claude-settings-to-codex 0.1.0

package/LICENSE

@@ -0,0 +1,8 @@
+Copyright 2026 newnakashima2014@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

package/README.md

@@ -0,0 +1,83 @@
+# claude-settings-to-codex
+
+`Claude Code` の `settings.json` を、`Codex` 向けの `config.toml` と変換レポートへ落とす CLI です。
+
+特に `permissions.allow / ask / deny` を対象にしています。ただし Codex は Claude のようなコマンド単位 allowlist/denylist をそのまま表現できないため、このツールは安全側の近似変換を行い、非互換部分はレポートに残します。
+
+## 使い方
+
+```bash
+npx claude-settings-to-codex
+```
+
+任意のプロジェクトディレクトリで実行すると、そのディレクトリを基準に以下の既定パスを使います。
+
+- 入力: `.claude/settings.json`
+- 出力: `.codex/config.toml`
+- レポート: `conversion-report.md`
+
+明示指定もできます。
+
+```bash
+npx claude-settings-to-codex \
+  --input ./path/to/settings.json \
+  --output ./.codex/config.toml \
+  --report ./conversion-report.md
+```
+
+ネットワーク設定の扱い:
+
+```bash
+npx claude-settings-to-codex --network off
+npx claude-settings-to-codex --network auto
+npx claude-settings-to-codex --network on
+```
+
+- `off`: 常に `network_access = false`
+- `auto`: `npm install` や `curl` などのパターンがある場合のみ `true`
+- `on`: 常に `network_access = true`
+
+## ローカル開発時の確認
+
+公開前に手元で CLI として確認したい場合:
+
+```bash
+npm link
+cd /path/to/target-project
+claude-settings-to-codex
+```
+
+あるいは、このリポジトリ内で直接実行しても構いません。
+
+```bash
+node src/cli.js --help
+```
+
+## 変換方針
+
+- `Bash(...)` ルールを抽出して集計
+- Codex 側は原則 `approval_policy = "on-request"` を生成
+- Bash 権限が1つでもあれば `sandbox_mode = "workspace-write"`、なければ `read-only`
+- Claude の `allow` / `deny` の厳密再現はできないので、レポートに unsupported / lossy として残す
+- `ask` は `on-request` に近似
+
+## テスト
+
+```bash
+npm test
+```
+
+## npm 公開手順
+
+1. npm アカウントでログインする: `npm login`
+2. 公開名が空いているか確認する: `npm view claude-settings-to-codex`
+3. テストを実行する: `npm test`
+4. 公開内容を確認する: `npm pack --dry-run`
+5. 公開する: `npm publish --access public`
+
+公開後は任意のプロジェクトで次のように使えます。
+
+```bash
+cd /path/to/project
+npx claude-settings-to-codex
+```

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "claude-settings-to-codex",
+  "version": "0.1.0",
+  "description": "Convert Claude Code settings.json permission settings into a Codex-oriented config.toml and conversion report.",
+  "type": "module",
+  "bin": {
+    "claude-settings-to-codex": "./src/cli.js"
+  },
+  "files": [
+    "src",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "test": "node --test"
+  },
+  "keywords": [
+    "claude-code",
+    "codex",
+    "converter",
+    "permissions",
+    "cli"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/newnakashima/claude-settings-to-codex.git"
+  },
+  "homepage": "https://github.com/newnakashima/claude-settings-to-codex#readme",
+  "bugs": {
+    "url": "https://github.com/newnakashima/claude-settings-to-codex/issues"
+  },
+  "license": "MIT",
+  "engines": {
+    "node": ">=20"
+  }
+}

