Not specific to OpenAI / Codex, but I'm curious what people are doing to protect themselves from any destructive actions by their coding agents? Just install and pray? Explicity approve all actions? Reconfigure for safety? Run in a sandbox (Docker) ?
I run codex in a dedicated vm, I have a cronjob which resets it to clean installed state every week. Nothing too fancy just bhyve and debian, 8gb mem. It has root access there, can install stuff, no permissions to push to protected branches etc. It didn't take very long to setup, and I can sleep a bit better...
I use the auto-reviewer for actions outside the builtin sandbox.
So far this has been rock solid, and tens of millions of developers use this setup without issue.
It is not going to wipe our hard disks. At least I hope so. Fable and GPT 5.6 have been ever more proactive, and GPT 5.6 is automating the AppStore on my machine to download an Xcode update while I am typing this.
Typically I just want to isolate the agent disallowing it from accessing other parts of the filesystem. Using a different user might be enough, but I typically use [bubblewrap](https://github.com/containers/bubblewrap).
I live in fear lol.
More seriously, I was blindly trusting the auto-classifier from claude code (same as the middle option when you do `/permissions` in codex), and it actually allowed the agent to do pretty hardcore `rm` and `git push --force-with-lease` commands, which I would have expected to have to approve manually. Luckily no major issue from those yet.
The best option imo is the integrated cloud environments from claude code (not sure yet if there's a codex equivalent). It spawns a VM in the cloud where the agent runs, and you can open a PR from the app when it's done. Very smooth experience
I still just explicitly approve all actions and review all code (unless it's a personal/throwaway project no one else will ever touch/use/see). I know a lot of people that run in a sandbox though. That said, I'm sure there are lots of people that just yolo it and hope for the best.
What destructive actions are you afraid of in particular? Honestly the models are pretty smart, I let the agents go --yolo and nothing bad has ever happened (yet) that couldn't be solved with git.
Don't let it outside the sandbox. Don't let it have access to anything but dev environments. Continue using git.
Never had any issues.
YOLO.
Btw for real tho, if you don't have the time or means to mess with full sandboxed environments, just working within a git repo and instructing on your agents.md project level that the agent should back up dirty files (local changes that were not yet committed) before changing them is enough and super fast and easy to set up. And by back up I just mean a simple instruction to back up to some temp location under random named, but rembered during one "turn" of agent thinking, subfolder ( .../temp/{random}/orginal/tree/file.xyz )
This is so the agent (or you later) can recover even locally changed files if it messes them up for whatever reason.
As for the rest you gotta watch what you're asking for, but generally speaking, these SOTA models are smart, none of them will just delete your stuff even with full access. I've been raw dogging multiple projects on my work machine with zero issues of this kind for months. I created codex_reader read only acccounts for my local databases and just add that to agents.md with a note its allowed to only use that and never had a problem.