Sandbox & Security

Codex runs shell commands and writes files locally, so the sandbox and approvals are core product features, not optional extras.


Two independent dimensions

Dimension | Config / CLI | Question
Sandbox | sandbox_mode, -s | What read/write is technically allowed
Approvals | approval_policy, -a | Must the user approve when crossing boundaries

Use them together. Example: run automatically inside the workspace and pause for approval when a command would cross its boundary:

codex --sandbox workspace-write --ask-for-approval on-request

sandbox_mode values

Value | Behavior
read-only | Read-only; good for planning, review, Q&A
workspace-write | Write current workspace (and configured writable_roots)
danger-full-access | High privilege; isolated environments only

Default recommendation for local work: workspace-write.


approval_policy values

Value | Behavior
untrusted | Untrusted commands need approval
on-request | Auto inside sandbox; ask when crossing boundaries (recommended)
never | No prompts (common in CI; use at your own risk)

Use /permissions in the TUI for temporary changes (e.g. read-only planning).


Common combinations

Scenario | Recommendation
Daily local dev | workspace-write + on-request
Read-only analysis | read-only + on-request
Trusted CI (read-only checkout) | workspace-write + never + strict directories
Fully trusted solo VM | Still avoid --yolo unless the VM is disposable

--yolo (--dangerously-bypass-approvals-and-sandbox): skips sandbox and approvals—do not use on your primary dev machine by default.


Persist in config.toml

# ~/.codex/config.toml
sandbox_mode = "workspace-write"
approval_policy = "on-request"

[sandbox_workspace_write]
# Extend writable roots; see official Protected paths docs
# writable_roots = ["..."]

Prefer --add-dir for extra write paths instead of jumping to danger-full-access.


Network access

Local runs often restrict or disable network access, depending on the OS sandbox. Commands such as npm install or API calls may trigger an approval prompt or policy escalation. Cloud policies are configured separately.


Debug sandbox behavior

Use the same sandbox helper Codex uses internally:

# macOS
codex sandbox macos [--permissions-profile <name>] [--log-denials] -- echo test

# Linux
codex sandbox linux [--permissions-profile <name>] -- echo test

# Windows
codex sandbox windows [--permissions-profile <name>] -- echo test

Use this to verify whether a command would be denied.


Enterprise: requirements.toml

On managed devices, orgs can block dangerous combinations via requirements.toml, e.g.:

  • Disallow approval_policy = "never"
  • Disallow sandbox_mode = "danger-full-access"

See Managed configuration.


Security checklist

  • No committed .env; AGENTS.md says do not read production secrets
  • Default workspace-write + on-request
  • git diff + manual commit before sensitive operations
  • MCP tokens with least privilege
  • CI uses read-only tokens and isolated runners