package/src/cli.js

@@ -0,0 +1,139 @@
+#!/usr/bin/env node
+
+import fs from "node:fs/promises";
+import path from "node:path";
+import process from "node:process";
+import { convertClaudeSettings, defaultPaths } from "./converter.js";
+import { parseJsonc } from "./jsonc.js";
+
+async function main() {
+  const cwd = process.cwd();
+  const defaults = defaultPaths(cwd);
+  const args = parseArgs(process.argv.slice(2), defaults);
+
+  if (args.help) {
+    printHelp(defaults);
+    return;
+  }
+
+  const sourceText = await fs.readFile(args.input, "utf8");
+  const settings = parseJsonc(sourceText);
+  const result = convertClaudeSettings(settings, {
+    sourcePath: relativeOrAbsolute(cwd, args.input),
+    outputPath: relativeOrAbsolute(cwd, args.output),
+    approvalPolicy: args.approvalPolicy,
+    network: args.network
+  });
+
+  await fs.mkdir(path.dirname(args.output), { recursive: true });
+  await fs.mkdir(path.dirname(args.report), { recursive: true });
+  await fs.writeFile(args.output, result.configToml, "utf8");
+  await fs.writeFile(args.report, result.reportMarkdown, "utf8");
+
+  process.stdout.write(
+    [
+      `Wrote ${relativeOrAbsolute(cwd, args.output)}`,
+      `Wrote ${relativeOrAbsolute(cwd, args.report)}`,
+      `approval_policy=${result.analysis.approvalPolicy}`,
+      `sandbox_mode=${result.analysis.sandboxMode}`,
+      `network_access=${result.analysis.network.enabled}`
+    ].join("\n") + "\n"
+  );
+}
+
+function parseArgs(argv, defaults) {
+  const args = {
+    input: defaults.input,
+    output: defaults.output,
+    report: defaults.report,
+    approvalPolicy: "on-request",
+    network: "off",
+    help: false
+  };
+
+  for (let index = 0; index < argv.length; index += 1) {
+    const arg = argv[index];
+
+    if (arg === "--help" || arg === "-h") {
+      args.help = true;
+      continue;
+    }
+
+    if (arg === "--input") {
+      args.input = requireValue(argv, index, "--input");
+      index += 1;
+      continue;
+    }
+
+    if (arg === "--output") {
+      args.output = requireValue(argv, index, "--output");
+      index += 1;
+      continue;
+    }
+
+    if (arg === "--report") {
+      args.report = requireValue(argv, index, "--report");
+      index += 1;
+      continue;
+    }
+
+    if (arg === "--approval-policy") {
+      const value = requireValue(argv, index, "--approval-policy");
+      if (!["untrusted", "on-failure", "on-request", "never"].includes(value)) {
+        throw new Error(`Unsupported --approval-policy value: ${value}`);
+      }
+      args.approvalPolicy = value;
+      index += 1;
+      continue;
+    }
+
+    if (arg === "--network") {
+      const value = requireValue(argv, index, "--network");
+      if (!["off", "auto", "on"].includes(value)) {
+        throw new Error(`Unsupported --network value: ${value}`);
+      }
+      args.network = value;
+      index += 1;
+      continue;
+    }
+
+    throw new Error(`Unknown argument: ${arg}`);
+  }
+
+  return args;
+}
+
+function requireValue(argv, index, flag) {
+  const value = argv[index + 1];
+  if (!value) {
+    throw new Error(`Missing value for ${flag}`);
+  }
+  return value;
+}
+
+function printHelp(defaults) {
+  process.stdout.write(
+    [
+      "Usage: claude-settings-to-codex [options]",
+      "",
+      "Options:",
+      `  --input <path>             Input Claude settings file (default: ${defaults.input})`,
+      `  --output <path>            Output Codex config.toml (default: ${defaults.output})`,
+      `  --report <path>            Output conversion report (default: ${defaults.report})`,
+      "  --approval-policy <value>  Codex approval policy: untrusted | on-failure | on-request | never",
+      "  --network <mode>           Network mapping: off | auto | on",
+      "  -h, --help                 Show this help",
+      ""
+    ].join("\n")
+  );
+}
+
+function relativeOrAbsolute(cwd, target) {
+  const relative = path.relative(cwd, target);
+  return relative && !relative.startsWith("..") ? relative : target;
+}
+
+main().catch((error) => {
+  process.stderr.write(`${error.message}\n`);
+  process.exitCode = 1;
+});

