Set a Real Trust Boundary

Lesson 4 · Safety · ~11 minutes

Sandboxing and approvals solve different problems. The sandbox is the technical boundary: it defines which files and network targets a command can reach at all. The approval policy is the decision point: it defines when Codex must stop and ask before running something that would cross that boundary.

Sandbox              Use
read-only            Inspection and consultation
workspace-write      Normal local development
danger-full-access   Controlled environments only
Practical default

Use workspace-write with on-request. Add a writable root or a narrow command rule when needed instead of disabling the boundary.

sandbox_mode = "workspace-write"
approval_policy = "on-request"
approvals_reviewer = "user"

Read Approval Requests as Diffs

Check the exact command, why it needs broader access, which files or network target it touches, and whether a narrower alternative exists. Permission is part of task design, not an interruption.

Choose the Narrowest Mechanism

Need                                       Mechanism
Write one adjacent project directory       Add a writable root
Permit one known command prefix            Add a rule that allows or prompts
Inspect an unfamiliar repository           Start read-only
Normal implementation inside one repo      Workspace-write with on-request approvals
Unrestricted machine and network access    Use only in a controlled disposable environment
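The first two rows of the table as a script. This is an added example, not code from the Codex project or its documentation: it writes the narrowest profile for "edit one repository, run its tests, no network" and widens it by at most one writable root, refusing roots that would quietly collapse the boundary. It assumes the documented config.toml layout (top-level sandbox_mode and approval_policy, a [sandbox_workspace_write] table with writable_roots and network_access); the output path is whatever you pass, so nothing under ~/.codex is touched unless you point it there.

```shell
#!/bin/sh
# Added example; not code from the Codex project or its docs.
# Assumed config keys: sandbox_mode, approval_policy,
# [sandbox_workspace_write].writable_roots, [sandbox_workspace_write].network_access.

# narrow_root_ok DIR: succeed only for an existing directory that is neither
# the filesystem root nor the home directory. Either of those as a "writable
# root" is danger-full-access in disguise: the config still reads as
# workspace-write, but almost everything the user owns becomes writable.
narrow_root_ok() {
  canon=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  home=$(cd "${HOME:-/}" 2>/dev/null && pwd -P) || home=/
  [ "$canon" = "/" ] && return 1
  [ "$canon" = "$home" ] && return 1
  return 0
}

# write_profile OUT_FILE [EXTRA_WRITABLE_ROOT]
# Writes the profile to OUT_FILE. With a second argument it adds exactly that
# directory as a writable root. If the root is missing or too broad, nothing is
# written and the function returns 1, so the boundary is never widened by
# accident. The path is emitted as a basic TOML string, so it must not contain
# double quotes or backslashes.
write_profile() {
  out=$1
  extra=${2:-}
  roots=""
  if [ -n "$extra" ]; then
    if ! narrow_root_ok "$extra"; then
      echo "refusing writable root: $extra" >&2
      return 1
    fi
    roots="\"$extra\""
  fi
  {
    echo '# Narrowest profile for: edit one repo, run its tests, no network.'
    echo 'sandbox_mode = "workspace-write"'
    echo 'approval_policy = "on-request"'
    echo ''
    echo '[sandbox_workspace_write]'
    echo "writable_roots = [$roots]"
    echo 'network_access = false'
  } > "$out"
}

# Usage: sh narrowest_profile.sh /abs/path/config.toml [/abs/path/fixtures]
if [ "$#" -ge 1 ]; then
  write_profile "$@"
fi
```

The refusal check is the part worth keeping even if you write the TOML by hand: a writable root is an exception to the boundary, and the size of the exception, not the setting name, is what decides how much authority the task has.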

Threat-Model the Task

Before broadening access, identify what is actually trusted rather than what merely looks trusted. Repository code can execute through tests, package scripts, build hooks, and developer tools, so running a task in a repository already executes its contents. Web pages and tool output can also carry hostile instructions that the model may follow.

  1. What code will execute?
  2. What credentials are present in the environment?
  3. Which directories could be modified?
  4. Can the task contact external systems?
  5. What evidence will you review afterward?
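Questions 1 and 2 can be answered mechanically before the prompt is approved. The script below is an added example, not code from the Codex project or its documentation: it lists the files in a repository that execute code without anyone typing a command (package-manager lifecycle scripts, git hooks, files that tools load on start) and the environment variable names that look like credentials. The file list and the name patterns are this example's own heuristics; only variable names are printed, never values.

```shell
#!/bin/sh
# Added example; not code from the Codex project or its docs.
# The file names and regexes below are heuristics chosen for this example.

# list_exec_surface REPO: one line per implicit execution point in REPO.
list_exec_surface() {
  repo=$1
  # npm lifecycle scripts run as a side effect of install/prepare/publish.
  # "test" and "build" are deliberately excluded: they run only when invoked.
  if [ -f "$repo/package.json" ]; then
    grep -oE '"(pre|post)?(install|prepare|publish|pack)"[[:space:]]*:' "$repo/package.json" \
      | sed -e 's/[[:space:]]*:$//' -e 's/^/npm-lifecycle: /'
  fi
  # Executable, non-sample git hooks run on commit, checkout, merge and push.
  for hook in "$repo"/.git/hooks/*; do
    if [ -f "$hook" ] && [ -x "$hook" ]; then
      case "$hook" in
        *.sample) ;;
        *) echo "git-hook: ${hook##*/}" ;;
      esac
    fi
  done
  # Files that a tool imports or executes just by being present in the tree:
  # make targets, pytest's conftest, direnv's .envrc, task runners.
  for f in Makefile setup.py conftest.py .envrc justfile Taskfile.yml; do
    if [ -e "$repo/$f" ]; then
      echo "load-time: $f"
    fi
  done
  return 0
}

# list_credential_names: environment variable names matching secret-like
# patterns. Values are never printed; the point is to know what a hostile
# script could read, not to display it.
list_credential_names() {
  env | cut -d= -f1 \
    | grep -Ei '(token|secret|passw|api_?key|credential|^aws_|^gh_|^github_)' \
    | sort | sed 's/^/env-credential: /'
  return 0
}

# Usage: sh threat_inventory.sh /path/to/repo
if [ "$#" -ge 1 ]; then
  list_exec_surface "$1"
  list_credential_names
fi
```

Run it against the repository the task will touch; every line of output is something that executes, or something that can be stolen, the moment the sandbox is widened. If the credential list is not empty, the narrowest fix is usually to unset those variables for the session rather than to trust the repository more.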

Approval policy is not a sandbox

approval_policy = "never" means Codex will not ask; it does not grant access the sandbox forbids, so a blocked command still fails. Conversely, danger-full-access removes the technical boundary: any prompt that still appears is a courtesy check, not an enforcement point, and a command that runs without asking can reach anything the user can.

Check Your Understanding

A test needs one adjacent fixture directory. What is the narrowest useful response?

Answer: keep the sandbox and add the smallest required exception, a writable root for that one directory.

Correct. Extend the boundary only to the required directory.

Do This Now

Run /permissions, identify the active mode, and explain what would trigger the next approval request. Then design the narrowest permission profile for a task that edits one repository, runs tests, and needs no network access.

Primary Source

Codex sandboxing explains boundaries, approval policies, writable roots, and safe defaults.

Questions? Bring me a permission prompt before approving it and we can evaluate the minimum authority required.