Why does Codex keep stalling when the approval mode is "Read Only"?

[funct7]

I usually try to approve the code changes instead of letting AI agents run wild,
so my go-to approval mode is "Read Only."

Now, sometimes Codex doesn't complain and gets the work done, But more often than not, it will just stall and complain that because it is in the sandbox mode, it can't make any changes. And then I tell it that it can actually make changes, but it just needs my approval. I tell it to change the code and ask for my approval, and then it will start working.

Sometimes the bash commands, fail, but sometimes they succeed. And whenever the commands fail, it complains about the approval mode being read-only, that it needs to be able to write to the workspace when my experience tells me that if I gaslight Codex into thinking that it can actually make changes, it will actually make changes.

So I'm wondering what's going on here.

Codex is my favorite agentic coding AI, but whenever it complains about read-only mode, it really gets frustrating.

[etraut-openai]

Read-only mode is designed for cases where you don't want the agent to make modifications to your code. It's useful for operations like planning or "explain this code base to me". It's not intended to be used for code generation. For code generation, you should typically use the "Agent" sandboxing mode.

The model learns to work differently based on the sandbox mode that you specify. You might be able to steer it somewhat based on prompting, but you will be working against its trained behaviors if you use read-only mode for code generation tasks.

[funct7]

Hmm.. If that's the case, I feel like we need a better description of what "read-only" mode is or another mode.

Approval policies states:

Codex starts conservatively. Until you explicitly tell it a working directory is trusted, the CLI defaults to read-only. Codex can inspect files and answer questions, but every edit or command requires approval.

which is exactly what I want.

Also in the CLI:

Select Approval Mode
 
› 1. Read Only (current)  Requires approval to edit files and run commands.

I don't want Codex to make changes without approval and have me review after all the damage is done.
This is also the default behavior of most AI CLI tools for coding: ask for approval of the user each step of the way.

I'm pretty sure developers who use AI for coding want this instead of the full-on vibe coding mode.