Choose what the sandbox can touch
approvals & sandbox
// what it does
-s/--sandbox sets what model-generated commands may touch. read-only inspects only; workspace-write lets Codex edit files and run commands inside the project (network off by default); danger-full-access removes every restriction. Persist the choice with sandbox_mode in config.toml.
// shell
$ codex --sandbox read-only "audit this code for injection bugs"$ codex --sandbox workspace-write "apply the fixes and run the tests"// gotcha
danger-full-access disables the OS sandbox entirely — only use it inside a container or VM you already trust. workspace-write blocks the network by default, so installs and fetches fail until you enable network access.