How those two settings related to command approval? As I understand sandbox is related to filesystem and network access so I don't think it controls the approvals for commands, right? Also I can't find the trust_level config in the config reference page. There is only a approval_policy setting.

From the docs: approval_policy

When to ask for command approval:

- untrusted: only known-safe read-only commands auto-run; others prompt

- on-request: model decides when to ask (default)

- never: never prompt (risky)

So no option for always ask?

Oh I gotcha, I got it backwards. approval_policy = "untrusted" would be what you're looking for. Then you would use

https://developers.openai.com/codex/rules

Rules. By default I think read-only commands like ls or rg are allowed, but you can write rules that require approval for all commands to harden the approval_policy beyond default

Thanks. I didn't look into the rules section of the docs. In other agents I've used, rules refer to agent instructions, not to configs like it looks to be in codex.

Do you happen to know where can I find the list of commands that are deemed safe to run by codex, when using the "untrusted" setting?