#059
Codex
The sandbox governs ALL spawned processes — not just Codex's own file operations
Every process Codex spawns inherits the sandbox: git, npm, test runners, package managers. workspace-write mode still blocks git commit because .git/ is a protected path.
"The sandbox applies to spawned commands, not just to Codex's built-in file operations. If Codex runs tools like git, package managers, or test runners, those commands inherit the same sandbox boundaries."
↗ Source
#060
Codex
.git/ and .codex/ stay read-only even in workspace-write mode
These protected paths remain read-only even when the rest of the workspace is writable. Use the rules key to create specific command exceptions rather than escalating to full access.
"In workspace-write mode, some environments keep .git/ and .codex/ read-only even when the rest of the workspace is writable."
↗ Source
#061
Codex
--full-auto and --yolo are completely different risk profiles
--full-auto = workspace-write sandbox + on-request approvals. --yolo removes ALL boundaries. Using --yolo on a regular developer machine is a serious security mistake.
"Set --full-auto for unattended local work, but avoid combining it with --dangerously-bypass-approvals-and-sandbox unless you are inside a dedicated sandbox VM."
↗ Source
#062
Codex
Use writable_roots to extend the sandbox surgically instead of removing it
Add specific directories via sandbox_workspace_write.writable_roots. Targeted extension keeps the sandbox intact for everything else — almost always better than escalating to danger-full-access.
"If you need Codex to work across more than one directory, writable roots let you extend the places it can modify without removing the sandbox entirely."
↗ Source
#063
Codex
The rules key allows/rejects specific command prefixes without touching sandbox mode
Declaratively allow, prompt, or forbid specific command prefixes. Block git push while allowing all other git commands — without changing sandbox_mode at all.
"When a workflow needs a specific exception, use rules. Rules let you allow, prompt, or forbid command prefixes outside the sandbox."
↗ Source
#064
Codex
Untrusted projects skip the entire .codex/ layer — config, AGENTS.md, and all project settings
If a project is marked untrusted, its entire .codex/ layer is silently skipped. No project config, no project AGENTS.md. The untrusted flag is all-or-nothing.
"If you mark a project as untrusted, Codex skips project-scoped .codex/ layers (including .codex/config.toml) and falls back to user, system, and built-in defaults."
↗ Source
#065
Codex
Named profiles switch model + sandbox + approval mode in one CLI flag
Define [profiles.deep-review] with Opus + high reasoning + never-approval. Switch with codex --profile deep-review. Profiles are the correct mechanism for per-task resource allocation.
"[profiles.deep-review] model = 'gpt-5-pro' model_reasoning_effort = 'high' approval_policy = 'never' … To make a profile the default, add profile = 'deep-review' at the top level of config.toml."
↗ Source
#066
Codex
The [otel] block enables full OpenTelemetry export of all Codex execution events
Set exporter = "otlp-http" to send Codex traces to your observability stack. log_user_prompt = false (default) redacts prompts from export.
"Enable OpenTelemetry (OTel) log export to track Codex runs (API requests, SSE/events, prompts, tool approvals/results). Disabled by default."
↗ Source
#067
Codex
Smart Approvals can route repeated requests through a guardian subagent automatically
Smart Approvals delegates recurring approval decisions to a guardian subagent for automated evaluation. This reduces approval fatigue without fully disabling approvals — safer than approval_policy = "never".
"Smart Approvals can now route review requests through a guardian subagent in core, app-server, and TUI, reducing repeated setup work on follow-up approvals."
↗ Source
#068
Codex
Use codex sandbox -- <command> to test if a command would be blocked
The codex sandbox subcommand runs any shell command under the exact same policies Codex uses during a session. Test before building automation around it.
"Use the sandbox helper to run a command under the same policies Codex uses internally."
↗ Source
#069
Codex
Enterprise requirements.toml enforces policy floors that no user config can override
Admins can ship requirements.toml disallowing dangerous configs. These are hard floors — no user config, profile, or CLI flag can bypass them. The correct architecture for enterprise compliance.
"On managed machines, your organization may also enforce constraints via requirements.toml (for example, disallowing approval_policy = 'never')."
↗ Source
#070
Codex
Spawned subagents now reliably inherit parent sandbox and network rules
A recent fix: subagents now correctly inherit project-profile sandbox layering and persisted host approvals. Before this fix, subagents could silently run with more permissive sandbox rules than the parent.
"Spawned subagents now inherit sandbox and network rules more reliably, including project-profile layering, persisted host approvals, and symlinked writable roots."
↗ Source
#071
Both
Devcontainer + custom firewall = safe way to use full-bypass flags in unattended operation
Claude Code's devcontainer reference ships a firewall whitelisting only necessary domains. Inside it, --dangerously-skip-permissions is safe. The network firewall provides the security boundary the flag removes.
"The container's enhanced security measures (isolation and firewall rules) allow you to run claude --dangerously-skip-permissions to bypass permission prompts for unattended operation."
↗ Source
#072
Codex
Override the commit co-author trailer — set empty string to remove it entirely
Codex adds a co-author trailer to commits by default. Set commit_coauthor_trailer = "" to disable. Use for internal repos where AI co-authorship shouldn't appear in the git log.
"Override the commit co-author trailer text. Set an empty string to disable automatic attribution."
↗ Source
#073
Codex
tui.alternate_screen = "never" keeps terminal scrollback intact after sessions
By default, Codex clears terminal scrollback on exit (like vim). Set this to keep all session output in your scroll history — critical for post-session debugging without checking log files.
"tui.alternate_screen: control alternate screen usage (set to never to keep terminal scrollback)"
↗ Source
#074
Codex
The notify config key triggers external programs on agent-turn-complete
Triggers an external program when Codex emits supported events. Use for desktop notifications, Slack webhooks, CI pipeline triggers — any side-channel alerting beyond what the built-in TUI covers.
"Use notify to trigger an external program whenever Codex emits supported events (currently only agent-turn-complete)."
↗ Source