An in-Odoo AI assistant powered by the OpenAI Codex CLI. It answers questions, queries your data, and builds reports — running as the logged-in user, never as superuser, with a full audit trail.
Quick start · Security model · Configuration · Commercial support · Roadmap
Most "AI for Odoo" add-ons either ship your data to a third-party prompt or hand the model a superuser connection and hope for the best. Codexoo is built the other way around — security first:
| Codexoo | |
|---|---|
| 🔒 Runs as the user | Every ORM action executes with su=False, so the user's ir.model.access rights and record rules are enforced automatically. The model can never see or do more than the person using it. |
| 🧮 Read-only SQL, really | sql_select is double-guarded: a SELECT-only text validator (no stacked statements, row locks, or dangerous functions) and Postgres SET TRANSACTION READ ONLY + a statement timeout. Gated to a dedicated AI SQL Analyst group. |
| 🧾 Full audit log | Every tool call — model, method, SQL, row counts, outcome, even denials — is written to an immutable log on a separate committed cursor, so it survives rollbacks. |
| 🔑 Per-user login, no shared key | Each user clicks Login with ChatGPT and authorizes with their own subscription via the Codex device-code flow. Credentials are stored per user in a private CODEX_HOME, mode 0600, never in the database, never echoed back. |
| 🚫 Sandboxed engine, no surprises | Codex runs in a read-only sandbox with approvals disabled, so the model cannot touch the shell, filesystem, or network on its own. The authoritative boundary is server-side: the model can affect Odoo only through a small set of tools over a loopback bridge that holds no database credentials. |
| ⚡ Streaming UX | Replies and tool "chips" stream into the chat in real time over the Odoo bus. |
If you sell or run Odoo for clients, the security posture is the feature: you can give business users a natural-language window into their ERP without widening anyone's access by a single record.
OWL chat UI ──/codexoo/send (auth=user)──► Odoo worker ──► daemon thread
▲ bus stream (deltas, tool chips) │ spawns
│ codex exec --json (ChatGPT login, read-only sandbox)
│ tool surface = mcp__odoo__* ONLY
│ │ stdio MCP
│ ▼
│ bridge/mcp_server.py (no DB creds, loopback only)
│ │ Bearer(session token)
└──── bus.bus ◄── controllers/tools.py (auth='codexoo_bridge', runs AS the user) ──► Postgres
- Only Odoo touches the database. The CLI subprocess and the MCP forwarder hold no credentials — only a short-lived, session-scoped HMAC bearer token.
- The bridge is reachable on loopback only; the
codexoo_bridgeauth method rejects any non-local caller and rebinds the request to the session's user (su=False). - Codex itself is launched in a read-only sandbox with approvals disabled, so
it cannot escape to the host; its only path to your data is the
mcp__odoo__*tool surface.
- Odoo 18.0
- The OpenAI Codex CLI installed on the Odoo
server (set its path via the
codexoo.cli_path/codexoo.cli_globsystem parameter; auto-detected if blank). - A ChatGPT subscription per user (device-code login) — no API key required.
# Put the module on your addons_path (the repo is the module folder),
# then install it:
odoo-bin -c odoo.conf -d <your-db> -i codexoo --stop-after-init
# Restart your live server afterwards (Odoo does not re-import changed Python).- Open the Codexoo app from the top menu.
- Click Login with ChatGPT and complete the device-code login in your browser.
- Ask away: "How many sale orders are still in draft this month?"
Grant the AI SQL Analyst group to users who should be able to run read-only SQL reports, and AI Assistant Manager to those who configure it and read the audit log.
Codexoo treats LLM output as untrusted and defends accordingly:
- Never superuser. Tool endpoints abort if
request.env.suis true. - ACLs + record rules apply to every read and write, because the call runs as the user.
- Writes are opt-in. Read tools are the default; each write tool
(
orm_create/write/unlink,orm_action,run_wizard,run_server_action) must be granted per user, and zero-trust mode strips them entirely. - SQL can only read. See the guard above.
- Read-only sandbox. Codex runs with approvals disabled and no host write/network access; the server-side bridge + per-user ACLs are the authoritative boundary.
- Capability tokens expire, are session-scoped, single-jti, and HMAC-signed with the database secret.
See SECURITY.md for the full threat model and how to report a vulnerability.
Settings → Codexoo (or System Parameters codexoo.*):
| Parameter | Purpose |
|---|---|
cli_path / cli_glob |
Path (or glob) to the Codex CLI binary (auto-detected if blank) |
model |
Codex model id (blank = your account's default model) |
max_turns, timeout_s |
Per-turn limits |
home_root, scratch_root |
Per-user CODEX_HOME and CLI scratch directories |
base_url |
Loopback URL the bridge calls back on |
sql_enabled |
Master switch for sql_select |
zero_trust_default |
Global default for read-only (zero-trust) mode |
python_bin |
Interpreter used to run the bundled bridge scripts (defaults to Odoo's) |
- AI Assistant User — can use the chat (ORM reads).
- AI SQL Analyst — additionally may run
sql_select. - AI Assistant Manager — configuration + audit log; sees all sessions.
odoo-bin -c odoo.conf -d <db> -i codexoo --test-enable --test-tags codexoo --stop-after-initCovers the SQL guard, bridge-token mint/verify, the tool-access policy, the
codexoo_bridge auth method, and the audit log. CI runs them on every push and PR.
Codexoo is free and open source (LGPL-3.0) and always will be. It is built and maintained by CICDoo, who also offer:
- 🚀 Managed deployment & hosting — Codexoo running securely on your Odoo, you manage your business and we manage your infrastructure
- 🛟 Priority support & SLAs for production rollouts.
- 🧩 Custom tools & integrations — extend the safe tool surface to your models and workflows.
- 📜 Commercial license for organizations that cannot adopt LGPL terms — modify Codexoo and keep your changes private, embed it in a closed product, or get warranty/indemnification. See COMMERCIAL_LICENSE.md.
- 🎓 Training & security review for teams enabling AI access to their ERP.
👉 Get in touch: sam@cicdoo.com · cicdoo.com
If Codexoo saves your team time, consider sponsoring its development.
- Approval-gated
orm_create/orm_write/orm_unlinkwith before→after diff cards - An admin allow/deny policy model for tools and models
- A dedicated
ai_sql_roPostgres role + view scoping - Tighter OS-level sandboxing of the CLI subprocess
- Per-session rate and tool budgets
Have an idea? Open a feature request or a PR — see CONTRIBUTING.md.
Codexoo wraps OpenAI's Codex CLI. "Codex", "OpenAI", and "ChatGPT" are trademarks of OpenAI. Codexoo is an independent, community project and is not affiliated with or endorsed by OpenAI.
Codexoo is dual-licensed — choose whichever fits you:
- 🆓 Open source: GNU LGPL-3.0-or-later. Free for any use, including on both Odoo Community and Enterprise; modifications to Codexoo's own files stay under the LGPL.
- 💼 Commercial: a proprietary-friendly license from CICDoo that lifts the LGPL obligations (keep modifications private, embed in closed products, warranty/SLA). See COMMERCIAL_LICENSE.md · license@cicdoo.com.
SPDX-License-Identifier: LGPL-3.0-or-later OR LicenseRef-Codexoo-Commercial
© 2026 CICDoo