Choose what the sandbox can touch

approvals & sandbox

// what it does

-s/--sandbox sets what model-generated commands may touch. read-only inspects only; workspace-write lets Codex edit files and run commands inside the project (network off by default); danger-full-access removes every restriction. Persist the choice with sandbox_mode in config.toml.

// shell

$ codex --sandbox read-only "audit this code for injection bugs"
$ codex --sandbox workspace-write "apply the fixes and run the tests"

// gotcha

danger-full-access disables the OS sandbox entirely — only use it inside a container or VM you already trust. workspace-write blocks the network by default, so installs and fetches fail until you enable network access.

// resources