CDX-101 · Module 1

Git Safety & Sandboxing


Codex takes a sandbox-first approach to safety. Every command execution runs inside an OS-native sandbox that restricts filesystem access and network calls. On macOS, this uses Apple's Seatbelt (sandbox-exec). On Linux, it uses Bubblewrap (bwrap). The sandbox ensures that even in full-auto mode, Codex cannot write outside your project directory or make arbitrary network requests.

# Allow specific commands to bypass sandbox restrictions
[execpolicy]
# Allow npm install with network access
"npm install" = "allow-network"
# Allow git operations
"git *" = "allow-network"
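To make the default-deny behaviour of such a policy concrete, here is an added example (illustration written for this module, not Codex's own execpolicy implementation) that parses the block above and decides whether a given command line receives network access. The rule syntax is taken from the page; the matching semantics are assumptions: a pattern ending in `*` matches any further arguments, an exact pattern such as `"npm install"` matches only that exact argument list, and a command line containing shell control operators (`&&`, `;`, `|`, redirections) is refused outright, because token-wise matching on `git *` would otherwise silently cover whatever follows the `&&`.

```python
"""Toy execpolicy lookup: should this command get network access?

Added illustration, not Codex's code. Rule syntax from the page;
matching semantics (trailing '*', exact match, control-operator refusal)
are assumptions made for this example.
"""
import shlex
from typing import Dict, List

# Constructed sample in the page's execpolicy syntax (a TOML-like table).
POLICY_TEXT = '''
[execpolicy]
# Allow npm install with network access
"npm install" = "allow-network"
# Allow git operations
"git *" = "allow-network"
'''

# Shell operators that chain or redirect commands; a pattern match on the
# first words says nothing about what runs after them, so refuse these.
CONTROL_OPS = {"&&", "||", ";", "|", "&", "(", ")", "<", ">", ">>"}


def parse_execpolicy(text: str) -> Dict[str, str]:
    """Return {pattern: verdict} from the [execpolicy] table, skipping comments."""
    rules: Dict[str, str] = {}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_table = line == "[execpolicy]"
            continue
        if not in_table or "=" not in line:
            continue
        key, _, value = line.partition("=")
        rules[key.strip().strip('"')] = value.strip().strip('"')
    return rules


def tokenize(command: str) -> List[str]:
    """Split like a POSIX shell, keeping operators such as '&&' as tokens."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def _matches(pattern: str, argv: List[str]) -> bool:
    """Token-wise match; a trailing '*' absorbs zero or more extra arguments."""
    pat = pattern.split()
    if pat and pat[-1] == "*":
        head = pat[:-1]
        return argv[: len(head)] == head
    return argv == pat  # assumed: exact patterns match only the exact argv


def network_allowed(command: str, rules: Dict[str, str]) -> bool:
    """Default deny: network only if a rule matches and grants it, and the
    command line is a single simple command (no chaining or redirection)."""
    argv = tokenize(command)
    if not argv or any(tok in CONTROL_OPS for tok in argv):
        return False
    return any(
        verdict == "allow-network" and _matches(pattern, argv)
        for pattern, verdict in rules.items()
    )


if __name__ == "__main__":
    rules = parse_execpolicy(POLICY_TEXT)
    for cmd in ["git push origin main", "npm install", "npm install left-pad",
                "git status && curl http://example.invalid", "curl http://example.invalid"]:
        print(f"{cmd!r:50} network={network_allowed(cmd, rules)}")
```

The point of the control-operator check is the one a reviewer of any allowlist should make: the grant must be decided on what will actually execute, not on a prefix of the string. Whether a real execpolicy treats `"npm install"` as exact or as a prefix is something to confirm against the tool's documentation; this example picks the stricter reading.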

The workspace-write mode controls which directories Codex can modify. By default, Codex can only write to the current working directory and its children. This prevents accidental modifications to system files or other projects. Approval policies layer on top of sandboxing — in suggest mode, you see every change before it is applied, even within the allowed write scope.
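"Only the current working directory and its children" sounds simple, but a scope check that compares path strings gets three cases wrong: `..` traversal, a symlink inside the workspace that points outside it, and a sibling directory whose name merely starts with the workspace name. The following added example (written for this module, not Codex's code) implements the check by resolving both sides with `os.path.realpath` and comparing path components, and builds a throwaway directory layout to exercise each pitfall; the directory names are constructed for the demonstration.

```python
"""Workspace-write scope check with the classic pitfalls handled.

Added illustration of the rule the page states, not Codex's implementation.
"""
import os
import tempfile
from pathlib import Path


def is_within_workspace(root: str, target: str) -> bool:
    """True only if the resolved target is the resolved root or lies under it.

    realpath() collapses '..' and follows symlinks, so a link inside the
    workspace that points elsewhere is denied. Path.relative_to() compares
    whole components, so /tmp/x/workspace2 is not a child of /tmp/x/workspace.
    """
    root_real = Path(os.path.realpath(root))
    target_real = Path(os.path.realpath(target))
    try:
        target_real.relative_to(root_real)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Constructed layout (all names are made up for the example):

        <tmp>/workspace/src/            ordinary child directory
        <tmp>/workspace/escape -> ../outside   symlink leaving the workspace
        <tmp>/outside/                  must never be writable
        <tmp>/workspace2/               string-prefix sibling, not a child

    Returns the verdict for each case so the result can be inspected or tested.
    """
    with tempfile.TemporaryDirectory() as tmp:
        ws = os.path.join(tmp, "workspace")
        outside = os.path.join(tmp, "outside")
        sibling = ws + "2"
        os.makedirs(os.path.join(ws, "src"))
        os.makedirs(outside)
        os.makedirs(sibling)
        os.symlink(outside, os.path.join(ws, "escape"))
        return {
            "child": is_within_workspace(ws, os.path.join(ws, "src", "main.py")),
            "root_itself": is_within_workspace(ws, ws),
            "dotdot": is_within_workspace(
                ws, os.path.join(ws, "src", "..", "..", "outside", "x")),
            "symlink_out": is_within_workspace(ws, os.path.join(ws, "escape", "x")),
            "prefix_sibling": is_within_workspace(ws, os.path.join(sibling, "x")),
        }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:15} -> {'allow' if allowed else 'deny'}")
```

A check like this is a policy decision, not an enforcement mechanism: between the check and the write, a symlink can be swapped. That is exactly why the page's design puts the real boundary in an OS-level sandbox (Seatbelt, Bubblewrap), which the kernel enforces at the moment of the write rather than at the moment of the decision.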

Compared to Claude Code, which relies on a permission-grant system (you approve tool categories like Bash, file writes, etc. per session), Codex uses a more structured sandbox + execpolicy model. Both approaches achieve the same goal — controlled autonomy — but Codex's sandbox is more restrictive by default, which is a reasonable tradeoff for the open-source model where users may be less familiar with the tool's behavior.