Skip to content

vanzan01/codex-protect

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Codex Protect — Destructive Command Guardrails for OpenAI Codex

Codex Protect architecture

Codex Protect is my personal Codex safety setup for macOS and Windows. It blocks a focused set of destructive shell, Git, and GitHub commands for primary agents and subagents while leaving normal workspace development alone.

Important

This is a personal configuration, not an official OpenAI project or a complete security boundary. Review the policy and validate it in your own environment before relying on it.

What it does

  • Blocks recursive deletion such as rm -rf, rmdir, and Remove-Item -Recurse.
  • Blocks destructive Git operations such as git reset --hard, git clean, git restore, rebase, force deletion, and push.
  • Blocks hook bypasses and selected GitHub remote-write operations.
  • Applies globally to Codex primary agents and subagents.
  • Keeps normal editing, testing, commits, network access, and read-only GitHub work available.

It uses two layers: native Codex prefix rules and a trusted PreToolUse hook for compound or wrapped commands.

Requirements

Confirm both are available:

bun --version
codex --version

Set it up with Codex

Clone this repository, open the folder in Codex, and paste:

Set up Codex Protect on this machine from the current repository.

Read docs/AGENT_SETUP.md completely and follow it exactly. Inspect my existing global Codex configuration, preserve everything unrelated, prepare backups, run the appropriate repository checks, and show me the exact proposed diff before changing any global file. Stop and wait for my approval.

After I approve, merge only the Codex Protect-owned sections, validate the result, then stop and tell me how to trust the hook through Codex CLI /hooks and restart Codex. Do not run live or destructive tests until I confirm the restart.

After approving the proposed diff:

  1. Open a terminal and run codex.
  2. Run /hooks inside Codex CLI and trust the Codex Protect hook.
  3. Exit the CLI and restart Codex.
  4. Return to the setup task and ask Codex to run the harmless installed-policy checks.

The Codex app does not currently expose /hooks; hook trust must be completed through the CLI.

Blocked by default

Category Examples
Recursive deletion rm -r, rm -rf, rm -fr, rmdir, Remove-Item -Recurse
Destructive Git git reset --hard, git clean, git restore, destructive checkout
History and branches rebase, forced branch deletion, upstream changes, tracked branch creation
Publishing git push, force variants, selected gh api writes, PR merge, release mutation
Verification bypass --no-verify, git commit -n

The exact policy is in config/dangerous-commands.rules and hooks/command-policy.mjs.

Recommended Codex settings

approval_policy = "on-request"
sandbox_mode = "workspace-write"

[sandbox_workspace_write]
network_access = true

These settings let Codex work autonomously inside the workspace while retaining an approval path outside it.

Limits

This is defence in depth, not a guarantee against every equivalent deletion path, custom script, API, or future Codex execution mechanism. Use least-privilege credentials, protected branches, and backups as additional safeguards.

Setup details are in docs/AGENT_SETUP.md. Test scripts are in tests/.

License

MIT

About

Destructive command guardrails for OpenAI Codex agents and subagents. Blocks rm -rf, dangerous Git operations, pushes, and selected GitHub writes without sacrificing workspace autonomy.

Topics

Resources

License

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors