Codex Security Model: What Code It Can Run And Where

Codex executes code on your behalf. Understanding the sandbox boundaries — and where they leak — is the difference between productivity and an outage.

10 min · Reviewed 2026

The agent can run code. That is the point and the risk

Most chatbots cannot touch your system. Codex can run shell commands, edit files, hit URLs, and start subprocesses. That is what makes it useful and dangerous. The security model is a layered set of constraints that try to keep the useful parts in and the catastrophic parts out.

The four boundary layers

Sandbox process — Codex Cloud runs in an OS-level sandbox; the CLI runs in your shell
Permission prompts — destructive operations should require human approval before execution
Network policy — outbound HTTP can be allowlisted by domain
Credential isolation — secrets injected at task start, never leaked into outputs

Surface	Process isolation	Network policy	Credential exposure
Codex Cloud	Strong (per-task container)	Configurable allowlist	Per-task secrets
Codex CLI	Your shell	Your machine's	Your env vars
IDE plugin	Your shell	Your machine's	Your env vars
GitHub action	GitHub runner	GitHub config	GitHub secrets

Common security mistakes

Using production credentials in a Codex CLI session
Allowlisting all outbound HTTP because configuration is hard
Auto-approving destructive commands because the prompts are annoying
Sharing AGENTS.md with secrets baked in
Connecting Codex to a VCS account with admin permissions on every repo

Applied exercise

Identify the highest-permission account Codex currently uses on your stack
Ask: does it need that level for daily work?
If not, downgrade — create a Codex-specific principal with least privilege
Keep the high-permission flow behind a human-only break-glass approval

The big idea: security is a defense in depth. Sandboxes, permissions, network policy, and credential isolation each catch what the others miss.

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-codex-security-model-creators

What is the core idea behind "Codex Security Model: What Code It Can Run And Where"?
1. Codex executes code on your behalf. Understanding the sandbox boundaries — and where they leak — is the difference between productivity and an outage.
2. read-only authorization
3. Pick a small slice — 5-10 files — and migrate it manually first
4. migrate-component — move a UI component to the new design system
Which term best describes a foundational idea in "Codex Security Model: What Code It Can Run And Where"?
1. least privilege
2. sandbox
3. permission prompt
4. audit log
A learner studying Codex Security Model: What Code It Can Run And Where would need to understand which concept?
1. sandbox
2. permission prompt
3. least privilege
4. audit log
Which of these is directly relevant to Codex Security Model: What Code It Can Run And Where?
1. sandbox
2. least privilege
3. audit log
4. permission prompt
Which of the following is a key point about Codex Security Model: What Code It Can Run And Where?
1. Sandbox process — Codex Cloud runs in an OS-level sandbox; the CLI runs in your shell
2. Permission prompts — destructive operations should require human approval before execution
3. Network policy — outbound HTTP can be allowlisted by domain
4. Credential isolation — secrets injected at task start, never leaked into outputs
Which of these does NOT belong in a discussion of Codex Security Model: What Code It Can Run And Where?
1. read-only authorization
2. Permission prompts — destructive operations should require human approval before execution
3. Network policy — outbound HTTP can be allowlisted by domain
4. Sandbox process — Codex Cloud runs in an OS-level sandbox; the CLI runs in your shell
Which statement is accurate regarding Codex Security Model: What Code It Can Run And Where?
1. Allowlisting all outbound HTTP because configuration is hard
2. Auto-approving destructive commands because the prompts are annoying
3. Using production credentials in a Codex CLI session
4. Sharing AGENTS.md with secrets baked in
Which of these does NOT belong in a discussion of Codex Security Model: What Code It Can Run And Where?
1. read-only authorization
2. Using production credentials in a Codex CLI session
3. Allowlisting all outbound HTTP because configuration is hard
4. Auto-approving destructive commands because the prompts are annoying
What is the key insight about "The CLI sees your laptop" in the context of Codex Security Model: What Code It Can Run And Where?
1. If you accept a Codex CLI command without reading it, you are accepting it as if you ran it yourself.
2. read-only authorization
3. Pick a small slice — 5-10 files — and migrate it manually first
4. migrate-component — move a UI component to the new design system
What is the key insight about "Audit logs are your insurance" in the context of Codex Security Model: What Code It Can Run And Where?
1. read-only authorization
2. Every Codex run produces a log. Keep them. The first time something weird happens, you will want to read them in detail.
3. Pick a small slice — 5-10 files — and migrate it manually first
4. migrate-component — move a UI component to the new design system
What is the key insight about "From the community" in the context of Codex Security Model: What Code It Can Run And Where?
1. read-only authorization
2. Pick a small slice — 5-10 files — and migrate it manually first
3. Codex is unusual among coding agents in shipping with sandbox features (Landlock and seccomp on Linux) enabled by defaul…
4. migrate-component — move a UI component to the new design system
Which statement accurately describes an aspect of Codex Security Model: What Code It Can Run And Where?
1. read-only authorization
2. Pick a small slice — 5-10 files — and migrate it manually first
3. migrate-component — move a UI component to the new design system
4. Most chatbots cannot touch your system. Codex can run shell commands, edit files, hit URLs, and start subprocesses.
What does working with Codex Security Model: What Code It Can Run And Where typically involve?
1. The big idea: security is a defense in depth. Sandboxes, permissions, network policy, and credential isolation each catch what the others mi…
2. read-only authorization
3. Pick a small slice — 5-10 files — and migrate it manually first
4. migrate-component — move a UI component to the new design system
Which best describes the scope of "Codex Security Model: What Code It Can Run And Where"?
1. It is unrelated to tools workflows
2. It focuses on Codex executes code on your behalf. Understanding the sandbox boundaries — and where they leak — is
3. It applies only to the opposite beginner tier
4. It was deprecated in 2024 and no longer relevant
Which section heading best belongs in a lesson about Codex Security Model: What Code It Can Run And Where?
1. read-only authorization
2. Pick a small slice — 5-10 files — and migrate it manually first
3. The four boundary layers
4. migrate-component — move a UI component to the new design system

