displayName
Codex workspace-write sandbox
filesystemPolicy
sandboxed
networkPolicy
none
description
Codex CLI sandbox mode `workspace-write`: shell commands can write inside the workspace while access outside the configured workspace/additional writable roots remains restricted.
fsAllowList
- <workspace>/**
- <add-dir>/**
fsDenyList
- <outside-workspace>/**:write
netAllowList
[]
netDenyList
execAllowedBinaries
[]
execDeniedBinaries
[]
envVarScope
inherit-allowlist
secretAccessScope
named
auditLogPolicy
structured-jsonl
policyEvaluationPoint
continuous