Vibe Coding
Back to Codex

Codex / concept

Sandbox, permissions and approvals

Understand how the Codex sandbox restricts file, command, and network access, and how it works with approval policies to control the degree of autonomy of local agents.

Sandbox, permissions and approvals key concepts infographic
Sandbox, permissions and approvals key concepts infographic

What is a sandbox

Codex's sandbox is a running environment that allows agents to act autonomously while still maintaining boundaries. When Codex executes local commands in apps, IDE extensions, and CLI, these commands will not get full permissions on the entire machine by default, but will run in a restricted environment.

The sandbox boundary determines what Codex can do on its own, such as which files it can modify, whether commands can access the network, and whether it can only work within the current workspace. When the task stays within this boundary, Codex can be executed continuously; when it needs to cross the boundary, it will enter the approval process.

Sandboxing and approvals are two different but complementary sets of controls. The sandbox defines the technical boundaries, and the approval policy determines when Codex must stop and ask. It's important to understand that allowing more approvals doesn't mean expanding the sandbox, and expanding the sandbox doesn't mean eliminating approvals at all.

  • The sandbox restricts the commands for model generation and startup, not just the built-in file editing of Codex.
  • Child processes such as git, package managers, test frameworks, build scripts, etc. all inherit the same set of sandbox boundaries.
  • The underlying implementation differs between macOS, Linux, WSL2, and Windows, but the goal is to have agents work within well-defined scopes.

Why you need a sandbox

Sandboxing reduces approval fatigue from low-risk operations. You don't need separate confirmations for each time you read a file, change a workspace file, or run a local test, but you can still tell when the Codex is trying to cross a boundary.

It also makes it easier for teams to build a trust model: instead of simply trusting the agent to "do something good," you make it work within the constraints enforced by the operating system or runtime. In this way, when dealing with a real repository, you can give it enough space to complete the task without letting it touch the host, network or sensitive directories by default.

Platform premise

Codex automatically uses available platform sandboxing capabilities. macOS uses the system's built-in mechanism; Windows can use the native Windows sandbox or WSL2's Linux sandbox; Linux and WSL2 recommend installing bubblewrap.

On some Linux distributions, bubblewrap also relies on unprivileged user namespace or AppArmor configuration. When Codex is started, if it detects that bwrap is missing or cannot create the required namespace, a warning will be displayed; at this time, priority should be given to repairing the system's sandboxing capabilities rather than switching directly to full access.

sudo apt install bubblewrap
# or
sudo dnf install bubblewrap
PlatformSandbox preparationThings to note
macOSReady out of the boxUsing the system's built-in sandbox capabilities, no additional installation is usually required.
Windows PowerShellUse native Windows sandboxSee the official Windows documentation for details. System permissions and local shell environment will affect usability.
WSL2 / LinuxInstall bubblewrapCodex preferentially uses bwrap in PATH; it will prompt if it is missing or the namespace is restricted.

How to control the sandbox

Most users start with permission control within the product. Codex App and IDE can select permission mode near the input box; in CLI session, you can use /permissions to switch.

1

Switch mid-session

Use /permissions in the CLI to view and toggle the behaviors allowed for the current session. Perfect for switching from read-only exploration to workspace editing, or tightening permissions when a task becomes sensitive.

/permissions
2

Specified at startup

Explicitly provide the sandbox and approval policy when starting Codex from the command line, so that a session has clear boundaries from the beginning.

codex --sandbox workspace-write --ask-for-approval on-request
3

Write default configuration

If you want the same behavior every time you launch it, write the default values into the Codex's config.toml and choose whether to use stricter defaults based on project risk.

sandbox_mode = "workspace-write"
approval_policy = "on-request"
approvals_reviewer = "user"

Common sandbox modes

Codex's common sandbox modes can be understood as three levels: read-only, workspace writable, and full access. Each level should be viewed together with the approval strategy.

modeWhat Codex can doSuitable for the scene
read-onlyFiles can be inspected, but are restricted or require approval before editing them or running commands that require higher privileges.Code understanding, solution design, sensitive repository, and first time taking over projects.
workspace-writeCan read files, edit within the workspace, and run regular local commands within the boundary. Network is off by default.Daily local development, bug fixing, testing, and page changes.
danger-full-accessSandbox restrictions are lifted, and file system and network boundaries are relaxed.Externally isolated containers, CI runners, or disposable VMs only.

Recommended default value

Low-risk local automation typically uses workspace-write + on-request. It allows Codex to advance tasks within the workspace while stopping and interrogating when boundaries are crossed, networking or sensitive operations occur.

