How to set Codex sandbox mode

Sandbox mode controls what Codex is allowed to change when it runs model-generated shell commands. Picking the right mode keeps routine work inside a predictable boundary and reduces the chance of unintended edits or network access.

Current Codex releases expose three sandbox modes: read-only, workspace-write, and danger-full-access. Use the dedicated --sandbox flag to set the mode for a session, or save a default with sandbox_mode in ~/.codex/config.toml.

Sandbox mode does not change approval prompts by itself. workspace-write is the normal local editing boundary, while danger-full-access removes the filesystem and network restrictions entirely and should be reserved for already isolated environments such as a disposable VM or container.

Steps to set Codex sandbox mode:

  1. Review the sandbox modes exposed by the installed Codex CLI.
    $ codex --help
    ##### snipped #####
      -s, --sandbox <SANDBOX_MODE>
              Select the sandbox policy to use when executing model-generated shell commands
              
              [possible values: read-only, workspace-write, danger-full-access]
    ##### snipped #####

    The current top-level codex command exposes the dedicated --sandbox flag, so there is no separate sandbox-mode subcommand.

  2. Start Codex with the default read-only sandbox when the task only needs inspection, planning, or proposed patches.
    $ codex --sandbox read-only

    read-only blocks file edits and keeps command execution behind approvals, which fits repo walkthroughs and review work.

  3. Start Codex with workspace-write when the session needs to edit files inside the current working root.
    $ codex --sandbox workspace-write

    The writable boundary follows the directory where Codex starts, or the path passed with -C. The current --full-auto preset also uses workspace-write.

  4. Start Codex with danger-full-access only when the host is already isolated and the task really needs unrestricted commands.
    $ codex --sandbox danger-full-access

    danger-full-access removes the sandbox boundary entirely, including the normal network restriction. If the only missing capability is writing to another path, prefer --add-dir instead of disabling the sandbox.

  5. Set a persistent default mode in ~/.codex/config.toml.
    sandbox_mode = 'workspace-write'

    Replace workspace-write with read-only or danger-full-access when that better matches the default operating boundary.

  6. Start a new Codex session after saving the config file.
    $ codex

    The next session loads the saved sandbox_mode value from ~/.codex/config.toml unless a CLI flag or profile overrides it.

  7. Verify the saved default mode from the config file.
    $ grep '^sandbox_mode' ~/.codex/config.toml
    sandbox_mode = 'workspace-write'

    Sandbox mode and approval policy are separate settings, so also change approval_policy when the session should prompt for approval more or less often.
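
An added example (not from the Codex project) that extends the grep check in step 7: it reports which TOML table each sandbox_mode assignment sits in, so a profile-level value is not mistaken for the top-level default, and it flags a saved danger-full-access or a mistyped mode. The function names and the sample file, including the profile table named vm, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Codex project code. Function names are illustrative.

# Print each sandbox_mode assignment as "<table>|<value>"; <table> is
# "top-level" or the enclosing TOML table name.
codex_sandbox_modes() {
    awk -v sq="'" '
        /^[ \t]*#/ { next }                    # whole-line comment
        /^[ \t]*\[/ {                          # table header
            table = $0
            sub(/^[ \t]*\[+/, "", table); sub(/\].*$/, "", table)
            next
        }
        /^[ \t]*sandbox_mode[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)    # drop key and "="
            sub(/[ \t]*#.*$/, "", value)       # drop trailing comment
            gsub("[\"" sq "]", "", value)      # drop either quote style
            sub(/[ \t\r]+$/, "", value)
            name = (table == "" ? "top-level" : table)
            print name "|" value
        }
    ' "$1"
}

# Returns 0 when every assignment is read-only or workspace-write (or none
# is set), 1 on danger-full-access or an unrecognised value, 2 if unreadable.
codex_sandbox_audit() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    rc=0
    while IFS='|' read -r table value; do
        [ -n "$table" ] || continue
        case "$value" in
            read-only|workspace-write) ;;
            danger-full-access) echo "WARN [$table] sandbox disabled"; rc=1 ;;
            *) echo "WARN [$table] unrecognised mode: $value"; rc=1 ;;
        esac
    done <<EOF
$(codex_sandbox_modes "$1")
EOF
    return "$rc"
}

# Constructed sample config; the profile table name "vm" is made up.
sample=$(mktemp)
printf '%s\n' "sandbox_mode = 'workspace-write'" '[profiles.vm]' \
    'sandbox_mode = "danger-full-access"  # disposable VM only' >"$sample"
codex_sandbox_audit "$sample" || echo "review the settings flagged above"
rm -f "$sample"
```

To check the real file, call codex_sandbox_audit with ~/.codex/config.toml as its argument.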