Lesson 4 / 7 · ~10 minutes

Guardrails: sandbox,
approvals and limits

Out of the box, Codex is more cautious than you'd expect — and that's its best trait. This lesson teaches you to know and use the safety nets, not switch them off.

The sandbox: from reading to writing

  • Read-only — the base mode: the agent may read and analyse the project, but changes nothing. While building this course's calculator, Codex refused to create files in this mode — until we explicitly allowed writing.
  • Workspace-write — it may write, but only inside the project folder. This is the everyday working mode.
  • Cloud — the task runs in an isolated environment with a copy of the repo; it never touches your computer at all.

Approvals: what the agent brings you to sign

Even with writing allowed, Codex asks about exceptional things: network access, changes outside the project folder, installations. The same golden rule as with any agent applies: don't understand = don't approve — have it explain what will happen first.

Limits: 5-hour windows

Your subscription gives you a bundle of cloud tasks per 5-hour window (Plus: dozens; Pro: multiples of that). The practical takeaway: split big plans into smaller tasks over time instead of burning the whole window at once — and handle small things locally, those don't count against cloud limits.

A true story to finish: in early 2026 it turned out that maliciously named branches in other people's GitHub repos could smuggle commands to agents. The lesson: don't clone unknown repos and run an agent over them blindly — the content of somebody else's repo is input to the agent like any other. (The bug was fixed; the principle of caution remains.)

Exercise: spot the risky steps

Seven situations. Click the risky ones (there may be several), then evaluate.

You download an unknown repo from the internet and immediately run the agent over it — let it explore for you.

RISK: the content of a foreign repo is input to the agent — it can carry smuggled instructions (exactly what happened with GitHub branch names). Look at what you're downloading first.

Before running, you check which sandbox mode the agent is in.

The right habit — read-only for exploring, workspace-write for working. You know what the agent may do before it starts.

You put a production API key into AGENTS.md — so the agent has it handy for every task.

RISK: AGENTS.md travels with the project and every tool reads it. Keys never belong there — secrets have safe workflows outside the repo.

A cloud task only gets the repo you assigned to it yourself.

That's exactly how it works — an isolated environment with a copy of one specific project. That's why the cloud is a safe place to experiment.

The agent asks for network access — you click through without reading, you're in a hurry.

RISK: a network approval is exactly the moment to pay attention. Where is it connecting and why? Don't understand = don't approve.

You split a big rework into smaller tasks and send them throughout the day.

Sensible — smaller diffs are easier to review and you won't burn the 5-hour window at once.

You go through every diff before accepting — even when the tests are green.

The foundation of the craft — tests verify nothing broke; whether the changes do what you want, only you can judge.

Summary

  • Sandbox: read-only for exploring, workspace-write for working, cloud = full isolation.
  • Read approvals — network and out-of-project changes are your call.
  • Limits run in 5-hour windows — delegate steadily.
  • Foreign repos = foreign input. Don't clone and run blindly.