Approval strategy

Approval policies control when Codex is paused. Common official policies include untrusted, on-request, and never; when approval is interactive, there is also the option to review by user or auto_review.

auto_review only reviews requests that inherently require approval, such as sandbox out of bounds, blocked network requests, request_permissions prompts, or app/MCP tool calls with side effects. Behaviors already allowed within the sandbox will not pass through it.

approval_policy = "on-request"
approvals_reviewer = "auto_review"
Approval strategybehaviorSuggestions
untrustedCommands not in the trusted set will be asked.Suitable for scenarios where you are unfamiliar with the repository or require more frequent confirmations.
on-requestContinue within the sandbox and request approval when crossing boundaries.Recommended for most interactive local development tasks.
neverNo approval prompt will pop up, and Codex will try its best to complete the process within the established sandbox.Good for non-interactive scripts, but the sandbox must be tightened in advance.
auto_reviewIt is not an approval policy, but an approval reviewer; the eligible request is first handed over to the review agent.Suitable for reducing manual approval, but cannot change sandbox boundaries.

network access

workspace-write turns off command network access by default. When you need to connect to the Internet to install dependencies, call APIs, or access internal services, you should explicitly open the network and try to use domain name rules to limit exports.

network_proxy does not grant network permissions individually, it simply imposes policies on enabled command network access. That is, network_access still determines whether the command has a network, and network_proxy determines where this network traffic can go.

The domain name policy is allowlist-first: the exact host only matches itself, *.example.com matches subdomains, **.example.com matches both root domains and subdomains, and deny always takes precedence. The global *allow represents very wide network permissions and should be avoided as much as possible.

[sandbox_workspace_write]
network_access = true

[features.network_proxy]
enabled = true
domains = { "api.openai.com" = "allow", "example.com" = "deny" }

protected path

In the default workspace-write, some directories remain read-only. The official specifically mentioned that .git, .agents, .codex and their recursive contents will be protected to prevent tasks from accidentally destroying the repository state or Codex's own configuration.

If .git is a gitdir pointer file, the parsed Git directory is also read-only. When encountering requirements such as git commit, git reset, and modification of Codex configuration, Codex may require approval or explicit authorization.

  • Don't switch directly to danger-full-access just to let a command pass.
  • First determine whether the task really needs to write a protected path, and whether it can use ordinary files, temporary directories, or smaller approval exceptions instead.
  • Check the diff when finished to confirm that no version control, configuration, or automation files were accidentally modified.

Run silently

If you want to cancel the approval prompt, you can use --ask-for-approval never or -a never, but it will still be subject to the sandbox mode.

This means never does not equal full permissions. A safer non-interactive approach is workspace-write + never, which allows the Codex to execute automatically within the workspace; only consider danger-full-access + never when the external environment is isolated and there is no host risk.

If you really need to read files, write files, run commands and connect to the Internet without any prompts, the official also provides danger-full-access or dangerously bypass related entrances, but these should only be used in a controlled environment.

codex --sandbox workspace-write --ask-for-approval never "Run tests and fix failures"

# High risk, isolated environment only
codex --sandbox danger-full-access --ask-for-approval never

Study Checklist

Put the content on this page into real tasks and use the five dimensions of entry, context, permissions, verification and team rules to check whether you have truly mastered it.

Study Checklist

After reading this page, do not just remember the concept name. You should be able to place "Sandbox, permissions and approvals" back into a real Codex engineering workflow: where the task starts, what context the system loads, which actions need approval, how the result is verified, and how to roll back when it fails.

If this is a concept page, be specific about how it affects the real task: does it change context, permissions, execution paths, validation methods, or changes the team collaboration process.

  • Be able to describe in your own words the specific problem this page solves, rather than just reciting the title.
  • Able to write a minimal example task with goals, scope, prohibitions, and acceptance criteria.
  • Be able to determine which information should be put into the current prompt and which should be captured as project rules or configurations.
  • Be able to explain which long-term rules should go into AGENTS.md, and which runtime behavior should be handled by config.toml, permission profile, skills and MCP.
  • Ability to check diffs, command output, test results, screenshots or PR notes after a task is completed instead of just trusting the natural language summary.

If this page is used for team training, ask learners to complete a small task with Codex: read and explain first, submit a plan, make the smallest useful change, and close with real verification commands plus human diff review.

Codex practical notes

Fill in the most overlooked execution details of Codex usage around local environments, privilege escalation, remote entry, automation failures, and rollbacks.

Codex Practical Notes

This page belongs to the core concepts of Codex. When learning, connect concepts to real-world implementation: will it change context, permissions, task splitting, verification paths, or change the way teams collaborate.

When handling tasks related to "Sandbox, permissions and approvals", always confirm the current Git status and working directory first. Codex can make changes quickly, but it does not automatically know which uncommitted edits came from the user, which files are off limits, or which commands may affect production.

  • Prioritize using low-risk branches or working trees for local tasks, and review them with git diff after completion.
  • When it comes to installation dependencies, networking, databases, deployment, push, deletion, and reset, Codex must first be asked to explain the impact before approval.
  • Results generated by remote or collaborative portals must also be confirmed back to PR, CI, build logs and test evidence.
  • Automated tasks must define failure output and exit conditions in advance to avoid Codex repeatedly trying in the wrong direction.

Think of Codex as an engineering teammate who can execute commands, rather than an assistant who can only write text. The closer you get to a real system, the greater the need for clear boundaries, evidence, and rollbacks.