The Sandbox System: How Codex Controls AI Permissions
Unlike inline completion tools like GitHub Copilot, Codex CLI is an AI agent that actually executes actions — it can modify files, run shell commands, and install dependencies. This means it needs a permission control layer to prevent the AI from acting beyond its intended scope.
Codex CLI implements this through approval modes, with three levels:
| Mode | File Edits | Shell Commands | Requires Approval | Best For |
|---|---|---|---|---|
| suggest (default) | Confirm each | Confirm each | All actions | Learning, production code review |
| auto-edit | Auto-apply | Confirm each | Shell commands only | Refactoring, bulk edits, daily development |
| full-auto | Auto-apply | Auto-execute | Nothing | CI/CD, Docker containers, trusted automation |
suggest Mode: Safest, Full Human Oversight
This is Codex CLI's default mode. Before every file edit or shell command, Codex displays the proposed change (a diff, or the command text) and waits for you to press y to apply or n to skip.
```bash
$ codex
# equivalent to:
$ codex --approval-mode suggest
```
In suggest mode, the interaction loop is:
- AI analyzes the task and generates an execution plan
- For each file change, a unified diff is shown — you choose Apply or Skip
- For each shell command, the command is shown — you choose Run or Skip
- You can also choose Edit to manually adjust the AI's suggestion before applying
Best suited for:
- First-time Codex users getting a feel for how the AI behaves
- Production code that needs line-by-line review before committing
- Learning a technology or code style through AI examples
- New projects where you haven't established trust with the AI's output yet
auto-edit Mode: Auto Files, Manual Shell Commands
auto-edit lets the AI automatically apply file changes, but still requires your confirmation before executing shell commands. This is the sweet spot for most experienced developers in day-to-day work.
```bash
$ codex --approval-mode auto-edit
# shorthand flag:
$ codex --auto-edit
```
Why keep shell commands behind a confirmation? File changes are visible and reversible (Git rollback). Shell commands have broader potential impact — think rm -rf, npm publish, system config changes — so the human-in-the-loop guardrail stays for these.
Best suited for:
- Developers who've used Codex enough to trust its output patterns
- Bulk file modification tasks (refactoring, adding type annotations, JSDoc)
- Projects with solid Git history — mistakes can be rolled back
```bash
# Files updated automatically; npm run check still needs your OK
$ codex --auto-edit
# then type: add strict TypeScript types to all components in src/
```
full-auto Mode: Fully Autonomous — For CI/CD
In full-auto mode, Codex completes all operations autonomously — file edits and shell commands alike — with no human confirmation. This is the standard mode for codex exec in CI/CD pipelines.
```bash
# Interactive mode (rarely used; be careful)
$ codex --approval-mode full-auto
# codex exec (common — non-interactive, good for scripts and CI)
$ codex exec --approval-mode full-auto "generate CHANGELOG entry"
# or using the shorthand flag:
$ codex exec --dangerously-auto-approve-everything "fix all lint errors"
```
Use full-auto locally with care: full-auto means the AI can execute arbitrary commands on your machine. Recommended conditions: ① in a CI/CD container; ② project is under Git version control; ③ the task scope is clear and bounded. Avoid full-auto on local machines for vague or broad tasks with important data.
Best suited for:
- CI/CD pipelines (GitHub Actions, GitLab CI)
- Running in a Docker container or ephemeral environment
- Clear, well-bounded automation tasks (generate changelog, fix specific errors)
- Projects with a full test suite that can validate AI output
Sandbox Boundaries: What Codex Will Never Do
Regardless of approval mode, Codex CLI has built-in safety constraints:
- Won't access system directories outside ~/ unless explicitly instructed
- Won't initiate network connections beyond normal API calls
- Operating scope defaults to the current working directory
- On macOS, uses Apple Sandbox — system-level isolation even in full-auto mode
- Additional restrictions via AGENTS.md disallow_commands
```yaml
# Block high-risk commands via AGENTS.md
disallow_commands:
  - rm -rf
  - git push --force
  - npm publish
  - pip install  # can be re-enabled in CI
```
Persistent Approval Mode Configuration
Specifying the approval mode via command-line flags every time gets tedious. Set a persistent default instead:
Global Default (~/.codex/config.toml)
```toml
# Change global default to auto-edit (recommended for experienced users)
approval_mode = "auto-edit"
# Options: "suggest" | "auto-edit" | "full-auto"
```
Project-Level Default (AGENTS.md)
```markdown
# This project has full CI coverage — auto-edit is fine locally
approval_mode: auto-edit
## Project context...
```
CI/CD Recommended Setup
```yaml
name: AI Code Tasks
on:
  push:
    branches: [main]
jobs:
  codex-tasks:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run Codex task
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: |
          npm install -g @openai/codex
          # full-auto is safe in a CI container
          codex exec --approval-mode full-auto "update CHANGELOG.md with latest changes"
```
Side-by-Side Comparison
| Dimension | suggest | auto-edit | full-auto |
|---|---|---|---|
| File edits | Confirm each | Automatic | Automatic |
| Shell commands | Confirm each | Confirm each | Automatic |
| Interruptions | Many | Few (commands only) | None |
| Risk of unintended changes | Lowest | Low | Medium (local) / Low (CI container) |
| Suitable for codex exec | - | Usable | Recommended |
| Recommended scenario | Learning, production review | Daily development | CI/CD, automation |
Best Practices
Recommended progressive adoption strategy:
- Start with suggest — observe how Codex behaves, build intuition
- Once comfortable: switch to auto-edit — faster flow, shell commands still confirmed
- For CI/CD: use full-auto — maximize automation in isolated environments
Regardless of mode, these habits reduce risk significantly:
- Keep the project under Git version control: every change has a rollback path
- Restrict high-risk commands in AGENTS.md: especially important in full-auto mode
- Use codex exec for full-auto: non-interactive exec is better suited for batch tasks and has natural isolation in CI
- Write precise task descriptions: vague tasks are riskier in full-auto because the scope is undefined
Using full-auto in CI/CD? See the complete integration guides: CI/CD Integration Guide and codex exec Guide.
Frequently Asked Questions
What is the default approval mode in Codex CLI?
The default is suggest mode — every file edit and shell command requires your confirmation. It's the safest mode and the right default for everyday development.
Is full-auto mode safe to use?
In CI/CD containers it's safe — actions are contained within the runner. On a local machine, use it carefully: make sure the project is under Git, the task is well-defined, and high-risk commands are blocked via AGENTS.md.
How do I set the approval mode in codex exec?
Use --approval-mode: codex exec --approval-mode full-auto "task". Shorthand flags: --auto-edit or --dangerously-auto-approve-everything. Set approval_mode = "full-auto" in config.toml for a persistent default.
What's the difference between auto-edit and full-auto?
auto-edit automatically applies file changes but still requires confirmation for shell commands (running tests, installing packages, etc.). full-auto executes all actions — including shell commands — automatically, suitable for fully automated CI/CD environments.
Codex deleted a file I didn't want deleted in full-auto. How do I recover?
If the project is under Git: run git diff to see all changes, then git checkout -- <file> to restore a specific file, or git reset --hard HEAD to roll back all uncommitted changes. This is exactly why "always commit before running full-auto" is a best practice.
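Added example (not from the original page or from the Codex project): a shell wrapper that enforces the "commit before running full-auto" habit and the local-use conditions listed for full-auto before an unattended command starts, then prints rollback commands. It goes slightly beyond the recovery steps above by recording the starting commit, so the rollback also covers commits and new untracked files created during the run. `preflight`, `guarded_run` and `ALLOW_LOCAL_FULL_AUTO` are hypothetical names.

```bash
# Added example; preflight, guarded_run and ALLOW_LOCAL_FULL_AUTO are
# hypothetical names and are not part of Codex CLI.
# Usage: guarded_run codex exec --approval-mode full-auto "fix all lint errors"

# Refuse to start unless a rollback to the current commit would lose no human work.
preflight() {
  git rev-parse --is-inside-work-tree >/dev/null 2>&1 || {
    echo "refusing: not inside a Git work tree" >&2; return 2; }
  git rev-parse --verify -q HEAD >/dev/null || {
    echo "refusing: repository has no commit to roll back to" >&2; return 5; }
  # --porcelain lists modified, staged, deleted and untracked (non-ignored) files.
  if [ -n "$(git status --porcelain)" ]; then
    echo "refusing: uncommitted or untracked files; commit or stash first" >&2
    return 3
  fi
  # GitHub Actions and GitLab CI set CI=true on their runners. Anywhere else,
  # demand an explicit opt-in for an unattended run.
  if [ "${CI:-}" != "true" ] && [ "${ALLOW_LOCAL_FULL_AUTO:-}" != "1" ]; then
    echo "refusing: not in CI and ALLOW_LOCAL_FULL_AUTO is not 1" >&2
    return 4
  fi
}

# Run "$@" only after preflight passes, then report every change against the
# recorded checkpoint and print the commands that undo it.
guarded_run() {
  preflight || return $?
  local start rc
  start=$(git rev-parse HEAD)
  "$@"
  rc=$?
  echo "checkpoint: $start (command exit status $rc)"
  git status --porcelain
  # reset --hard to the recorded commit also discards commits made during the
  # run; clean -fd removes new untracked files. Preflight guaranteed none
  # existed beforehand, and ignored files are left alone.
  echo "roll back with: git reset --hard $start && git clean -fd"
  return "$rc"
}
```
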