docs/sandbox.md

## Sandbox & approvals

### Approval modes

We've chosen a powerful default for how Codex works on your computer: `Auto`. In this approval mode, Codex can read files, make edits, and run commands in the working directory automatically. However, Codex will need your approval to work outside the working directory or access network.

When you just want to chat, or if you want to plan before diving in, you can switch to `Read Only` mode with the `/approvals` command.

If you need Codex to read files, make edits, and run commands with network access, without approval, you can use `Full Access`. Exercise caution before doing so.

#### Defaults and recommendations

- Codex runs in a sandbox by default with strong guardrails: it prevents editing files outside the workspace and blocks network access unless enabled.
- On launch, Codex detects whether the folder is version-controlled and recommends:
  - Version-controlled folders: `Auto` (workspace write + on-request approvals)
  - Non-version-controlled folders: `Read Only`
- The workspace includes the current directory and temporary directories like `/tmp`. Use the `/status` command to see which directories are in the workspace.
- You can set these explicitly:
  - `codex --sandbox workspace-write --ask-for-approval on-request`
  - `codex --sandbox read-only --ask-for-approval on-request`

### Can I run without ANY approvals?

Yes, you can disable all approval prompts with `--ask-for-approval never`. This option works with all `--sandbox` modes, so you still have full control over Codex's level of autonomy. It will make its best attempt with whatever constraints you provide.

### Common sandbox + approvals combinations

| Intent                             | Flags                                                                                       | Effect                                                                                                                                                |
| ---------------------------------- | ------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| Safe read-only browsing            | `--sandbox read-only --ask-for-approval on-request`                                         | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network.                                    |
| Read-only non-interactive (CI)     | `--sandbox read-only --ask-for-approval never`                                              | Reads only; never escalates                                                                                                                           |
| Let it edit the repo, ask if risky | `--sandbox workspace-write --ask-for-approval on-request`                                   | Codex can read files, make edits, and run commands in the workspace. Codex requires approval for actions outside the workspace or for network access. |
| Auto (preset)                      | `--full-auto` (equivalent to `--sandbox workspace-write` + `--ask-for-approval on-failure`) | Codex can read files, make edits, and run commands in the workspace. Codex requires approval when a sandboxed command fails or needs escalation.      |
| YOLO (not recommended)             | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`)                              | No sandbox; no prompts                                                                                                                                |

> Note: In `workspace-write`, network is disabled by default unless enabled in config (`[sandbox_workspace_write].network_access = true`).

#### Fine-tuning in `config.toml`

```toml
# approval mode
approval_policy = "untrusted"
sandbox_mode    = "read-only"

# full-auto mode
approval_policy = "on-request"
sandbox_mode    = "workspace-write"

# Optional: allow network in workspace-write mode
[sandbox_workspace_write]
network_access = true
```

You can also save presets as **profiles**:

```toml
[profiles.full_auto]
approval_policy = "on-request"
sandbox_mode    = "workspace-write"

[profiles.readonly_quiet]
approval_policy = "never"
sandbox_mode    = "read-only"
```

### Experimenting with the Codex Sandbox

To test to see what happens when a command is run under the sandbox provided by Codex, we provide the following subcommands in Codex CLI:

```
# macOS
codex sandbox macos [--full-auto] [COMMAND]...

# Linux
codex sandbox linux [--full-auto] [COMMAND]...

# Legacy aliases
codex debug seatbelt [--full-auto] [COMMAND]...
codex debug landlock [--full-auto] [COMMAND]...
```

### Platform sandboxing details

The mechanism Codex uses to implement the sandbox policy depends on your OS:

- **macOS 12+** uses **Apple Seatbelt** and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` that was specified.
- **Linux** uses a combination of Landlock/seccomp APIs to enforce the `sandbox` configuration.

Note that when running Linux in a containerized environment such as Docker, sandboxing may not work if the host/container configuration does not support the necessary Landlock/seccomp APIs. In such cases, we recommend configuring your Docker container so that it provides the sandbox guarantees you are looking for and then running `codex` with `--sandbox danger-full-access` (or, more simply, the `--dangerously-bypass-approvals-and-sandbox` flag) within your container.
README / docs refactor (#2724) This PR cleans up the monolithic README by breaking it into a set navigable pages under docs/ (install, getting started, configuration, authentication, sandboxing and approvals, platform details, FAQ, ZDR, contributing, license). The top‑level README is now more concise and intuitive, (with corrected screenshots). It also consolidates overlapping content from codex-rs/README.md into the top‑level docs and updates links accordingly. The codex-rs README remains in place for now as a pointer and for continuity. Finally, added an extensive config reference table at the bottom of docs/config.md. --------- Co-authored-by: easong-openai <easong@openai.com> 2025-08-27 10:30:39 -07:00			`## Sandbox & approvals`

			`### Approval modes`

			We've chosen a powerful default for how Codex works on your computer: `Auto`. In this approval mode, Codex can read files, make edits, and run commands in the working directory automatically. However, Codex will need your approval to work outside the working directory or access network.

