Codex sandbox mode sets the local boundary for model-generated commands before a session starts. read-only fits planning and review work, while workspace-write lets Codex edit the current project without giving every command full host access.
The CLI accepts --sandbox for one launch and sandbox_mode in ~/.codex/config.toml for the default. The documented mode values are read-only, workspace-write, and danger-full-access, and the working directory from codex or -C defines the normal workspace for workspace-write.
Sandbox mode is separate from approval policy and command network access. Full local access means pairing danger-full-access with an approval policy such as never, while ordinary local automation usually pairs workspace-write with on-request and leaves sandbox_workspace_write.network_access off unless commands need outbound access.
Related: How to set Codex approval policy
Related: How to add a writable directory for Codex
Steps to set Codex sandbox mode:
- Review the sandbox modes exposed by the installed Codex CLI.
$ codex --help
##### snipped #####
  -s, --sandbox <SANDBOX_MODE>
          Select the sandbox policy to use when executing model-generated shell commands [possible values: read-only, workspace-write, danger-full-access]
##### snipped #####
The current top-level codex command exposes --sandbox as a launch flag, so there is no separate sandbox-mode subcommand.
- Start a read-only session when the task only needs inspection or planning.
$ codex --sandbox read-only --ask-for-approval on-request
read-only lets Codex inspect files, but edits and commands that need more access must go through the approval flow.
Related: How to set Codex approval policy
- Start a workspace-write session for normal project edits.
$ codex --sandbox workspace-write --ask-for-approval on-request
workspace-write can edit inside the active workspace. Use -C to choose the primary working root before launch.
Related: How to set the working directory for Codex
Related: How to set Codex approval policy
- Use full access only inside an externally isolated environment.
$ codex --sandbox danger-full-access --ask-for-approval never
danger-full-access removes the filesystem and network sandbox. If the session only needs one extra path, add that path instead of removing the sandbox boundary.
- Create the user config directory when it does not exist.
$ mkdir -p ~/.codex
- Open the Codex config file.
$ vi ~/.codex/config.toml
Use a project .codex/config.toml only when the default should apply to one trusted project instead of every local Codex session.
- Set the saved sandbox mode and its paired local controls.
sandbox_mode = "workspace-write"
approval_policy = "on-request"

[sandbox_workspace_write]
network_access = false
For reusable filesystem and network profiles, use permission profiles instead of mixing them with sandbox_mode and [sandbox_workspace_write] in the same session.
Related: How to set Codex approval policy
- Check the saved config values.
$ cat ~/.codex/config.toml
sandbox_mode = "workspace-write"
approval_policy = "on-request"

[sandbox_workspace_write]
network_access = false
- Check that Codex loads the saved configuration.
$ codex doctor --summary --ascii --no-color
Codex Doctor v0.139.0
##### snipped #####
Configuration
[ok] config loaded
[ok] sandbox restricted fs + restricted network - approval OnRequest
##### snipped #####
Authentication or connectivity notes can appear when login or network access is missing. For this check, confirm the Configuration section reports a loaded config and the expected sandbox boundary.
- Start a new Codex session so the saved mode loads.
$ codex
Already-running sessions keep their current permissions until they are changed inside the session or restarted.
- Change the active session without restarting when the task boundary changes.
/permissions
The permissions picker updates the active sandbox and approval behavior for the current session.
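The steps above save the sandbox boundary in config.toml and then rely on codex doctor to confirm it. The following POSIX sh script is an added example, not part of this page or of the Codex CLI, that reads the same three keys (sandbox_mode, approval_policy and sandbox_workspace_write.network_access) straight from a config file and classifies the resulting boundary, so the check can run in a pre-commit hook or CI job without launching Codex. It assumes the flat key = "value" layout shown in this how-to (one key per line, a [section] header on its own line) rather than implementing full TOML, and the sample config it parses is constructed here for the demonstration.

```shell
#!/bin/sh
# Added example: classify the sandbox boundary saved in a Codex config.toml.
# Not from the page or the Codex project; line-based parsing only, matching
# the flat key = "value" layout used in ~/.codex/config.toml above.

# Print the value of KEY inside [SECTION] (use "" for top-level keys).
# Usage: codex_cfg_value FILE SECTION KEY
codex_cfg_value() {
    awk -v want="$2" -v key="$3" '
        /^[[:space:]]*#/ { next }               # comment-only line
        /^[[:space:]]*\[/ {                     # [section] header
            sect = $0
            sub(/^[[:space:]]*\[/, "", sect)
            sub(/\].*$/, "", sect)
            next
        }
        sect == want {
            line = $0
            sub(/[[:space:]]*#.*$/, "", line)   # drop trailing comment
            if (split(line, kv, "=") >= 2) {
                k = kv[1]; gsub(/[[:space:]]/, "", k)
                if (k == key) {
                    v = kv[2]
                    gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                    gsub(/"/, "", v)            # unquote string values
                    print v
                    exit
                }
            }
        }
    ' "$1"
}

# Print one word describing the saved boundary:
#   restricted  - read-only, or workspace-write with network_access off
#   networked   - workspace-write with network_access = true
#   full-access - danger-full-access (no filesystem or network sandbox)
#   unknown     - sandbox_mode missing or not one of the documented values
# Usage: codex_cfg_boundary FILE
codex_cfg_boundary() {
    cfg_mode=$(codex_cfg_value "$1" "" sandbox_mode)
    cfg_net=$(codex_cfg_value "$1" sandbox_workspace_write network_access)
    case "$cfg_mode" in
        danger-full-access) echo full-access ;;
        workspace-write)
            if [ "$cfg_net" = "true" ]; then echo networked; else echo restricted; fi ;;
        read-only) echo restricted ;;
        *) echo unknown ;;
    esac
}

# Exit 0 when FILE is safe to use as the user-wide default, i.e. it is not
# danger-full-access; full access belongs in an isolated environment, not
# in ~/.codex/config.toml where every session inherits it.
# Usage: codex_cfg_default_ok FILE
codex_cfg_default_ok() {
    [ "$(codex_cfg_boundary "$1")" != "full-access" ]
}

# Demonstration on a constructed config matching the how-to's saved values.
codex_cfg_demo() {
    demo_tmp=$(mktemp) || return 1
    cat >"$demo_tmp" <<'EOF'
# constructed sample ~/.codex/config.toml (not a real user's file)
sandbox_mode = "workspace-write"
approval_policy = "on-request"

[sandbox_workspace_write]
network_access = false
EOF
    codex_cfg_boundary "$demo_tmp"        # prints: restricted
    rm -f "$demo_tmp"
}

codex_cfg_demo
```

Point codex_cfg_boundary at the real file (codex_cfg_boundary ~/.codex/config.toml) to compare its answer with the "sandbox restricted fs + restricted network" line that codex doctor reports; codex_cfg_default_ok is the one to wire into a hook, since it fails only when a user-wide default would hand every session danger-full-access.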
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.