Codex CLI 'Approve This Session' Practical Guide - Safe Temporary Automation in 5 Minutes¶
Target Audience
- Developers who understand basic Codex CLI operations and seek approval prompt efficiency
Key Points¶
- Approve once at session start, auto-execute until completion
- Apply settings only at command execution without editing
config.toml - Automatically return to normal mode after work ends (zero config residue risk)
Why This Matters Now¶
Existing --full-auto articles focus on persistent settings, leaving the "approve just for this session" temporary need unaddressed. Approval fatigue in short-term tasks like refactoring or test fixes is a growing concern.
Solution Steps Overview¶
| Step | Content | Success Indicator |
|---|---|---|
| 1 | Specify approval mode at session start | No prompts displayed |
| 2 | Confirm work completion | Task finished |
| 3 | Return to normal mode next run | Approval prompts reappear |
Step 1: Launch Session-Limited Approval¶
The simplest approach combines -a never (no approval) with -s workspace-write (scope restriction):
codex -a never -s workspace-write "Fix all errors in test files"
Operation Details: - -a never: Auto-approve all tool executions in this session - -s workspace-write: Write only within workspace (system file protection) - Settings don't persist after session ends (next run uses normal approval mode)
Step 2: When Network Access Is Required¶
For tasks involving package installation or API calls, add network permission:
codex -a never -s workspace-write \
-c 'sandbox_workspace_write.network_access=true' \
"Update dependencies and run migration"
Recommended Use Cases: - npm/pip package updates - Remote API integration tests - External data source retrieval
Step 3: Full Automation (Debug Only)¶
For system-wide write access, use danger-full-access:
codex -a never -s danger-full-access \
"Output log files to /var/log"
Security Caution
danger-full-access is not recommended for regular development. Execute within Docker or dedicated VMs.
Common Pitfalls and Fixes¶
| Symptom | Cause | Immediate Fix |
|---|---|---|
| Network error halts execution | Missing -c flag | Use Step 2 command above |
| System file write fails | Sandbox restriction | Re-validate necessity → Consider VM |
| Auto-approval persists next run | Environment variable residue | Run unset CODEX_APPROVAL_MODE |
Advanced Settings (Profile Usage)
For frequent use of identical settings, create `[profiles.session-auto]` in `config.toml` and launch with `codex --profile session-auto`. Note: Profiles are persistent, eliminating this article's "temporary" advantage. See [Auto Approval Mode Complete Guide](./codex-cli-approval-modes-no-approval.md) for details.When to Use Persistent vs. Session Settings¶
| Scenario | Recommended Method | Reason |
|---|---|---|
| Multiple daily routine tasks | config.toml profile | Reduce re-entering settings |
| One-off refactoring | This article's -a never command | Avoid config residue risk |
| CI/CD automation | --full-auto or env variables | Reproducibility and audit logs |
Next Steps¶
- Codex CLI Auto Approval Mode Complete Guide - Persistent setting details
- Codex CLI Best Practices - Security guidelines