			When you just want to chat, or if you want to plan before diving in, you can switch to `Read Only` mode with the `/approvals` command.

			If you need Codex to read files, make edits, and run commands with network access, without approval, you can use `Full Access`. Exercise caution before doing so.

			`#### Defaults and recommendations`

			`- Codex runs in a sandbox by default with strong guardrails: it prevents editing files outside the workspace and blocks network access unless enabled.`
			`- On launch, Codex detects whether the folder is version-controlled and recommends:`
			- Version-controlled folders: `Auto` (workspace write + on-request approvals)
			- Non-version-controlled folders: `Read Only`
			- The workspace includes the current directory and temporary directories like `/tmp`. Use the `/status` command to see which directories are in the workspace.
			`- You can set these explicitly:`
			- `codex --sandbox workspace-write --ask-for-approval on-request`
			- `codex --sandbox read-only --ask-for-approval on-request`

			`### Can I run without ANY approvals?`

fix typo in sandbox doc (#4256) just fixes a simple typo I noticed. 2025-09-25 16:03:44 -07:00			Yes, you can disable all approval prompts with `--ask-for-approval never`. This option works with all `--sandbox` modes, so you still have full control over Codex's level of autonomy. It will make its best attempt with whatever constraints you provide.
README / docs refactor (#2724) This PR cleans up the monolithic README by breaking it into a set navigable pages under docs/ (install, getting started, configuration, authentication, sandboxing and approvals, platform details, FAQ, ZDR, contributing, license). The top‑level README is now more concise and intuitive, (with corrected screenshots). It also consolidates overlapping content from codex-rs/README.md into the top‑level docs and updates links accordingly. The codex-rs README remains in place for now as a pointer and for continuity. Finally, added an extensive config reference table at the bottom of docs/config.md. --------- Co-authored-by: easong-openai <easong@openai.com> 2025-08-27 10:30:39 -07:00
			`### Common sandbox + approvals combinations`

chore: subject docs/*.md to Prettier checks (#4645) Apparently we were not running our `pnpm run prettier` check in CI, so many files that were covered by the existing Prettier check were not well-formatted. This updates CI and formats the files. 2025-10-03 11:35:48 -07:00			`\| Intent \| Flags \| Effect \|`
			`\| ---------------------------------- \| ------------------------------------------------------------------------------------------- \| ----------------------------------------------------------------------------------------------------------------------------------------------------- \|`
			\| Safe read-only browsing \| `--sandbox read-only --ask-for-approval on-request` \| Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. \|
			\| Read-only non-interactive (CI) \| `--sandbox read-only --ask-for-approval never` \| Reads only; never escalates \|
			\| Let it edit the repo, ask if risky \| `--sandbox workspace-write --ask-for-approval on-request` \| Codex can read files, make edits, and run commands in the workspace. Codex requires approval for actions outside the workspace or for network access. \|
			\| Auto (preset) \| `--full-auto` (equivalent to `--sandbox workspace-write` + `--ask-for-approval on-failure`) \| Codex can read files, make edits, and run commands in the workspace. Codex requires approval when a sandboxed command fails or needs escalation. \|
			\| YOLO (not recommended) \| `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) \| No sandbox; no prompts \|
README / docs refactor (#2724) This PR cleans up the monolithic README by breaking it into a set navigable pages under docs/ (install, getting started, configuration, authentication, sandboxing and approvals, platform details, FAQ, ZDR, contributing, license). The top‑level README is now more concise and intuitive, (with corrected screenshots). It also consolidates overlapping content from codex-rs/README.md into the top‑level docs and updates links accordingly. The codex-rs README remains in place for now as a pointer and for continuity. Finally, added an extensive config reference table at the bottom of docs/config.md. --------- Co-authored-by: easong-openai <easong@openai.com> 2025-08-27 10:30:39 -07:00
			> Note: In `workspace-write`, network is disabled by default unless enabled in config (`[sandbox_workspace_write].network_access = true`).

