LIVE|CLI v0.144.0·model GPT-5.6 Sol·verified 2026-07-09
Codex Insider
The unofficial wire for OpenAI Codex.
config.toml recipe

Safe full-auto setup

Published Jul 15, 2026 · Verified against the official config docs

What it does

The keys people set together to stop approval prompts without handing Codex the keys to everything. Set sandbox_mode = "workspace-write" (shipped default is read-only), sandbox_workspace_write.network_access = true (default false), and approval_policy = "on-request" or "never". You get a writable repo plus outbound network while everything outside the workspace stays walled off. Skip danger-full-access; this pairing covers almost every real workflow.

Values

Full-auto comes down to four or five keys you set together. Here’s what each does and the value it ships with.

Key Set to Shipped default
sandbox_mode "workspace-write" "read-only"
sandbox_workspace_write.network_access true false
approval_policy "on-request" or "never" on-request (per config sample)
windows.sandbox (Windows-native) "unelevated" or "elevated" unset

workspace-write makes your repo writable and blocks writes everywhere else. network_access = true opens outbound traffic, which npm, pip, and git all need. approval_policy still governs when Codex pauses to ask; keep on-request when a human is at the keyboard, drop to never for CI. Extra directories beyond the repo go in sandbox_workspace_write.writable_roots.

# ~/.codex/config.toml
approval_policy = "on-request"        # "never" for unattended CI
sandbox_mode   = "workspace-write"

[sandbox_workspace_write]
network_access = true                 # default is false
writable_roots = ["/home/me/scratch"] # extra paths beyond the repo

[windows]                             # native Windows only
sandbox = "unelevated"                # or "elevated"
sandbox_private_desktop = true        # default true

When to change it

Reach for this the moment prompts start drowning the session. Two threads pushed it to the top of the request pile: Windows users hit an approval prompt on every PowerShell command (#2860), and a 0.115.0 Linux regression prompted for nearly every command, even find and ls (#14936). Set the bundle above once you’ve ruled out a version-specific bug.

For CI or any unattended run, pair approval_policy = "never" with sandbox_mode = "workspace-write". Nobody is there to answer prompts, and the sandbox still walls off everything outside the repo.

Gotchas

.git/ and .codex/ stay read-only even inside a writable workspace, so Codex can’t rewrite git history or edit its own config on its own. The docs note some environments keep those paths locked regardless of your writable roots.

default_permissions = ":workspace" is the newer way to express the same setup, but don’t combine it with sandbox_mode or [sandbox_workspace_write] — the reference says pick one path or the other. Built-in profiles are :read-only, :workspace, and :danger-full-access.

The trap people fall into is jumping straight to danger-full-access, which turns the sandbox off entirely. workspace-write plus network covers almost every real build, so save full access for a throwaway container you don’t mind losing.

Sources