Codex Protect is my personal Codex safety setup for macOS and Windows. It blocks a focused set of destructive shell, Git, and GitHub commands for primary agents and subagents while leaving normal workspace development alone.
Important
This is a personal configuration, not an official OpenAI project or a complete security boundary. Review the policy and validate it in your own environment before relying on it.
- Blocks recursive deletion such as
rm -rf,rmdir, andRemove-Item -Recurse. - Blocks destructive Git operations such as
git reset --hard,git clean,git restore, rebase, force deletion, and push. - Blocks hook bypasses and selected GitHub remote-write operations.
- Applies globally to Codex primary agents and subagents.
- Keeps normal editing, testing, commits, network access, and read-only GitHub work available.
It uses two layers: native Codex prefix rules and a trusted PreToolUse hook for compound or wrapped commands.
Confirm both are available:
bun --version
codex --version
Clone this repository, open the folder in Codex, and paste:
Set up Codex Protect on this machine from the current repository.
Read docs/AGENT_SETUP.md completely and follow it exactly. Inspect my existing global Codex configuration, preserve everything unrelated, prepare backups, run the appropriate repository checks, and show me the exact proposed diff before changing any global file. Stop and wait for my approval.
After I approve, merge only the Codex Protect-owned sections, validate the result, then stop and tell me how to trust the hook through Codex CLI /hooks and restart Codex. Do not run live or destructive tests until I confirm the restart.
After approving the proposed diff:
- Open a terminal and run
codex. - Run
/hooksinside Codex CLI and trust the Codex Protect hook. - Exit the CLI and restart Codex.
- Return to the setup task and ask Codex to run the harmless installed-policy checks.
The Codex app does not currently expose /hooks; hook trust must be completed through the CLI.
| Category | Examples |
|---|---|
| Recursive deletion | rm -r, rm -rf, rm -fr, rmdir, Remove-Item -Recurse |
| Destructive Git | git reset --hard, git clean, git restore, destructive checkout |
| History and branches | rebase, forced branch deletion, upstream changes, tracked branch creation |
| Publishing | git push, force variants, selected gh api writes, PR merge, release mutation |
| Verification bypass | --no-verify, git commit -n |
The exact policy is in config/dangerous-commands.rules and hooks/command-policy.mjs.
approval_policy = "on-request"
sandbox_mode = "workspace-write"
[sandbox_workspace_write]
network_access = trueThese settings let Codex work autonomously inside the workspace while retaining an approval path outside it.
This is defence in depth, not a guarantee against every equivalent deletion path, custom script, API, or future Codex execution mechanism. Use least-privilege credentials, protected branches, and backups as additional safeguards.
Setup details are in docs/AGENT_SETUP.md. Test scripts are in tests/.
