Sandbox and approval policies are currently controlled by 3 pre-defined modes via INITIAL_AGENT_MODE, but this lacks support for granular policy eg:
sandbox_mode = "danger-full-access"
approval_policy = { granular = {
rules = true
} }
This is very useful for running Codex in isolated environments where sandboxing mechanisms like bubble wrap are not supported. Natively with the configuration above, Codex has no workspace sandbox, but requires approvals for commands and tool executions. Combined with .rules files, this allows for unrestricted read+writes, with commands and tools calls to be allowedlisted and the rest - go through approvals
This setup is currently not possible if codex-acp is used because sandbox and approval policies are enforced by INITIAL_AGENT_MODE
Sandbox and approval policies are currently controlled by 3 pre-defined modes via
INITIAL_AGENT_MODE, but this lacks support for granular policy eg:This is very useful for running Codex in isolated environments where sandboxing mechanisms like bubble wrap are not supported. Natively with the configuration above, Codex has no workspace sandbox, but requires approvals for commands and tool executions. Combined with
.rulesfiles, this allows for unrestricted read+writes, with commands and tools calls to be allowedlisted and the rest - go through approvalsThis setup is currently not possible if codex-acp is used because sandbox and approval policies are enforced by
INITIAL_AGENT_MODE