package/src/converter.js

@@ -0,0 +1,333 @@
+import path from "node:path";
+
+const NETWORK_PATTERNS = [
+  /\bnpm\s+(install|i)\b/i,
+  /\bpnpm\s+(add|install|up|update|dlx)\b/i,
+  /\byarn\s+(add|install|up|upgrade|dlx)\b/i,
+  /\bbun\s+(add|install|updatex?)\b/i,
+  /\bpip(?:3)?\s+install\b/i,
+  /\buv\s+pip\s+install\b/i,
+  /\bpoetry\s+add\b/i,
+  /\bcargo\s+(add|install)\b/i,
+  /\bgo\s+(get|install)\b/i,
+  /\bgem\s+install\b/i,
+  /\bbrew\s+(install|upgrade|tap)\b/i,
+  /\bapt(?:-get)?\s+(install|update)\b/i,
+  /\bapk\s+add\b/i,
+  /\bdnf\s+install\b/i,
+  /\byum\s+install\b/i,
+  /\bpod\s+install\b/i,
+  /\bcomposer\s+(require|install|update)\b/i,
+  /\bnuget\s+install\b/i,
+  /\bdotnet\s+add\s+package\b/i,
+  /\bgit\s+clone\b/i,
+  /\bcurl\b/i,
+  /\bwget\b/i,
+  /\bnpx\b/i,
+  /\bdocker\s+pull\b/i
+];
+
+export function convertClaudeSettings(settings, options = {}) {
+  const normalized = normalizeClaudeSettings(settings);
+  const entries = extractPermissionEntries(normalized.permissions);
+  const bashEntries = entries.filter((entry) => entry.kind === "bash");
+  const nonBashEntries = entries.filter((entry) => entry.kind !== "bash");
+
+  const sandboxMode = deriveSandboxMode(bashEntries);
+  const network = deriveNetworkAccess(bashEntries, options.network ?? "off");
+  const approvalPolicy = options.approvalPolicy ?? "on-request";
+
+  const configToml = renderCodexConfig({
+    approvalPolicy,
+    sandboxMode,
+    networkAccess: network.enabled,
+    notes: buildConfigNotes({ entries, bashEntries, nonBashEntries, network })
+  });
+
+  const reportMarkdown = renderReport({
+    sourcePath: options.sourcePath ?? ".claude/settings.json",
+    outputPath: options.outputPath ?? ".codex/config.toml",
+    normalized,
+    entries,
+    bashEntries,
+    nonBashEntries,
+    approvalPolicy,
+    sandboxMode,
+    network
+  });
+
+  return {
+    configToml,
+    reportMarkdown,
+    analysis: {
+      entries,
+      bashEntries,
+      nonBashEntries,
+      approvalPolicy,
+      sandboxMode,
+      network
+    }
+  };
+}
+
+export function normalizeClaudeSettings(settings) {
+  const permissions = isPlainObject(settings?.permissions) ? settings.permissions : {};
+
+  return {
+    permissions: {
+      allow: normalizeStringArray(permissions.allow),
+      ask: normalizeStringArray(permissions.ask),
+      deny: normalizeStringArray(permissions.deny)
+    }
+  };
+}
+
+function normalizeStringArray(value) {
+  if (!Array.isArray(value)) {
+    return [];
+  }
+
+  return value.filter((item) => typeof item === "string").map((item) => item.trim()).filter(Boolean);
+}
+
+export function extractPermissionEntries(permissions) {
+  const groups = ["allow", "ask", "deny"];
+  const entries = [];
+
+  for (const group of groups) {
+    for (const raw of permissions[group] ?? []) {
+      entries.push(parsePermissionEntry(raw, group));
+    }
+  }
+
+  return entries;
+}
+
+export function parsePermissionEntry(raw, group) {
+  const bashMatch = /^Bash\(([\s\S]*)\)$/u.exec(raw);
+  if (bashMatch) {
+    const command = bashMatch[1].trim();
+    return {
+      group,
+      raw,
+      kind: "bash",
+      tool: "Bash",
+      command,
+      requiresNetwork: NETWORK_PATTERNS.some((pattern) => pattern.test(command))
+    };
+  }
+
+  const toolCallMatch = /^([A-Za-z][A-Za-z0-9_-]*)\(([\s\S]*)\)$/u.exec(raw);
+  if (toolCallMatch) {
+    return {
+      group,
+      raw,
+      kind: "tool-call",
+      tool: toolCallMatch[1],
+      argument: toolCallMatch[2].trim()
+    };
+  }
+
+  const bareToolMatch = /^([A-Za-z][A-Za-z0-9_-]*)$/u.exec(raw);
+  if (bareToolMatch) {
+    return {
+      group,
+      raw,
+      kind: "tool",
+      tool: bareToolMatch[1]
+    };
+  }
+
+  return {
+    group,
+    raw,
+    kind: "unknown",
+    tool: null
+  };
+}
+
+function deriveSandboxMode(bashEntries) {
+  return bashEntries.length > 0 ? "workspace-write" : "read-only";
+}
+
+function deriveNetworkAccess(bashEntries, mode) {
+  if (mode === "on") {
+    return { enabled: true, reason: "Forced by --network on", commands: [] };
+  }
+
+  if (mode === "off") {
+    return { enabled: false, reason: "Forced by --network off", commands: [] };
+  }
+
+  const commands = bashEntries.filter((entry) => entry.requiresNetwork).map((entry) => entry.command);
+  return {
+    enabled: commands.length > 0,
+    reason: commands.length > 0 ? "Enabled by heuristic network command detection" : "No network-oriented command patterns detected",
+    commands
+  };
+}
+
+function buildConfigNotes({ entries, bashEntries, nonBashEntries, network }) {
+  const notes = [];
+
+  if (entries.length === 0) {
+    notes.push("No Claude permissions entries were found.");
+  }
+
+  if (bashEntries.some((entry) => entry.group === "allow")) {
+    notes.push("Claude Bash allowlist rules are not representable in Codex config; approval is approximated globally.");
+  }
+
+  if (bashEntries.some((entry) => entry.group === "deny")) {
