How to set Codex sandbox mode

Codex sandbox mode sets the local boundary for model-generated commands before a session starts. read-only fits planning and review work, while workspace-write lets Codex edit the current project without giving every command full host access.

The CLI accepts --sandbox for one launch and sandbox_mode in ~/.codex/config.toml for the default. The documented mode values are read-only, workspace-write, and danger-full-access. For workspace-write, the normal workspace is the directory where codex is started or the one selected with -C.

Sandbox mode is separate from approval policy and command network access. Full local access means pairing danger-full-access with an approval policy such as never, while ordinary local automation usually pairs workspace-write with on-request and leaves sandbox_workspace_write.network_access off unless commands need outbound access.

Steps to set Codex sandbox mode:

  1. Review the sandbox modes exposed by the installed Codex CLI.
    $ codex --help
    ##### snipped #####
      -s, --sandbox <SANDBOX_MODE>
              Select the sandbox policy to use when executing model-generated shell commands
              
              [possible values: read-only, workspace-write, danger-full-access]
    ##### snipped #####

    The current top-level codex command exposes --sandbox as a launch flag, so there is no separate sandbox-mode subcommand.

  2. Start a read-only session when the task only needs inspection or planning.
    $ codex --sandbox read-only --ask-for-approval on-request

    read-only lets Codex inspect files, but edits and commands that need more access must go through the approval flow.

  3. Start a workspace-write session for normal project edits.
    $ codex --sandbox workspace-write --ask-for-approval on-request

    workspace-write can edit inside the active workspace. Use -C to choose the primary working root before launch.

  4. Use full access only inside an externally isolated environment.
    $ codex --sandbox danger-full-access --ask-for-approval never

    danger-full-access removes the filesystem and network sandbox. If the session only needs one extra path, add that path instead of removing the sandbox boundary.

  5. Create the user config directory when it does not exist.
    $ mkdir -p ~/.codex

  6. Open the Codex config file.
    $ vi ~/.codex/config.toml

    Use a project .codex/config.toml only when the default should apply to one trusted project instead of every local Codex session.

  7. Set the saved sandbox mode and its paired local controls.
    sandbox_mode = "workspace-write"
    approval_policy = "on-request"
     
    [sandbox_workspace_write]
    network_access = false

    For reusable filesystem and network profiles, use permission profiles instead of mixing them with sandbox_mode and [sandbox_workspace_write] in the same session.

  8. Check the saved config values.
    $ cat ~/.codex/config.toml
    sandbox_mode = "workspace-write"
    approval_policy = "on-request"
    
    [sandbox_workspace_write]
    network_access = false

  9. Check that Codex loads the saved configuration.
    $ codex doctor --summary --ascii --no-color
    Codex Doctor v0.139.0
    ##### snipped #####
    Configuration
      [ok] config       loaded
      [ok] sandbox      restricted fs + restricted network - approval OnRequest
    ##### snipped #####

    Authentication or connectivity notes can appear when login or network access is missing. For this check, confirm the Configuration section reports a loaded config and the expected sandbox boundary.

  10. Start a new Codex session so the saved mode loads.
    $ codex

    Already-running sessions keep their current permissions until they are changed inside the session or restarted.

  11. Change the active session without restarting when the task boundary changes.
    /permissions

    The permissions picker updates the active sandbox and approval behavior for the current session.