Not specific to OpenAI / Codex, but I'm curious what people are doing to protect themselves from any destructive actions by their coding agents? Just install and pray? Explicity approve all actions? Reconfigure for safety? Run in a sandbox (Docker) ?
Typically I just want to isolate the agent disallowing it from accessing other parts of the filesystem. Using a different user might be enough, but I typically use [bubblewrap](https://github.com/containers/bubblewrap).
I live in fear lol.
More seriously, I was blindly trusting the auto-classifier from claude code (same as the middle option when you do `/permissions` in codex), and it actually allowed the agent to do pretty hardcore `rm` and `git push --force-with-lease` commands, which I would have expected to have to approve manually. Luckily no major issue from those yet.
The best option imo is the integrated cloud environments from claude code (not sure yet if there's a codex equivalent). It spawns a VM in the cloud where the agent runs, and you can open a PR from the app when it's done. Very smooth experience
I use the auto-reviewer for actions outside the builtin sandbox.
So far this has been rock solid, and tens of millions of developers use this setup without issue.
It is not going to wipe our hard disks. At least I hope so. Fable and GPT 5.6 have been ever more proactive, and GPT 5.6 is automating the AppStore on my machine to download an Xcode update while I am typing this.
I still just explicitly approve all actions and review all code (unless it's a personal/throwaway project no one else will ever touch/use/see). I know a lot of people that run in a sandbox though. That said, I'm sure there are lots of people that just yolo it and hope for the best.
What destructive actions are you afraid of in particular? Honestly the models are pretty smart, I let the agents go --yolo and nothing bad has ever happened (yet) that couldn't be solved with git.
Don't let it outside the sandbox. Don't let it have access to anything but dev environments. Continue using git.
Never had any issues.
I run codex in a dedicated vm, I have a cronjob which resets it to clean installed state every week. Nothing too fancy just bhyve and debian, 8gb mem. It has root access there, can install stuff, no permissions to push to protected branches etc. It didn't take very long to setup, and I can sleep a bit better...