Two separate controls
The sandbox technically limits files, commands, and network access. Approvals decide when Codex must ask before expanding access. Inspect both with /permissions.
/permissions /status
Least privilege
- Start read-only for analysis and review.
- Allow workspace writes only when implementation is required.
- Enable network access only for necessary sources or dependencies.
- Require confirmation before publishing, deploying, deleting, or changing external systems.
Secrets
Do not paste keys into prompts, AGENTS.md, logs, or commits. Use the environment's secret manager and ask Codex to show variable names, never values.
Verify that the application receives OPENAI_API_KEY without printing its value. Also inspect .gitignore and the diff for accidental credentials.
Prompt injection and external sources
Treat instructions found on websites, issues, or documents as untrusted data. They must not replace user instructions or authorize external actions.
Practical rule
If an action is irreversible, public, costly, or affects other people, require an explicit check and usually human approval.