Safety Modes

Reference · Beginner · 7 min read · Verified Mar 8, 2026

Understand Codex's approval policies and sandbox modes. Control what Codex can read, write, and execute on your machine.

Codex gives you fine-grained control over what the agent can do on your system. Two settings work together: approval policy (when Codex pauses to ask) and sandbox mode (what Codex can access).

Approval Policy

Controls when Codex pauses for human approval before running commands.

| Policy | Behavior | Best For |
|--------|----------|----------|
| untrusted | Only known-safe read-only commands auto-run; everything else prompts | Maximum safety, untrusted code |
| on-request | Model decides when to ask (default) | Daily development |
| never | Never prompts | Automated pipelines, codex exec |

```toml
# ~/.codex/config.toml
approval_policy = "on-request"
```

Granular Reject Policy

For fine-tuned control, use a reject policy to auto-reject specific prompt categories:

```toml
approval_policy = { reject = { sandbox_approvals = true, execpolicy_prompts = true, mcp_elicitations = false } }
```

This auto-rejects sandbox and exec policy prompts while keeping MCP input requests interactive.

Sandbox Mode

Controls filesystem and network access for model-generated shell commands.

| Mode | File Access | Network | Best For |
|------|-------------|---------|----------|
| Read-only | Read anywhere | None | Exploration, code review |
| Workspace-write | Write only in workspace | None (configurable) | Daily development (default) |
| Full access | Unrestricted | Full | Trusted environments, CI/CD |

```toml
# Workspace-write with custom writable paths
sandbox_mode = "workspace-write"

[sandbox_workspace_write]
writable_roots = ["/Users/YOU/.pyenv/shims"]
network_access = false
```

Workspace-Write Details

In workspace-write mode:

  • Your project directory is writable
  • .git/ and .codex/ directories stay read-only
  • $TMPDIR and /tmp can be excluded from restrictions
  • Commands like git commit may still require approval (they run outside the sandbox)

Full Access / YOLO Mode

```bash
# Maximum access - use only in isolated environments
codex --dangerously-bypass-approvals-and-sandbox
# or the shorthand:
codex --yolo
```

Warning

--yolo runs every command without approvals or sandboxing. Only use this inside an externally hardened environment (isolated VM, container, or CI runner). Never use it on your main development machine with important data.

### The --full-auto Shortcut

For low-friction local work, --full-auto combines relaxed settings:

```bash
codex --full-auto "Fix the failing tests"
# Equivalent to: --ask-for-approval on-request --sandbox workspace-write
```

Platform-Specific Sandboxes

| Platform | Sandbox Technology |
|----------|--------------------|
| macOS | Native seatbelt (sandbox-exec) |
| Linux | Landlock (default), optional bubblewrap pipeline |
| Windows | Native Windows sandbox (in Codex app) |

Organization-Enforced Restrictions

On managed machines, admins can enforce constraints via requirements.toml:

```toml
# requirements.toml (admin-controlled)
[allowed]
approval_policy = ["untrusted", "on-request"]  # "never" not allowed
sandbox_mode = ["workspace-write"]  # No full access
```

This prevents users from disabling safety measures, even with CLI flags.

Choosing the Right Settings

| Scenario | Approval Policy | Sandbox Mode |
|----------|----------------|--------------|
| Exploring unfamiliar codebase | untrusted | Read-only |
| Daily development | on-request | workspace-write |
| Trusted personal projects | on-request | workspace-write |
| CI/CD pipelines | never | workspace-write or isolated full access |
| Quick one-off tasks | on-request | workspace-write |
| Codex exec in scripts | never | Read-only (default) |

Tip

Start with on-request approval and workspace-write sandbox. These defaults give Codex enough freedom to be productive while keeping you in control of risky operations.

## Web Search Safety

Codex handles web search content carefully:

  • Default (web_search = "cached"): Uses an OpenAI-maintained cache of web results, reducing exposure to prompt injection
  • Live (web_search = "live"): Fetches real-time results, enabled with the --search flag
  • In YOLO mode: Web search defaults to live results

Always treat web search results as untrusted input, regardless of the search mode.

Next Steps