agent-approvals-security.md +52 −9
24- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.24- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.
25- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.25- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.
26 26
2727In the `Auto` preset (for example, `--full-auto`), Codex can read files, make edits, and run commands in the working directory automatically.In the `Auto` preset (for example, `--sandbox workspace-write --ask-for-approval on-request`), Codex can read files, make edits, and run commands in the working directory automatically.
28 28
29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.
30 30
31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).
32 32
3333## Network access [Elevated Risk](https://help.openai.com/articles/20001061)## Network access <ElevatedRiskBadge class="ml-2" />
34 34
35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.
36 36
103 103
104For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.104For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.
105 105
106106Set `approvals_reviewer = "guardian_subagent"` to route eligible approval reviews through the Guardian reviewer subagent instead of prompting the user directly. Admin requirements can constrain this with `allowed_approvals_reviewers`.### Automatic approval reviews
107
108By default, approval requests route to you:
109
110```toml
111approvals_reviewer = "user"
112```
113
114Automatic approval reviews apply when approvals are interactive, such as
115`approval_policy = "on-request"` or a granular approval policy. Set
116`approvals_reviewer = "auto_review"` to route eligible approval requests
117through a reviewer agent before Codex runs the request:
118
119```toml
120approval_policy = "on-request"
121approvals_reviewer = "auto_review"
122```
123
124The reviewer evaluates only actions that already need approval, such as sandbox
125escalations, network requests, `request_permissions` prompts, or side-effecting
126app and MCP tool calls. Actions that stay inside the sandbox continue without an
127extra review step.
128
129The reviewer policy checks for data exfiltration, credential probing, persistent
130security weakening, and destructive actions. Low-risk and medium-risk actions
131can proceed when policy allows them. The policy denies critical-risk actions.
132High-risk actions require enough user authorization and no matching deny rule.
133Timeouts, parse failures, and review errors fail closed.
134
135The [default reviewer policy](https://github.com/openai/codex/blob/main/codex-rs/core/src/guardian/policy.md)
136is in the open-source Codex repository. Enterprises can replace its
137tenant-specific section with `guardian_policy_config` in managed requirements.
138Local `[auto_review].policy` text is also supported, but managed requirements
139take precedence. For setup details, see
140[Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-automatic-review-policy).
141
142In the Codex app, these reviews appear as automatic review items with a status such
143as Reviewing, Approved, Denied, Stopped, or Timed out. They can also include a
144risk level for the reviewed request.
145
146Automatic review uses extra model calls, so it can add to Codex usage. Admins
147can constrain it with `allowed_approvals_reviewers`.
107 148
108### Common sandbox and approval combinations149### Common sandbox and approval combinations
109 150
110| Intent | Flags | Effect |151| Intent | Flags | Effect |
111| ----------------------------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ |152| ----------------------------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ |
112153| Auto (preset) | *no flags needed* or `--full-auto` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. || Auto (preset) | _no flags needed_ or `--sandbox workspace-write --ask-for-approval on-request` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |
113| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |154| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |
114| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |155| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |
115| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |156| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |
116157| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | [Elevated Risk](https://help.openai.com/articles/20001061) No sandbox; no approvals *(not recommended)* || Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | <ElevatedRiskBadge /> No sandbox; no approvals _(not recommended)_ |
117 158
118159`--full-auto` is a convenience alias for `--sandbox workspace-write --ask-for-approval on-request`.For non-interactive runs, use `codex exec --sandbox workspace-write`; Codex keeps older `codex exec --full-auto` invocations as a deprecated compatibility path and prints a warning.
119 160
120With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.161With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.
121 162
161 202
162```bash203```bash
163# macOS204# macOS
164205codex sandbox macos [--full-auto] [--log-denials] [COMMAND]...codex sandbox macos [--permissions-profile <name>] [--log-denials] [COMMAND]...
165# Linux206# Linux
166207codex sandbox linux [--full-auto] [COMMAND]...codex sandbox linux [--permissions-profile <name>] [COMMAND]...
208# Windows
209codex sandbox windows [--permissions-profile <name>] [COMMAND]...
167```210```
168 211
169The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).212The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).
225 268
2261. Install Visual Studio Code and the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).2691. Install Visual Studio Code and the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).
2272. Copy the Codex example `.devcontainer` setup into your repository, or start from the Codex repository directly.2702. Copy the Codex example `.devcontainer` setup into your repository, or start from the Codex repository directly.
2282713. In VS Code, run **Dev Containers: Open Folder in Container…** and select `.devcontainer/devcontainer.secure.json`.3. In VS Code, run **Dev Containers: Open Folder in Container...** and select `.devcontainer/devcontainer.secure.json`.
2294. After the container starts, open a terminal and run `codex`.2724. After the container starts, open a terminal and run `codex`.
230 273
231You can also start the container from the CLI:274You can also start the container from the CLI: