Lesson 4 / 7 · ~10 minutes
Guardrails: sandbox,
approvals and limits
Out of the box, Codex is more cautious than you'd expect — and that's its best trait. This lesson teaches you to know and use the safety nets, not switch them off.
The sandbox: from reading to writing
- Read-only — the base mode: the agent may read and analyse the project, but changes nothing. While building this course's calculator, Codex refused to create files in this mode — until we explicitly allowed writing.
- Workspace-write — it may write, but only inside the project folder. This is the everyday working mode.
- Cloud — the task runs in an isolated environment with a copy of the repo; it never touches your computer at all.
Approvals: what the agent brings you to sign
Even with writing allowed, Codex asks about exceptional things: network access, changes outside the project folder, installations. The same golden rule as with any agent applies: don't understand = don't approve — have it explain what will happen first.
Limits: 5-hour windows
Your subscription gives you a bundle of cloud tasks per 5-hour window (Plus: dozens; Pro: multiples of that). The practical takeaway: split big plans into smaller tasks over time instead of burning the whole window at once — and handle small things locally, those don't count against cloud limits.
Exercise: spot the risky steps
Seven situations. Click the risky ones (there may be several), then evaluate.
RISK: the content of a foreign repo is input to the agent — it can carry smuggled instructions (exactly what happened with GitHub branch names). Look at what you're downloading first.
The right habit — read-only for exploring, workspace-write for working. You know what the agent may do before it starts.
RISK: AGENTS.md travels with the project and every tool reads it. Keys never belong there — secrets have safe workflows outside the repo.
That's exactly how it works — an isolated environment with a copy of one specific project. That's why the cloud is a safe place to experiment.
RISK: a network approval is exactly the moment to pay attention. Where is it connecting and why? Don't understand = don't approve.
Sensible — smaller diffs are easier to review and you won't burn the 5-hour window at once.
The foundation of the craft — tests verify nothing broke; whether the changes do what you want, only you can judge.
Summary
- Sandbox: read-only for exploring, workspace-write for working, cloud = full isolation.
- Read approvals — network and out-of-project changes are your call.
- Limits run in 5-hour windows — delegate steadily.
- Foreign repos = foreign input. Don't clone and run blindly.