Codex · Part 7

Codex — Part 7 — Approval Modes, Sandboxing, and config.toml

Codex’s safety model runs on two independent layers, what it can technically do and when it must stop and ask, and understanding the difference matters before you trust it on real infrastructure.

Quick idea: Codex security comes from two independent layers: sandbox mode decides what Codex can technically do, and approval policy decides when it has to stop and ask you first.
Sandbox Mode

The technical boundary: what Codex is capable of doing, regardless of what it wants to do.

Approval Policy

The human gate: when Codex has to stop and ask, even for something the sandbox would technically allow.

config.toml

Where both settings live, alongside CLI flags that override them for a single run.

Introduction

Part 4 noted that AGENTS.md is context Codex tries to follow, not a hard guarantee. This post covers the two settings that are a hard guarantee: sandbox mode and approval policy, the same distinction the Claude Code series drew between CLAUDE.md and permission rules.

Two Independent Layers

Codex’s own documentation is direct about this: sandbox mode is what Codex can do technically, for example where it can write and whether it can reach the network. Approval policy is when Codex must ask you before it acts, for example before leaving the sandbox or running something outside a trusted set of commands. The two settings are configured separately and interact rather than substitute for each other.

Key point: A permissive approval policy does not widen what the sandbox allows, and a strict sandbox does not stop Codex from asking to leave it. Review both settings together, not just one.

Sandbox Modes

Mode What Codex Can Do
read-onlyFile reading only. Edits, command execution, and network access are all blocked.
workspace-writeFile edits and command execution inside the active workspace. This is the default.
danger-full-accessNo sandbox enforcement at all, equivalent to the --yolo flag.

Approval Policy Values

Value Behaviour
untrustedOnly safe, read-only operations run automatically. Anything that changes state asks first.
on-requestCodex asks when an action would exceed the sandbox’s boundaries.
neverDisables approval prompts entirely. Use with real caution.
granularSelective control over which categories of prompt surface, such as sandbox escapes, MCP elicitations, or skill approval, set individually.

Where Settings Live

# %USERPROFILE%\.codex\config.toml
approval_policy = "on-request"
sandbox_mode    = "workspace-write"

# Allow network access while still writing only inside the workspace
[sandbox_workspace_write]
network_access = true

The same settings are available as flags for a single run, useful for testing a stricter or looser configuration without editing the config file.

# Set approval behaviour for this run only
codex --ask-for-approval on-request --sandbox workspace-write

# Shorthand for disabling approval prompts
codex -a never

# Full access, no sandbox, no prompts: equivalent to danger-full-access
codex --dangerously-bypass-approvals-and-sandbox
Production note: Treat --dangerously-bypass-approvals-and-sandbox and --yolo the same way the Claude Code series treated bypassPermissions mode: appropriate for a disposable container or VM, not for a session touching production infrastructure.

Recommended Presets

Codex’s own documentation names two presets worth starting from rather than tuning settings from scratch.

Preset Settings Use When
Locked down --sandbox read-only --ask-for-approval on-request You want Codex to read and propose, never act, without you reviewing first
Automation-friendly --sandbox workspace-write --ask-for-approval on-request Routine edits and commands inside a version-controlled project; this is the default preset for that case

A Windows-Specific Layer

On Windows specifically, sandbox enforcement adds one more layer covered in Part 2: an elevated sandbox using a dedicated low-privilege user and firewall rules, or an unelevated fallback using a restricted token when administrator approval for the elevated setup is blocked. That Windows-level setting sits underneath sandbox_mode, controlling how the workspace boundary is actually enforced on that platform.

Final Thoughts

Sandbox mode and approval policy are not the same lever wearing two names. One decides what Codex is capable of; the other decides when a human has to say yes first. Both live in the same config.toml, both have single-run CLI overrides, and both are worth setting deliberately before pointing Codex at anything you would not want changed without a second look.

With the safety model covered, the next post turns to what to do when something in that configuration, or anywhere else, does not behave as documented.

Key takeaway: Start from --sandbox read-only --ask-for-approval on-request if you are not sure yet, and only move to workspace-write once you trust the specific project. Reserve danger-full-access and --yolo for disposable environments, not real infrastructure.
Next in this series

Next, a standing reference for common Codex problems beyond installation: sandbox setup failures, approval surprises, and sessions that behave unexpectedly.