enterprise: Forcing a Login Method

Control Credential Storage

Model Selection

Custom Model Providers

Safety & Approval Controls

Approval Policy

Sandbox Mode

MCP Servers & Tool Integration

STDIO Servers

Streamable HTTP Servers

MCP CLI Commands

Profiles for Multiple Environments

Feature Flags

Shell Environment Policy

History & Session Tracking

AGENTS.md Discovery

Observability & Telemetry

OpenTelemetry Export

Custom Notification Script

TUI Desktop Notifications

Hide/Show Reasoning

Best Practices

Troubleshooting & Validation

Additional Resources