CDX-301b · Module 1

Tool Allowlists & Deny Rules


The Codex exec policy system is a command-level firewall. Every command Codex attempts to run is matched against the execpolicy rules in config.toml before execution. Rules use glob-style patterns and resolve to one of three verdicts: allow (run locally, no network), allow-network (run with network access), or deny (block entirely). Unmatched commands fall back to the sandbox mode default — which in workspace-write mode means allow without network. This default-allow fallback is why explicit deny rules matter.

Allowlist design follows the principle of least privilege. Start with a minimal set of allowed commands — your build tool, test runner, linter, and version control. Add commands only when Codex needs them for a specific workflow. Every allow-network entry is a potential data exfiltration path. Every allow entry is a potential filesystem mutation. Treat each rule as a security decision, not a convenience feature.

# Production-grade exec policy
[execpolicy]
# Build tools — local only
"npm test" = "allow"
"npm run build" = "allow"
"npm run lint" = "allow"
"npx tsc *" = "allow"
"npx vitest *" = "allow"

# Package management — needs network
"npm install" = "allow-network"
"npm ci" = "allow-network"

# Version control — needs network for push/fetch
"git pull" = "allow-network"
"git push" = "allow-network"
"git fetch" = "allow-network"
"git add *" = "allow"
"git commit *" = "allow"
"git diff *" = "allow"
"git log *" = "allow"
"git status" = "allow"

# Explicitly blocked — dangerous operations
"rm -rf *" = "deny"
"rm -r *" = "deny"
"curl * | sh" = "deny"
"curl * | bash" = "deny"
"wget * | sh" = "deny"
"eval *" = "deny"
"sudo *" = "deny"
"chmod 777 *" = "deny"
  1. Inventory needed commands. List every command Codex needs to run for your project. Categorize each as local-only or needs-network. This is your allowlist.
  2. Write explicit deny rules. Identify dangerous commands for your environment (rm -rf, publish, deploy) and add explicit deny rules. Do not rely on the sandbox to catch everything.
  3. Audit quarterly. Review exec policy logs. Remove commands that were never used. Add commands that were repeatedly blocked but needed. The policy should evolve with your workflow.
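
The quarterly audit in step 3 can be scripted. The sketch below is an added example, not Codex's own evaluator or log format: it replays a constructed command log against a subset of the policy above and reports allow rules that never fired, commands that were blocked, and commands that matched no rule and so hit the default-allow fallback. Assumptions: patterns glob-match the whole command string, the most restrictive matching rule wins, and `fallback-allow` is a label chosen here.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Subset of the policy shown above, embedded so the example runs offline.
POLICY = """
[execpolicy]
"npm test" = "allow"
"npx vitest *" = "allow"
"npm ci" = "allow-network"
"git push" = "allow-network"
"git add *" = "allow"
"rm -rf *" = "deny"
"sudo *" = "deny"
"""

# Constructed sample of commands seen during one review period.
LOG = ["npm test", "npm test", "npx vitest run", "npm ci", "git add src/app.ts",
       "npm publish", "npm publish", "npm run deploy", "sudo npm ci"]

FALLBACK = "fallback-allow"  # label chosen here for the workspace-write default
RANK = {"deny": 0, "allow": 1, "allow-network": 2}  # assumed: most restrictive wins

def parse_rules(text):
    """Return (pattern, verdict) pairs from the "pattern" = "verdict" lines."""
    return re.findall(r'^"(.+)"\s*=\s*"(allow|allow-network|deny)"\s*$', text, re.M)

def verdict(command, rules):
    """Return (verdict, matching pattern), or (FALLBACK, None) if nothing matches."""
    hits = [(RANK[v], p, v) for p, v in rules if fnmatchcase(command, p)]
    if not hits:
        return FALLBACK, None
    _, pattern, v = min(hits)
    return v, pattern

def audit(log, rules):
    """Summarise one review period: unused allows, blocked commands, fallback hits."""
    used, denied, fallthrough = Counter(), Counter(), Counter()
    for cmd in log:
        v, pattern = verdict(cmd, rules)
        if pattern is None:
            fallthrough[cmd] += 1   # candidates for an explicit allow or deny
        elif v == "deny":
            denied[cmd] += 1        # repeatedly blocked but needed? review by hand
        else:
            used[pattern] += 1
    # Deny rules that never fire are working as intended, so only allows are listed.
    unused = [p for p, v in rules if v != "deny" and p not in used]
    return {"unused_allows": unused, "denied": denied, "fallthrough": fallthrough}

if __name__ == "__main__":
    print(audit(LOG, parse_rules(POLICY)))
```

Here `npm publish` and `npm run deploy` land in the fallthrough bucket because no rule names them, which is the case step 2 asks you to close with explicit deny rules.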