← Back to interactive lesson

Tendril · Creators · Tools Literacy

Codex Security Model: What Code It Can Run And Where

Codex executes code on your behalf. Understanding the sandbox boundaries — and where they leak — is the difference between productivity and an outage.

10 min · Reviewed 2026

The agent can run code. That is the point and the risk

The four boundary layers

Sandbox process — Codex Cloud runs in an OS-level sandbox; the CLI runs in your shell
Permission prompts — destructive operations should require human approval before execution
Network policy — outbound HTTP can be allowlisted by domain
Credential isolation — secrets injected at task start, never leaked into outputs

Surface	Process isolation	Network policy	Credential exposure
Codex Cloud	Strong (per-task container)	Configurable allowlist	Per-task secrets
Codex CLI	Your shell	Your machine's	Your env vars
IDE plugin	Your shell	Your machine's	Your env vars
GitHub action	GitHub runner	GitHub config	GitHub secrets

Common security mistakes

Using production credentials in a Codex CLI session
Allowlisting all outbound HTTP because configuration is hard
Auto-approving destructive commands because the prompts are annoying
Sharing AGENTS.md with secrets baked in
Connecting Codex to a VCS account with admin permissions on every repo

Applied exercise

Identify the highest-permission account Codex currently uses on your stack
Ask: does it need that level for daily work?
If not, downgrade — create a Codex-specific principal with least privilege
Keep the high-permission flow behind a human-only break-glass approval

The big idea: security is a defense in depth. Sandboxes, permissions, network policy, and credential isolation each catch what the others miss.

