> approvals & sandbox
Codex has two independent safety dials: the sandbox decides what commands can technically touch (files, network), and the approval policy decides when Codex pauses to ask you. This section covers both, the --full-auto and --yolo presets, and how to widen access deliberately. The mental model is that the sandbox is the fence and approvals are the checkpoints — set them together, because "never ask" inside a read-only sandbox is still safe, while --yolo removes both.
// approvals & sandbox
6 commands$ codex --sandbox read-only "audit this code for injection bugs"$ codex --ask-for-approval on-request "refactor and run the tests"$ codex --full-auto "run the tests and fix whatever breaks"$ codex --yolo "set up the dev environment from scratch"$ codex --add-dir ../shared-lib "update the shared types"$ /permissions// faq
What are the sandbox modes?
read-only lets Codex read and answer but not edit or run mutating commands; workspace-write lets it edit files and run commands inside the project, with network off by default; danger-full-access removes all OS-level restrictions. Set per run with --sandbox or persist with sandbox_mode in config.toml.
What do the approval policies mean?
untrusted asks before anything not known-safe; on-request (the repo default) works freely inside the sandbox and asks only to step outside it or use the network; never never prompts. The sandbox still constrains never, so it is not a blank check on its own.
What does --full-auto do, and how is it different from --yolo?
--full-auto is shorthand for --sandbox workspace-write --ask-for-approval on-request: hands-off inside the workspace, asks to leave it. --yolo (alias for --dangerously-bypass-approvals-and-sandbox) removes the sandbox and all approvals entirely, so it is only for throwaway containers.
Why do network commands fail even in workspace-write?
Because workspace-write disables outbound network by default. Enable it with the sandbox_workspace_write.network_access = true config key (or -c sandbox_workspace_write.network_access=true), so package installs and fetches can reach the network.