Codex CLI: Runtime Permission Requests During Agent Turns


Codex CLI 0.113.0 introduced a built-in request_permissions tool that allows running agent turns to request additional sandbox permissions at runtime, rather than requiring the user to pre-configure access upfront. Alongside this, OpenAI added a new permission-profile config language with split filesystem and network sandbox policy plumbing, enabling developers to define fine-grained, composable access rules per tool invocation. Together, these changes give teams far more precise control over what agents can access, and when, without resorting to blanket privilege escalation.


Runtime Permission Requests in Codex CLI

Codex CLI 0.113.0 introduced a significant evolution in how agents handle access control during active sessions. The release adds a built-in request_permissions tool that enables running agent turns to request additional sandbox permissions at runtime, complete with new TUI rendering to surface those approval calls to the user in real time.

How Runtime Permission Requests Work

Previously, sandbox permissions in Codex CLI were configured upfront: developers set a sandbox mode (read-only, workspace-write, or danger-full-access) and the agent operated within those bounds for the entire session. If a task required elevated access partway through a workflow, there was no mechanism for the agent to ask dynamically; the user had to manually adjust the configuration.

With the request_permissions tool, Codex agents can now pause mid-turn and explicitly request expanded access for a specific operation. The request surfaces in the TUI as a structured approval prompt, giving the user full visibility into what is being asked and why. The user can grant or deny the request without interrupting the broader session flow.

Permission-Profile Config Language

Beyond runtime requests, 0.113.0 also introduces a new permission-profile config language that brings split filesystem and network sandbox policy plumbing to the Codex configuration layer. Developers can now define separate, composable policies for filesystem access and network access, rather than applying a single unified sandbox mode across both dimensions.

This split-policy approach allows more precise control: permitting workspace-wide filesystem writes while keeping network access restricted to a specific allow-list of domains, for example. The configuration also supports additive privilege handling: when a plugin or skill requires elevated permissions, those can be scoped to individual tool calls rather than elevating the entire session.

Bug Fixes Related to Permissions

The release also fixed network proxy policy parsing to reject global wildcard (*) domains while preserving scoped wildcard support, and corrected approval payload compatibility for macOS automation permissions to accept both supported input shapes, resolving edge cases that previously produced silent failures.
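
The wildcard rule described above, as an added Rust example (not Codex CLI's own code): an allow-list parser that fails closed on a global wildcard while still accepting scoped wildcards, plus a matcher that respects label boundaries. The pattern syntax ("*.example.com" for a scoped wildcard, a bare host name for an exact match) and all type and function names are assumptions for illustration; the page does not specify Codex's format.

```rust
// Added illustration, not Codex CLI source. Assumed pattern syntax:
// exact host ("api.example.com") or scoped wildcard ("*.example.com").
#[derive(Debug, PartialEq)]
enum Pattern {
    Exact(String),
    Subdomains(String), // "*.example.com" is stored as "example.com"
}

#[derive(Debug, PartialEq)]
enum PolicyError { GlobalWildcard, Malformed }

fn valid_host(h: &str) -> bool {
    h.split('.').all(|l| {
        !l.is_empty() && !l.starts_with('-') && !l.ends_with('-')
            && l.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
    })
}

fn parse_pattern(raw: &str) -> Result<Pattern, PolicyError> {
    let p = raw.trim().trim_end_matches('.').to_ascii_lowercase();
    // "*", "*." and "*.*" would each match every destination: fail closed.
    if !p.is_empty() && p.chars().all(|c| c == '*' || c == '.') {
        return Err(PolicyError::GlobalWildcard);
    }
    let (base, wildcard) = match p.strip_prefix("*.") {
        Some(rest) => (rest, true),
        None => (p.as_str(), false),
    };
    if !valid_host(base) {
        return Err(PolicyError::Malformed); // e.g. "*example.com", "a.*.com"
    }
    Ok(if wildcard { Pattern::Subdomains(base.into()) } else { Pattern::Exact(base.into()) })
}

fn allows(pattern: &Pattern, host: &str) -> bool {
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    match pattern {
        Pattern::Exact(e) => host == *e,
        // Require a label boundary so "evilexample.com" does not match.
        Pattern::Subdomains(base) => host
            .strip_suffix(base.as_str())
            .map_or(false, |rest| rest.len() > 1 && rest.ends_with('.')),
    }
}

fn main() {
    for raw in ["*", "*.example.com", "api.example.com", "*example.com"] {
        println!("{raw:?} -> {:?}", parse_pattern(raw));
    }
}
```

In this sketch a scoped wildcard does not cover the apex domain itself, and a TLD-wide pattern such as "*.com" still parses as scoped; a stricter policy could reject those against the Public Suffix List.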

Impact for Developers

For teams running Codex in CI pipelines, enterprise environments, or multi-agent workflows, these permission improvements meaningfully reduce the tradeoff between autonomy and security. Agents can now operate with minimal standing permissions and escalate only when a specific task demands it, applying the principle of least privilege dynamically to AI-assisted workflows.