Bounded Execution Enables Frictionless Low-Risk Actions

OpenAI confines Codex to a sandbox defining write access (e.g., read-only or workspace-write modes via allowed_sandbox_modes = ["read-only", "workspace-write"] in config.toml), network reach, and protected paths. Approvals gate actions outside the sandbox; users approve once or per session. Auto-review mode routes planned actions to a subagent that auto-approves low-risk requests (set via approvals_reviewer = "auto_review"), keeping routine tasks uninterrupted while halting higher-risk ones. This balances productivity—routine dev work flows seamlessly—with safety.

Identity ties Codex to ChatGPT enterprise workspaces (forced_chatgpt_workspace_id = "<workspace-uuid>", with credentials stored in the OS keyring). Network policy blocks open outbound access: it uses cached web search (allowed_web_search_modes = ["cached"]), enables a proxy (experimental_network.enabled = true), allows localhost and whitelisted domains like *.openai.com, and denies others like pastebin.com. Command rules let benign command patterns run outside the sandbox without approval (e.g., prefix_rule(pattern = ["gh", "pr", ["view", "list"]], decision = "allow") for GitHub PR inspection; ["kubectl", ["get", "describe", "logs"]] for K8s debugging) while blocking or requiring review for dangerous ones. Managed configs (cloud requirements, macOS prefs, local files) enforce baselines across the desktop app, CLI, and IDE, and users cannot override them.
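One way to dry-run command rules like the two above against sample commands before rolling them out, as an added Python sketch that is not OpenAI's code or Codex's own matcher. It assumes each pattern element is a literal token or a list of alternatives matched against the start of argv, and that any command line containing shell metacharacters falls through to approval; the sample commands are constructed.

```python
import shlex

# The two patterns are taken from the page; the dict layout is this sketch's own.
RULES = [
    {"pattern": ["gh", "pr", ["view", "list"]], "decision": "allow"},
    {"pattern": ["kubectl", ["get", "describe", "logs"]], "decision": "allow"},
]

# Assumption: a line with any of these is treated as more than one simple command.
SHELL_META = set(";|&`$<>(){}\n")

def matches_prefix(pattern, argv):
    """True if argv starts with pattern; a list element matches any one alternative."""
    if len(argv) < len(pattern):
        return False
    for want, got in zip(pattern, argv):
        alternatives = want if isinstance(want, list) else [want]
        if got not in alternatives:
            return False
    return True

def decide(command_line, rules=RULES):
    """Return the first matching rule's decision, or None (goes to approval)."""
    if SHELL_META & set(command_line):
        return None  # compound or substituted commands never match a prefix rule
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return None  # unbalanced quotes: treat as unmatched
    for rule in rules:
        if matches_prefix(rule["pattern"], argv):
            return rule["decision"]
    return None

def audit(samples, rules=RULES):
    """Map each sample command to its decision so a reviewer can scan the result."""
    return {cmd: decide(cmd, rules) for cmd in samples}

# Constructed sample commands (not from the page).
SAMPLES = [
    "gh pr view 123",
    "gh pr merge 123",
    "kubectl logs pod/api -n staging",
    "kubectl delete pod api",
    "kubectl get pods; curl example.invalid",
    "kubectl",
]

if __name__ == "__main__":
    for cmd, decision in audit(SAMPLES).items():
        print(f"{decision or 'needs approval':15} {cmd}")
```

The chained `kubectl get pods; ...` sample is the case to watch when writing such rules: a matcher that compared only the leading tokens of the raw string would approve everything after the semicolon along with it.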

Agent-Native Logs Provide Intent Visibility

Traditional logs show the 'what' (process start, file change). Codex additionally exports agent-aware OpenTelemetry events covering user prompts, tool approvals, executions, MCP usage, and network decisions ([otel] log_user_prompt = true; endpoint = "http://localhost:14318/v1/logs"). Enterprise/Edu users access these via the OpenAI Compliance Platform. Internally, OpenAI pairs these events with endpoint alerts; an AI triage agent analyzes prompt context, approvals, results, and policies to explain the 'why', distinguishing expected behavior from issues, for security review. Operationally, the logs track adoption, tool usage, sandbox blocks, and tuning needs, and can be integrated into SIEM and compliance systems.

Forward Path for Secure Agent Adoption

These controls—sandboxing, policies, telemetry—let security teams confidently enable Codex, prioritizing developer speed on safe actions while governing risks. Configuration details at developers.openai.com/codex/config-basic; Compliance API at help.openai.com/en/articles/9261474.