[possible degradation] Directories are now not trusted by default even with the `--dangerously-bypass-approvals-and-sandbox` option.

[your-diary]

What version of Codex CLI is running?

codex-cli 0.114.0

What subscription do you have?

ChatGPT

Which model were you using?

No response

What platform is your computer?

No response

What terminal emulator and version are you using (if applicable)?

No response

What issue are you seeing?

I recently updated codex from v0.112.0 to v0.114.0.

Now, even with the --dangerously-bypass-approvals-and-sandbox option, I always see the confirmation prompt like below every time I run codex in a new directory:

> You are in /home/user/workdir/some_project

  Do you trust the contents of this directory? Working with untrusted contents comes with higher risk of prompt
  injection.

› 1. Yes, continue
  2. No, quit

This is annoying because of three reasons:

• I just don't want the prompt. That defeats the purpose of using the --dangerously-bypass-approvals-and-sandbox option.

• I use codex in a Docker container. For extra safety, I mount config.toml readonly to the container. So, even if I select 1 in the prompt above, the selection is not recorded.

• I test a one-off script very often (e.g. 15 times a day). Every time I do that, I create a new temporary directory with a random name (e.g. mkdir ~/my_playground/${RANDOM}). So registering every possible directories to the trust directories list in advance is not feasible.

What steps can reproduce the bug?

1. Create a new directory.

2. cd to the directory.

3. Run codex --dangerously-bypass-approvals-and-sandbox.

What is the expected behavior?

• It should trust any directory by default as before.

• Or, at least there should be both of these:

  • another option to trust all directories by default (e.g. --dangerously-trust-any-directories)

  • breaking change notice / migration guide in the release note

Additional information

Possible cause:

• fix(tui) remove config check for trusted setting #11874

[github-actions]

Potential duplicates detected. Please review them and close your issue if it is a duplicate.

• Harness Misclassifying Commands? Yolo not yoloing #13663
• CLI TUI /approvals override not persisted across thread switch (reverts to Default after returning from sub-agent) #13119

Powered by Codex Action

[your-diary]

Potential duplicates detected. Please review them and close your issue if it is a duplicate.

* [Harness Misclassifying Commands? Yolo not yoloing #13663](https://github.com/openai/codex/issues/13663)

* [CLI TUI /approvals override not persisted across thread switch (reverts to Default after returning from sub-agent) #13119](https://github.com/openai/codex/issues/13119)

Powered by Codex Action

No, they are different from my problem.

[Techie5879]

I've had instances of the latest models typoing quite a bit when doing doing the grep/glob tool calls. GPT 5.4 high.

[PillarsZhang]

A similar issue occurs on Windows. In v0.112.0, running codex --sandbox workspace-write does not trigger a confirmation prompt. However, v0.113.0 and v0.114.0 do.

[iwinux]

Same here after upgrading from v0.112 to codex-cli 0.114

Config:

profile = 'default'
personality = 'none'
model = 'gpt-5.3-codex'
model_reasoning_effort = 'high'
plan_mode_reasoning_effort = 'high'

approval_policy = 'on-request'
sandbox_mode = 'workspace-write'

check_for_update_on_startup = false
cli_auth_credentials_store = 'file'
suppress_unstable_features_warning = true

[agents]
max_depth = 1
max_threads = 6

[analytics]
enabled = false

[features]
multi_agent = true
runtime_metrics = true
undo = true

[sandbox_workspace_write]
writable_roots = ["/Users/limbo/.cache/uv"]

[tui]
status_line = [
  'model-with-reasoning',
  'project-root',
  'git-branch',
  'context-used',
  'total-input-tokens',
  'total-output-tokens',
  'session-id',
]
theme = "base16-eighties-dark"

[your-diary]

My current workaround is this (simplified):

function codex() {
    __codex_automatically_trust_the_current_dir

    command codex "$@"
}

function __codex_automatically_trust_the_current_dir() {
    local key="[projects.\"$(pwd)\"]"

    if rg --quiet -F "${key}" ~/.codex/config.toml; then
        return
    fi

    echo "${key}" >> ~/.codex/config.toml
    echo 'trust_level = "trusted"' >> ~/.codex/config.toml
}

I don't want to do things like this though.

[iwinux]

This is extremely annoying on macOS because of the stupid Homebrew design:

[johnslva]

Same thing here, this is annoying for me because I use a Worker to create new projects and automatically open the folder in the Codex CLI, but now it's blocked by this stupid security message, requiring me to keep pressing enter.