> approvals & sandbox

Codex has two independent safety dials: the sandbox decides what commands can technically touch (files, network), and the approval policy decides when Codex pauses to ask you. This section covers both, the --full-auto and --yolo presets, and how to widen access deliberately. The mental model is that the sandbox is the fence and approvals are the checkpoints — set them together, because "never ask" inside a read-only sandbox is still safe, while --yolo removes both.

// approvals & sandbox

6 commands

// faq

What are the sandbox modes?

read-only lets Codex read and answer but not edit or run mutating commands; workspace-write lets it edit files and run commands inside the project, with network off by default; danger-full-access removes all OS-level restrictions. Set per run with --sandbox or persist with sandbox_mode in config.toml.

What do the approval policies mean?

untrusted asks before anything not known-safe; on-request (the repo default) works freely inside the sandbox and asks only to step outside it or use the network; never never prompts. The sandbox still constrains never, so it is not a blank check on its own.

What does --full-auto do, and how is it different from --yolo?

--full-auto is shorthand for --sandbox workspace-write --ask-for-approval on-request: hands-off inside the workspace, asks to leave it. --yolo (alias for --dangerously-bypass-approvals-and-sandbox) removes the sandbox and all approvals entirely, so it is only for throwaway containers.

Why do network commands fail even in workspace-write?

Because workspace-write disables outbound network by default. Enable it with the sandbox_workspace_write.network_access = true config key (or -c sandbox_workspace_write.network_access=true), so package installs and fetches can reach the network.