OpenAI Codex CLI provides granular control over how it interacts with your system through approval modes and sandbox settings. Understanding these controls is essential for balancing productivity with safety, whether you are experimenting with generated code or deploying in production environments.
Understanding Approval Modes
Approval modes determine how much autonomy Codex has when making changes to your files and executing commands. Codex CLI offers three distinct modes, each with different levels of human oversight.
Mode Comparison Table
| Mode | File Edits | Command Execution | Best For |
|---|---|---|---|
| suggest | Requires approval | Requires approval | Production work, learning, sensitive code |
| auto-edit | Auto-approved | Requires approval | Development work, trusted file changes |
| full-auto | Auto-approved | Auto-approved | CI/CD pipelines, isolated containers, demos |
Suggest Mode (Default)
Suggest mode is the safest option and the default setting. Every action requires your explicit approval before execution.
Behavior:
- Shows proposed file changes in a diff view
- Waits for confirmation before writing any files
- Displays commands before running them
- Allows you to edit or reject any proposed changes
When to use:
- Working with production code
- Learning how Codex operates
- Reviewing AI-generated code before applying
- Any situation where mistakes are costly
Auto-Edit Mode
Auto-edit mode automatically applies file changes but still requires approval for shell commands. This strikes a balance between speed and safety.
Behavior:
- Applies file edits immediately without prompting
- Still requires approval for shell commands
- Shows a summary of changes made
- Allows undo via Git if needed
When to use:
- Active development with version control
- Trusted refactoring tasks
- When you want faster iteration on code changes
- Projects where you can easily revert changes
Full-Auto Mode
Full-auto mode gives Codex complete autonomy to execute both file changes and commands without any confirmation. Use this mode with extreme caution.
Behavior:
- Applies all file edits automatically
- Executes all shell commands without prompting
- Operates completely autonomously
- No human intervention in the loop
When to use:
- Disposable development containers
- Isolated CI/CD pipeline environments
- Demonstration or testing scenarios
- When you fully trust the operations being performed
Configuring Approval Modes
Command Line Flag
Set the approval mode for a single session using the --approval-mode flag:
```bash
# Use suggest mode (most restrictive)
codex --approval-mode suggest "refactor the authentication module"

# Use auto-edit mode (balanced)
codex --approval-mode auto-edit "add error handling to all functions"

# Use full-auto mode (least restrictive)
codex --approval-mode full-auto "run the test suite and fix failures"
```
Global Configuration
Set a default approval mode in your global config file.
Location: ~/.codex/config.toml
```toml
# Set default approval mode
approval_mode = "auto-edit"
```
Project-Level Configuration
Override the global setting for specific projects by creating a config file in the project directory.
Location: <project-root>/.codex/config.toml
```toml
# This project uses stricter controls
approval_mode = "suggest"
```
Project configuration takes precedence over global configuration, allowing you to enforce stricter controls on sensitive projects.
Sandbox Mode Configuration
The sandbox isolates Codex's operations to prevent unintended changes to your system. This is particularly important when running shell commands.
Sandbox Options
| Sandbox Setting | Description | Use Case |
|---|---|---|
| docker | Runs commands in a Docker container | Maximum isolation, testing untrusted code |
| none | Commands run directly on your system | Full system access, trusted operations |
Configuring the Sandbox
In config.toml:
```toml
# Use Docker sandbox for command execution
sandbox = "docker"

# Or disable sandbox for full system access
# (set only one of the two; a key may appear once per TOML file)
# sandbox = "none"
```
Via command line:
```bash
# Run with Docker sandbox
codex --sandbox docker "install dependencies and run tests"

# Run without sandbox
codex --sandbox none "deploy to production"
```
When to Use the Sandbox
Enable sandbox (docker) when:
- Testing AI-generated scripts for the first time
- Working with unfamiliar codebases
- Running commands that could modify system state
- In shared development environments
- Learning or experimenting with Codex
Disable sandbox (none) when:
- You need access to system tools not available in Docker
- Running trusted, well-understood commands
- Working with local services (databases, servers)
- Performance is critical
Switching Modes During Sessions
You can change approval modes mid-session using the /mode command without restarting Codex.
```text
# Inside an active Codex session
/mode suggest     # Switch to suggest mode
/mode auto-edit   # Switch to auto-edit mode
/mode full-auto   # Switch to full-auto mode
```
This is useful when you want to start conservatively and then speed up once you trust the direction of the work.
Security Best Practices
General Recommendations
- Start with suggest mode until you understand Codex behavior in your codebase
- Use version control (Git) so you can easily revert unintended changes
- Enable the sandbox when running commands from AI-generated code
- Review generated code before running it, even in auto-edit mode
- Never use full-auto on production systems or with sensitive data
Recommended Configurations by Scenario
Personal development machine:

```toml
approval_mode = "auto-edit"
sandbox = "none"
```

Shared team environment:

```toml
approval_mode = "suggest"
sandbox = "docker"
```

CI/CD pipeline (isolated container):

```toml
approval_mode = "full-auto"
sandbox = "none"
```

Learning and experimentation:

```toml
approval_mode = "suggest"
sandbox = "docker"
```
Environment-Specific Configurations
Consider maintaining different config files for different contexts:
```bash
# Development config:                 ~/.codex/config.toml
# Strict config for production work:  ~/.codex/config-production.toml

# Use the production config
CODEX_CONFIG=~/.codex/config-production.toml codex "review security"
```
Combining Approval and Sandbox Settings
The approval mode and sandbox settings work together to create your overall safety profile:
| Approval Mode | Sandbox | Safety Level | Description |
|---|---|---|---|
| suggest | docker | Maximum | All changes confirmed, commands isolated |
| suggest | none | High | All changes confirmed, full system access |
| auto-edit | docker | Medium | File changes auto-approved, commands isolated |
| auto-edit | none | Low | File changes auto-approved, full system access |
| full-auto | docker | Very Low | Autonomous but isolated |
| full-auto | none | Minimal | Full autonomy, full system access |
Troubleshooting
Approval Mode Not Applying
- Check for project-level config overriding global settings:

  ```bash
  cat .codex/config.toml
  ```

- Verify your global config syntax:

  ```bash
  cat ~/.codex/config.toml
  ```

- Use an explicit flag to override both:

  ```bash
  codex --approval-mode suggest "task"
  ```
Sandbox Issues
If Docker sandbox is not working:
- Verify Docker is installed and running:

  ```bash
  docker --version
  docker ps
  ```

- Check that Codex has permission to use Docker:

  ```bash
  docker run hello-world
  ```

- Fall back to no sandbox if Docker is unavailable (commands then run directly on your system):

  ```bash
  codex --sandbox none "task"
  ```
Next Steps
- Learn where configuration files are stored in Configuration File Locations
- Set up project-specific instructions with How to Set Up MCP Servers
- Explore code review workflows with How to Use Codex for Code Review
- Compare with Claude Code CLI for alternative AI coding assistants