+    notes.push("Claude Bash denylist rules are not representable in Codex config; see the conversion report for manual follow-up.");
+  }
+
+  if (nonBashEntries.length > 0) {
+    notes.push("Non-Bash Claude permission entries were preserved only in the conversion report.");
+  }
+
+  if (network.reason) {
+    notes.push(`Network access decision: ${network.reason}.`);
+  }
+
+  return notes;
+}
+
+export function renderCodexConfig({ approvalPolicy, sandboxMode, networkAccess, notes }) {
+  const lines = [
+    "# Generated by claude-settings-to-codex",
+    "# This config is a best-effort approximation of Claude Code permissions.",
+    ...notes.map((note) => `# ${note}`),
+    `approval_policy = ${tomlString(approvalPolicy)}`,
+    `sandbox_mode = ${tomlString(sandboxMode)}`
+  ];
+
+  if (sandboxMode === "workspace-write") {
+    lines.push("");
+    lines.push("[sandbox_workspace_write]");
+    lines.push(`network_access = ${networkAccess ? "true" : "false"}`);
+    lines.push("writable_roots = []");
+  }
+
+  lines.push("");
+  return lines.join("\n");
+}
+
+export function renderReport({
+  sourcePath,
+  outputPath,
+  normalized,
+  entries,
+  bashEntries,
+  nonBashEntries,
+  approvalPolicy,
+  sandboxMode,
+  network
+}) {
+  const counts = countByGroup(entries);
+  const lines = [
+    "# Conversion Report",
+    "",
+    `- Source: \`${sourcePath}\``,
+    `- Generated config: \`${outputPath}\``,
+    `- Bash permission entries: ${bashEntries.length}`,
+    `- Non-Bash permission entries: ${nonBashEntries.length}`,
+    "",
+    "## Generated Codex Defaults",
+    "",
+    `- approval_policy: \`${approvalPolicy}\``,
+    `- sandbox_mode: \`${sandboxMode}\``,
+    `- network_access: \`${network.enabled}\``,
+    `- network decision: ${network.reason}`,
+    "",
+    "## Claude Permission Summary",
+    "",
+    `- allow: ${counts.allow}`,
+    `- ask: ${counts.ask}`,
+    `- deny: ${counts.deny}`,
+    "",
+    "## Compatibility Notes",
+    "",
+    "- Claude `ask` entries are approximated by Codex's global `approval_policy = \"on-request\"`.",
+    "- Claude command-level `allow` rules cannot be represented exactly in Codex config today.",
+    "- Claude command-level `deny` rules cannot be represented exactly in Codex config today.",
+    "- Non-Bash Claude permissions are not translated into Codex config keys by this tool.",
+    ""
+  ];
+
+  if (network.commands.length > 0) {
+    lines.push("## Network Heuristic Matches", "");
+    for (const command of network.commands) {
+      lines.push(`- \`${command}\``);
+    }
+    lines.push("");
+  }
+
+  if (entries.length > 0) {
+    lines.push("## Entry-by-Entry Analysis", "");
+    for (const entry of entries) {
+      lines.push(`- ${formatEntryLine(entry)}`);
+    }
+    lines.push("");
+  }
+
+  if (normalized.permissions.allow.length === 0 && normalized.permissions.ask.length === 0 && normalized.permissions.deny.length === 0) {
+    lines.push("## Notes", "", "- No Claude `permissions` entries were found, so the generated Codex config is only a baseline shell-execution profile.", "");
+  }
+
+  lines.push("## Manual Follow-up", "");
+  lines.push("- Review `allow` and `deny` entries manually; Codex cannot enforce them as exact per-command rules.");
+  lines.push("- If your workflows need package installation or HTTP access, re-run with `--network auto` or `--network on`.");
+  lines.push("- If you need extra writable directories, edit `writable_roots` in the generated `config.toml`.");
+  lines.push("");
+
+  return lines.join("\n");
+}
+
+function formatEntryLine(entry) {
+  const base = `\`${entry.raw}\` (${entry.group})`;
+
+  if (entry.kind === "bash") {
+    if (entry.group === "ask") {
+      return `${base}: approximated by global on-request approval.`;
+    }
+
+    if (entry.group === "allow") {
+      return `${base}: unsupported exact mapping; treated as a manual review item.`;
+    }
+
+    if (entry.group === "deny") {
+      return `${base}: unsupported exact mapping; treated as a manual review item.`;
+    }
+  }
+
+  if (entry.kind === "tool" || entry.kind === "tool-call") {
+    return `${base}: non-Bash Claude permission, preserved in report only.`;
+  }
+
+  return `${base}: unrecognized permission syntax, preserved in report only.`;
+}
+
+function countByGroup(entries) {
+  return {
+    allow: entries.filter((entry) => entry.group === "allow").length,
+    ask: entries.filter((entry) => entry.group === "ask").length,
+    deny: entries.filter((entry) => entry.group === "deny").length
+  };
+}
+
+function tomlString(value) {
+  return JSON.stringify(value);
+}
+
+function isPlainObject(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+
+export function defaultPaths(cwd) {
+  return {
+    input: path.join(cwd, ".claude", "settings.json"),
+    output: path.join(cwd, ".codex", "config.toml"),
+    report: path.join(cwd, "conversion-report.md")
+  };
+}