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-codex-security-model-creators

What is the core idea behind "Codex Security Model: What Code It Can Run And Where"?
1. Codex executes code on your behalf. Understanding the sandbox boundaries — and where they leak — is the difference between productivity and an outage.
2. read-only authorization
3. Pick a small slice — 5-10 files — and migrate it manually first
4. migrate-component — move a UI component to the new design system
Which term best describes a foundational idea in "Codex Security Model: What Code It Can Run And Where"?
1. least privilege
2. sandbox
3. permission prompt
4. audit log
A learner studying Codex Security Model: What Code It Can Run And Where would need to understand which concept?
1. sandbox
2. permission prompt
3. least privilege
4. audit log
Which of these is directly relevant to Codex Security Model: What Code It Can Run And Where?
1. sandbox
2. least privilege
3. audit log
4. permission prompt
Which of the following is a key point about Codex Security Model: What Code It Can Run And Where?
1. Sandbox process — Codex Cloud runs in an OS-level sandbox; the CLI runs in your shell
2. Permission prompts — destructive operations should require human approval before execution
3. Network policy — outbound HTTP can be allowlisted by domain
4. Credential isolation — secrets injected at task start, never leaked into outputs
Which of these does NOT belong in a discussion of Codex Security Model: What Code It Can Run And Where?
1. read-only authorization
2. Permission prompts — destructive operations should require human approval before execution
3. Network policy — outbound HTTP can be allowlisted by domain
4. Sandbox process — Codex Cloud runs in an OS-level sandbox; the CLI runs in your shell
Which statement is accurate regarding Codex Security Model: What Code It Can Run And Where?
1. Allowlisting all outbound HTTP because configuration is hard
2. Auto-approving destructive commands because the prompts are annoying
3. Using production credentials in a Codex CLI session
4. Sharing AGENTS.md with secrets baked in
Which of these does NOT belong in a discussion of Codex Security Model: What Code It Can Run And Where?
1. read-only authorization
2. Using production credentials in a Codex CLI session
3. Allowlisting all outbound HTTP because configuration is hard
4. Auto-approving destructive commands because the prompts are annoying
What is the key insight about "The CLI sees your laptop" in the context of Codex Security Model: What Code It Can Run And Where?
1. If you accept a Codex CLI command without reading it, you are accepting it as if you ran it yourself.
2. read-only authorization
3. Pick a small slice — 5-10 files — and migrate it manually first
4. migrate-component — move a UI component to the new design system
What is the key insight about "Audit logs are your insurance" in the context of Codex Security Model: What Code It Can Run And Where?
1. read-only authorization
2. Every Codex run produces a log. Keep them. The first time something weird happens, you will want to read them in detail.
3. Pick a small slice — 5-10 files — and migrate it manually first
4. migrate-component — move a UI component to the new design system
What is the key insight about "From the community" in the context of Codex Security Model: What Code It Can Run And Where?
1. read-only authorization
2. Pick a small slice — 5-10 files — and migrate it manually first
3. Codex is unusual among coding agents in shipping with sandbox features (Landlock and seccomp on Linux) enabled by defaul…
4. migrate-component — move a UI component to the new design system
Which statement accurately describes an aspect of Codex Security Model: What Code It Can Run And Where?
1. read-only authorization
2. Pick a small slice — 5-10 files — and migrate it manually first
3. migrate-component — move a UI component to the new design system
4. Most chatbots cannot touch your system. Codex can run shell commands, edit files, hit URLs, and start subprocesses.
What does working with Codex Security Model: What Code It Can Run And Where typically involve?
1. The big idea: security is a defense in depth. Sandboxes, permissions, network policy, and credential isolation each catch what the others mi…
2. read-only authorization
3. Pick a small slice — 5-10 files — and migrate it manually first
4. migrate-component — move a UI component to the new design system
Which best describes the scope of "Codex Security Model: What Code It Can Run And Where"?
1. It is unrelated to tools workflows
2. It focuses on Codex executes code on your behalf. Understanding the sandbox boundaries — and where they leak — is
3. It applies only to the opposite beginner tier
4. It was deprecated in 2024 and no longer relevant
Which section heading best belongs in a lesson about Codex Security Model: What Code It Can Run And Where?
1. read-only authorization
2. Pick a small slice — 5-10 files — and migrate it manually first
3. The four boundary layers
4. migrate-component — move a UI component to the new design system

← Back to interactive lesson