Sandboxing and approvals solve different problems. The sandbox defines what commands can technically access. The approval policy defines when Codex must stop and ask before crossing that boundary.
| Sandbox | Use |
|---|---|
read-only | Inspection and consultation |
workspace-write | Normal local development |
danger-full-access | Controlled environments only |
Use workspace-write with on-request. Add a writable root or a narrow command rule when needed instead of disabling the boundary.
sandbox_mode = "workspace-write"
approval_policy = "on-request"
approvals_reviewer = "user"
Check the exact command, why it needs broader access, which files or network target it touches, and whether a narrower alternative exists. Permission is part of task design, not an interruption.
| Need | Mechanism |
|---|---|
| Write one adjacent project directory | Add a writable root |
| Permit one known command prefix | Add a rule that allows or prompts |
| Inspect an unfamiliar repository | Start read-only |
| Normal implementation inside one repo | Workspace-write with on-request approvals |
| Unrestricted machine and network access | Use only in a controlled disposable environment |
Before broadening access, identify what is trusted. Repository code can execute through tests, package scripts, build hooks, and developer tools. Web pages and tool output can also contain hostile instructions.
approval_policy = "never" means Codex will not ask; it does not grant access forbidden by the sandbox. Conversely, full access removes the technical boundary even if prompts still appear.
Run /permissions, identify the active mode, and explain what would trigger the next approval request. Then design the narrowest permission profile for a task that edits one repository, runs tests, and needs no network access.
Codex sandboxing explains boundaries, approval policies, writable roots, and safe defaults.