Codex Configuration
Sandbox modes, approval policies, and config.toml basics
Codex uses a two-layer security model. Sandbox modes control what the agent can technically do. Approval policies determine when the agent must ask permission. This distinction matters for balancing autonomy with safety.
Sandbox modes
The sandbox restricts filesystem and network access at the OS level:
| Mode | Behavior |
|---|---|
read-only | Agent reads files but cannot write or execute commands without approval |
workspace-write | Agent reads and writes within the project directory; network disabled |
danger-full-access | No restrictions; use only in isolated environments |
The default workspace-write mode suits most development work. The agent can edit code and run tests while remaining contained to the project.
Approval policies
Approval policy determines when Codex pauses for confirmation:
| Policy | Behavior |
|---|---|
untrusted | Asks before most actions |
on-failure | Runs commands in sandbox; asks only if they fail |
on-request | Runs automatically unless the agent explicitly requests escalation |
never | Non-interactive; never asks |
The default on-request policy balances flow with control.
Configuration file
Settings live in ~/.codex/config.toml:
model = "gpt-5-codex"
approval_policy = "on-request"
sandbox_mode = "workspace-write"
[sandbox_workspace_write]
network_access = falseCLI overrides
Flags override config.toml for individual sessions:
codex --sandbox read-only "explain this codebase"
codex --full-auto "refactor the authentication module"The --full-auto flag enables autonomous operation within project boundaries: workspace-write sandbox with on-request approval.