			#### Fine-tuning in `config.toml`

			```toml
			`# approval mode`
			`approval_policy = "untrusted"`
			`sandbox_mode = "read-only"`

			`# full-auto mode`
			`approval_policy = "on-request"`
			`sandbox_mode = "workspace-write"`

			`# Optional: allow network in workspace-write mode`
			`[sandbox_workspace_write]`
			`network_access = true`
			```

			`You can also save presets as profiles:`

			```toml
			`[profiles.full_auto]`
			`approval_policy = "on-request"`
			`sandbox_mode = "workspace-write"`

			`[profiles.readonly_quiet]`
			`approval_policy = "never"`
			`sandbox_mode = "read-only"`
			```

			`### Experimenting with the Codex Sandbox`

			`To test to see what happens when a command is run under the sandbox provided by Codex, we provide the following subcommands in Codex CLI:`

			```
			`# macOS`
add `codex sandbox {linux\|macos}` (#4782) ## Summary - add a `codex sandbox` subcommand with macOS and Linux targets while keeping the legacy `codex debug` aliases - update documentation to highlight the new sandbox entrypoints and point existing references to the new command - clarify the core README about the linux sandbox helper alias ## Testing - just fmt - just fix -p codex-cli - cargo test -p codex-cli ------ https://chatgpt.com/codex/tasks/task_i_68e2e00ca1e8832d8bff53aa0b50b49e 2025-10-05 15:51:57 -07:00			`codex sandbox macos [--full-auto] [COMMAND]...`
README / docs refactor (#2724) This PR cleans up the monolithic README by breaking it into a set navigable pages under docs/ (install, getting started, configuration, authentication, sandboxing and approvals, platform details, FAQ, ZDR, contributing, license). The top‑level README is now more concise and intuitive, (with corrected screenshots). It also consolidates overlapping content from codex-rs/README.md into the top‑level docs and updates links accordingly. The codex-rs README remains in place for now as a pointer and for continuity. Finally, added an extensive config reference table at the bottom of docs/config.md. --------- Co-authored-by: easong-openai <easong@openai.com> 2025-08-27 10:30:39 -07:00
			`# Linux`
add `codex sandbox {linux\|macos}` (#4782) ## Summary - add a `codex sandbox` subcommand with macOS and Linux targets while keeping the legacy `codex debug` aliases - update documentation to highlight the new sandbox entrypoints and point existing references to the new command - clarify the core README about the linux sandbox helper alias ## Testing - just fmt - just fix -p codex-cli - cargo test -p codex-cli ------ https://chatgpt.com/codex/tasks/task_i_68e2e00ca1e8832d8bff53aa0b50b49e 2025-10-05 15:51:57 -07:00			`codex sandbox linux [--full-auto] [COMMAND]...`

			`# Legacy aliases`
			`codex debug seatbelt [--full-auto] [COMMAND]...`
README / docs refactor (#2724) This PR cleans up the monolithic README by breaking it into a set navigable pages under docs/ (install, getting started, configuration, authentication, sandboxing and approvals, platform details, FAQ, ZDR, contributing, license). The top‑level README is now more concise and intuitive, (with corrected screenshots). It also consolidates overlapping content from codex-rs/README.md into the top‑level docs and updates links accordingly. The codex-rs README remains in place for now as a pointer and for continuity. Finally, added an extensive config reference table at the bottom of docs/config.md. --------- Co-authored-by: easong-openai <easong@openai.com> 2025-08-27 10:30:39 -07:00			`codex debug landlock [--full-auto] [COMMAND]...`
			```

			`### Platform sandboxing details`

			`The mechanism Codex uses to implement the sandbox policy depends on your OS:`

			- macOS 12+ uses Apple Seatbelt and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` that was specified.
			- Linux uses a combination of Landlock/seccomp APIs to enforce the `sandbox` configuration.

chore: subject docs/*.md to Prettier checks (#4645) Apparently we were not running our `pnpm run prettier` check in CI, so many files that were covered by the existing Prettier check were not well-formatted. This updates CI and formats the files. 2025-10-03 11:35:48 -07:00			Note that when running Linux in a containerized environment such as Docker, sandboxing may not work if the host/container configuration does not support the necessary Landlock/seccomp APIs. In such cases, we recommend configuring your Docker container so that it provides the sandbox guarantees you are looking for and then running `codex` with `--sandbox danger-full-access` (or, more simply, the `--dangerously-bypass-approvals-and-sandbox` flag) within your container.