Safe full-auto setup
Published Jul 15, 2026 · Verified against the official config docs
The keys people set together to stop approval prompts without handing Codex the keys to everything. Set sandbox_mode = "workspace-write" (shipped default is read-only), sandbox_workspace_write.network_access = true (default false), and approval_policy = "on-request" or "never". You get a writable repo plus outbound network while everything outside the workspace stays walled off. Skip danger-full-access; this pairing covers almost every real workflow.
Values
Full-auto comes down to four or five keys you set together. Here’s what each does and the value it ships with.
| Key | Set to | Shipped default |
|---|---|---|
sandbox_mode |
"workspace-write" |
"read-only" |
sandbox_workspace_write.network_access |
true |
false |
approval_policy |
"on-request" or "never" |
on-request (per config sample) |
windows.sandbox (Windows-native) |
"unelevated" or "elevated" |
unset |
workspace-write makes your repo writable and blocks writes everywhere else. network_access = true opens outbound traffic, which npm, pip, and git all need. approval_policy still governs when Codex pauses to ask; keep on-request when a human is at the keyboard, drop to never for CI. Extra directories beyond the repo go in sandbox_workspace_write.writable_roots.
# ~/.codex/config.toml
approval_policy = "on-request" # "never" for unattended CI
sandbox_mode = "workspace-write"
[sandbox_workspace_write]
network_access = true # default is false
writable_roots = ["/home/me/scratch"] # extra paths beyond the repo
[windows] # native Windows only
sandbox = "unelevated" # or "elevated"
sandbox_private_desktop = true # default true
When to change it
Reach for this the moment prompts start drowning the session. Two threads pushed it to the top of the request pile: Windows users hit an approval prompt on every PowerShell command (#2860), and a 0.115.0 Linux regression prompted for nearly every command, even find and ls (#14936). Set the bundle above once you’ve ruled out a version-specific bug.
For CI or any unattended run, pair approval_policy = "never" with sandbox_mode = "workspace-write". Nobody is there to answer prompts, and the sandbox still walls off everything outside the repo.
Gotchas
.git/ and .codex/ stay read-only even inside a writable workspace, so Codex can’t rewrite git history or edit its own config on its own. The docs note some environments keep those paths locked regardless of your writable roots.
default_permissions = ":workspace" is the newer way to express the same setup, but don’t combine it with sandbox_mode or [sandbox_workspace_write] — the reference says pick one path or the other. Built-in profiles are :read-only, :workspace, and :danger-full-access.
The trap people fall into is jumping straight to danger-full-access, which turns the sandbox off entirely. workspace-write plus network covers almost every real build, so save full access for a throwaway container you don’t mind losing.
Related settings
sandbox_modeis the core switch this recipe flips toworkspace-write.sandbox_workspace_write_network_accessandsandbox_workspace_write_writable_rootstune the writable sandbox.approval_policysets when Codex asks;default_permissionsis the alternative profile-based path.- On Windows,
windows.sandboxpicks the enforcement mechanism. - If commands still get blocked, see Sandbox error: retrying without sandbox.