How to set Codex sandbox mode

Sandbox mode controls what Codex is allowed to change when it runs model-generated shell commands. Picking the right mode keeps routine work inside a predictable boundary and reduces the chance of unintended edits or network access.

Current Codex releases expose three sandbox modes: read-only, workspace-write, and danger-full-access. Use the dedicated --sandbox flag to set the mode for a session, or save a default with sandbox_mode in ~/.codex/config.toml.

Sandbox mode does not change approval prompts by itself. workspace-write is the normal local editing boundary, while danger-full-access removes the filesystem and network restrictions entirely and should be reserved for already isolated environments such as a disposable VM or container.

Steps to set Codex sandbox mode:

Review the sandbox modes exposed by the installed Codex CLI.

$ codex --help
##### snipped #####
  -s, --sandbox <SANDBOX_MODE>
          Select the sandbox policy to use when executing model-generated shell commands
          
          [possible values: read-only, workspace-write, danger-full-access]
##### snipped #####

The current top-level codex command exposes the dedicated --sandbox flag, so there is no separate sandbox-mode subcommand.

Start Codex with the default read-only sandbox when the task only needs inspection, planning, or proposed patches.
```
$ codex --sandbox read-only
```
read-only blocks file edits and keeps command execution behind approvals, which fits repo walkthroughs and review work.
Start Codex with workspace-write when the session needs to edit files inside the current working root.
```
$ codex --sandbox workspace-write
```
The writable boundary follows the directory where Codex starts, or the path passed with -C. The current --full-auto preset also uses workspace-write.

Related: How to run Codex in full-auto mode
Related: How to set the working directory for Codex
Start Codex with danger-full-access only when the host is already isolated and the task really needs unrestricted commands.
```
$ codex --sandbox danger-full-access
```
danger-full-access removes the sandbox boundary entirely, including the normal network restriction. If the only missing capability is writing to another path, prefer --add-dir instead of disabling the sandbox.

Related: How to add a writable directory for Codex
Set a persistent default mode in ~/.codex/config.toml.
```
sandbox_mode = 'workspace-write'
```
Replace workspace-write with read-only or danger-full-access when that better matches the default operating boundary.
Start a new Codex session after saving the config file.
```
$ codex
```
The next session loads the saved sandbox_mode value from ~/.codex/config.toml unless a CLI flag or profile overrides it.
Verify the saved default mode from the config file.
```
$ grep '^sandbox_mode' ~/.codex/config.toml
sandbox_mode = 'workspace-write'
```
Sandbox mode and approval policy are separate settings, so change approval_policy as well when the session should also stop asking more or less often.

Related: approval-policy-set

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.