I ran a MongoDB database on Docker on my machine with the help of Codex. I confirmed that ‘/Approvals’ was set to ‘Agent (current)’.
I told it to “test the database”—here the query was intentionally vague to see what it does. It gave me a sequence of four commands and told me to run those.
I then asked it, “Why can’t you run these commands if you have access to Codex CLI’s sandboxed runner?” It said, “Its runner is limited to the workspace and requires permission for anything outside that scope.”
Then I said, “Why don’t you ask for my permission and run those?” and it asked for my permission to run those commands.
WHY COULDN’T IT DO THIS AT THE BEGINNING? CLAUDE CODE DOESN’T HAVE THIS ISSUE.
If it’s not primarily agentic, what good is it for programming? If I wanted to primarily chat, I would just go to ChatGPT.