package/src/jsonc.js

@@ -0,0 +1,57 @@
+export function parseJsonc(input) {
+  const stripped = stripJsonComments(input);
+  return JSON.parse(stripped);
+}
+
+function stripJsonComments(input) {
+  let output = "";
+  let inString = false;
+  let quote = "";
+  let escaped = false;
+
+  for (let i = 0; i < input.length; i += 1) {
+    const char = input[i];
+    const next = input[i + 1];
+
+    if (inString) {
+      output += char;
+      if (escaped) {
+        escaped = false;
+      } else if (char === "\\") {
+        escaped = true;
+      } else if (char === quote) {
+        inString = false;
+        quote = "";
+      }
+      continue;
+    }
+
+    if (char === "\"" || char === "'") {
+      inString = true;
+      quote = char;
+      output += char;
+      continue;
+    }
+
+    if (char === "/" && next === "/") {
+      while (i < input.length && input[i] !== "\n") {
+        i += 1;
+      }
+      output += "\n";
+      continue;
+    }
+
+    if (char === "/" && next === "*") {
+      i += 2;
+      while (i < input.length && !(input[i] === "*" && input[i + 1] === "/")) {
+        i += 1;
+      }
+      i += 1;
+      continue;
+    }
+
+    output += char;
+  }
+
+  return output;
+}