agent-approvals-security.md +62 −1
73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.73- `<writable_root>/.codex` is protected as read-only when it exists as a directory.
74- Protection is recursive, so everything under those paths is read-only.74- Protection is recursive, so everything under those paths is read-only.
75 75
76### Deny reads with filesystem profiles
77
78Named permission profiles can also deny reads for exact paths or glob patterns.
79This is useful when a workspace should stay writable but specific sensitive
80files, such as local environment files, must stay unreadable:
81
82```toml
83default_permissions = "workspace"
84
85[permissions.workspace.filesystem]
86":project_roots" = { "." = "write", "**/*.env" = "none" }
87glob_scan_max_depth = 3
88```
89
90Use `"none"` for paths or globs that Codex shouldn't read. The sandbox policy
91evaluates globs for local macOS and Linux command execution. On platforms that
92pre-expand glob matches before the sandbox starts, set `glob_scan_max_depth` for
93unbounded `**` patterns, or list explicit depths such as `*.env`, `*/*.env`, and
94`*/*/*.env`.
95
76### Run without approval prompts96### Run without approval prompts
77 97
78You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).98You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).
83 103
84For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.104For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.
85 105
86106Set `approvals_reviewer = "guardian_subagent"` to route eligible approval reviews through the Guardian reviewer subagent instead of prompting the user directly. Admin requirements can constrain this with `allowed_approvals_reviewers`.### Automatic approval reviews
107
108By default, approval requests route to you:
109
110```toml
111approvals_reviewer = "user"
112```
113
114Automatic approval reviews apply when approvals are interactive, such as
115`approval_policy = "on-request"` or a granular approval policy. Set
116`approvals_reviewer = "auto_review"` to route eligible approval requests
117through a reviewer agent before Codex runs the request:
118
119```toml
120approval_policy = "on-request"
121approvals_reviewer = "auto_review"
122```
123
124The reviewer evaluates only actions that already need approval, such as sandbox
125escalations, network requests, `request_permissions` prompts, or side-effecting
126app and MCP tool calls. Actions that stay inside the sandbox continue without an
127extra review step.
128
129The reviewer policy checks for data exfiltration, credential probing, persistent
130security weakening, and destructive actions. Low-risk and medium-risk actions
131can proceed when policy allows them. The policy denies critical-risk actions.
132High-risk actions require enough user authorization and no matching deny rule.
133Timeouts, parse failures, and review errors fail closed.
134
135The [default reviewer policy](https://github.com/openai/codex/blob/main/codex-rs/core/src/guardian/policy.md)
136is in the open-source Codex repository. Enterprises can replace its
137tenant-specific section with `guardian_policy_config` in managed requirements.
138Local `[auto_review].policy` text is also supported, but managed requirements
139take precedence. For setup details, see
140[Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-automatic-review-policy).
141
142In the Codex app, these reviews appear as automatic review items with a status such
143as Reviewing, Approved, Denied, Stopped, or Timed out. They can also include a
144risk level for the reviewed request.
145
146Automatic review uses extra model calls, so it can add to Codex usage. Admins
147can constrain it with `allowed_approvals_reviewers`.
87 148
88### Common sandbox and approval combinations149### Common sandbox and approval combinations
89 150