Use the least permission that works
Read-only inspection, local patching, command execution, network access, and production write actions are different risk levels. A task should not receive broad permissions only because it is inconvenient to narrow them.
For many coding tasks, local file edits and project commands are enough. Production credentials, destructive database access, and cloud write permissions should require explicit purpose and review.
Make risky commands explicit
Commands such as deleting files, resetting git state, force-pushing branches, changing infrastructure, or modifying production data should be treated differently from builds and tests.
The prompt should state which operations require confirmation. If the environment enforces approvals, the user still benefits from knowing why the operation is needed.
- Prefer reversible changes during exploration.
- Keep generated artifacts out of final diffs unless they are intended output.
- Report skipped or blocked verification honestly.
Audit external integrations
External connectors should expose only the data and actions needed for the workflow. Logs, links, and stable identifiers make later review easier.
When Codex uses external data to make a decision, ask it to cite the source. When it writes to an external system, require a clear final note of what changed.