The modern generation of coding agents is powerful in part because of its access permissions. These agents have a few built-in functions for the most obvious operations (writing files, editing strings), but other than that they mostly generate what they need ad hoc. Their bash tool is by far their most powerful because it's the most expressive. You can run some ad hoc Python to test out some logic, run a compilation pass, or curl a website. It's Turing complete, for gosh sake.
It's also by far the most dangerous. You probably wouldn't give your new intern access to the prod credentials. But an arbitrary bash session could certainly provide that permissions escalation, if not delete your home directory from disk outright.
The safest way to run any coding agent is within virtualization. Boot up a container with a limited scope, a git-branched workspace of what you're working on, and all the tools it will need to get the job done. I'm willing to wager a large sum that almost no one does that. --dangerously-skip-permissions is well named, but most people just shrug and let it run.
One solution that balances permissions and danger is the command whitelist. You see this in Claude Code and Cursor when run in the normal mode. Every command execution asks you, a real human being, if you feel comfortable with the agent doing that same command in the future. A swift build? Perfectly safe. An rm -rf? Nah, let's skip that one for now. But command whitelists are brittle and a bit annoying. If you need to run the command in a new directory, sometimes the cd command will block because it hasn't been approved yet. It's fully impractical if you step away from your computer and aren't available in the loop for the approval.
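The brittleness described above, as an added example (not code from Claude Code, Cursor or Codex): a Python allowlist check that splits a shell line into its chained commands and requires every one of them to match an approved prefix. The approved list and all function names are assumptions made for illustration.

```python
import shlex  # needs Python 3.8+ for punctuation_chars with whitespace_split

# Constructed allowlist of approved argv prefixes (an assumption for this example).
APPROVED = [("swift", "build"), ("git", "status")]
SEPARATOR_CHARS = set("();<>|&")  # the set shlex uses for punctuation_chars=True


def split_segments(command):
    """Split a shell line into one argv list per chained command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    for token in lexer:
        # Runs such as '&&', ';' or '|' start a new command. A quoted '&&'
        # also lands here, which errs toward asking rather than running.
        if token and set(token) <= SEPARATOR_CHARS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(token)
    if current:
        segments.append(current)
    return segments


def is_approved(argv, approved=APPROVED):
    """True when argv starts with an approved prefix, compared token by token."""
    return any(tuple(argv[:len(prefix)]) == prefix for prefix in approved)


def decide(command, approved=APPROVED):
    """Return ('run', []) or ('ask', [segments that still need a human])."""
    # Substitutions and newlines can run commands the tokenizer does not split out.
    if any(marker in command for marker in ("`", "$(", "\n")):
        return "ask", [command]
    try:
        segments = split_segments(command)
    except ValueError:  # unbalanced quotes: do not guess
        return "ask", [command]
    pending = [" ".join(s) for s in segments if not is_approved(s, approved)]
    return ("ask" if pending or not segments else "run"), pending


if __name__ == "__main__":
    for line in ("swift build", "cd Sources && swift build",
                 "swift build; rm -rf build"):
        print(f"{line!r:32} -> {decide(line)}")
```

The second sample line reproduces the cd prompt from the paragraph above even though swift build is approved; the third shows why matching the raw string against an approved prefix, instead of checking each chained command, would not be a safe shortcut.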
But the tides are a-changing.
Codex Permissions
I've been trying out the Codex CLI with gpt-5-codex high for the last couple of weeks. So far I like it. I was specifically having it iterate on a Swift project to resolve some compilation issues by continuously running swift build before it yielded back. The command was running but it kept failing with a clang permissions error. Clang was installed and working fine when I ran it manually, so I wasn't immediately sure what code path or environment variable was causing the issue.
Turns out Codex launches by default in the mode where it only has access to the current folder. Running /approvals shows you what mode you're actually in. It supports three different ones:
Read Only - Codex can read files and answer questions. Requires approval for edits, commands, or network access
Auto (current) - Can read files, make edits, and run commands in the workspace. Requires approval for workspace-external or network access
Full Access - Can read files, make edits, and run commands with network access, without approval
Read Only and Full Access are pretty obvious implementations. Read Only basically only allows access to grep and cat. And Full Access throws caution to the wind and just gives your agent full access to the terminal.