February 2026 Latest Update
Compatible with Codex CLI v0.101.0+ / GPT-5.3-Codex. Sandbox capabilities have been enhanced, and --full-auto mode is now recommended in more use cases.
Safe Ops Checklist for Codex CLI --dangerously-skip-permissions¶
Target Audience
- Mid-level SRE/DevOps engineers who need Codex CLI automation speed without losing control of dangerous permissions
Outcomes After 5 Minutes¶
- Stand up mandatory audit logging and alerts before the dangerous mode runs
- Template temporary profile switching plus rollback instructions for repetitive work
- Track safety with three metrics so stakeholders approve the workflow
Why This Matters Now¶
The --dangerously-skip-permissions flag is one of the most searched Codex CLI topics, yet no comprehensive runbook explains how to validate the dangerous override safely. Many developers use it without proper audit logging or rollback procedures.
Step Summary¶
| Step | Action | Success Metric |
|---|---|---|
| 1 | Enable audit toggles before flipping to dangerous mode | /status exposes danger flags |
| 2 | Register a temporary profile plus notifications | Slack/Webhook alert fires on execution |
| 3 | Lock rollback and log archiving in place | Each run saves a JSON snapshot |
Step 1: Document prerequisites and switch on auditing¶
Start with codex /status to capture sandbox_mode and approval_policy before the override. Write down the allowed host, repo, and time window; if the checklist fails, fall back to the default profile. Publish the path to CODEX_HOME/history.jsonl so reviewers can replay the activity.
codex /status
# sandbox_mode: danger-full-access
# approval_policy: never
# log_path: ~/.codex/history.jsonl
Keeping this snapshot inside the execution log lets auditors confirm that --dangerously-skip-permissions was intentional. Verify disk space as well; an interrupted session without room for logs defeats the guardrail.
Step 2: Use a temporary profile and wire up alerts¶
Never leave the override active permanently. Create a profile inside ~/.codex/config.toml, bundle every dangerous parameter there, and invoke it only right before the task. Pair the profile with a Slack webhook script so the team knows who enabled the override and why.
[profiles.danger_run]
sandbox_mode = "danger-full-access"
approval_policy = "never"
post_run_hook = "bash ~/.codex/hooks/notify_danger.sh"
The hook should post the operator, command, and Git revision. After the run, require codex --profile default so the session drops back to safe settings without relying on human memory.
Step 3: Execute rollback and archive evidence immediately¶
Close every dangerous run with a cleanup template such as scripts/post_danger_cleanup.sh. Inside it, call git status, git diff --stat, and extract the relevant rows from history.jsonl into a hardened bucket. Run the cleanup under a restricted sandbox to avoid further accidental writes.
codex --sandbox read-only "git status --short && git diff --stat"
Define rollback branches like "unexpected delete -> git restore" and "external API call -> rotate tokens". Append outcomes to the template after every incident so the next operator inherits real data.
Common Pitfalls and Fixes¶
| Symptom | Cause | Immediate Fix |
|---|---|---|
| Audit logs go missing | history.jsonl rotated before copy | Hook uploads to S3 or equivalent right after the run |
| Engineers leave the override always-on | Switching profiles feels costly | Add a logout hook that auto-runs codex --profile default |
| Unapproved domains are touched | No allowlist enforced | Hook inspects outbound domains and alerts when offlist access appears |