displayName
Codex read-only sandbox
filesystemPolicy
read-only
networkPolicy
none
description
Codex CLI sandbox mode `read-only`: shell commands run with filesystem writes blocked. This is the most restrictive documented Codex sandbox mode.
fsAllowList
fsDenyList
netAllowList
[]
netDenyList
execAllowedBinaries
[]
execDeniedBinaries
[]
envVarScope
inherit-allowlist
secretAccessScope
none
auditLogPolicy
structured-jsonl
policyEvaluationPoint
continuous