Codex CLI Dangerous Command Detection Guide (2026): Safer AI Agents After 0.144.5

On July 16, 2026, OpenAI shipped Codex CLI 0.144.5. It wasn't a flashy model launch. It was better: a safety patch that improves dangerous-command detection, including more forced rm forms, and gives clearer rejection reasons when commands are denied.

That matters because coding agents are no longer cute autocomplete toys. They run shell commands, edit repos, install packages, start services, and sometimes try to clean up after themselves. The difference between “helpful cleanup” and “deleted the wrong directory” can be one poorly scoped command.

TL;DR / Key Takeaways

  • OpenAI Codex CLI 0.144.5 was released on July 16, 2026 and improved dangerous-command detection for forced rm command forms.
  • Codex CLI 0.144.5 provides clearer rejection reasons when commands are denied, which helps developers debug approval policies.
  • GPT-5.6 Sol costs $5.00 per million input tokens and $30.00 per million output tokens with a 1,050,000-token context window.
  • GPT-5.6 Terra costs $2.50 per million input tokens and $15.00 per million output tokens with a 1,050,000-token context window.
  • GPT-5.6 Luna costs $1.00 per million input tokens and $6.00 per million output tokens with a 1,050,000-token context window.

Why this patch deserves attention

Most production incidents caused by coding agents are boring. Not sci-fi. Not “the model became sentient.” Usually the agent had too much file-system access, the instruction was vague, and a shell command did exactly what the shell was told to do.

Codex rejecting more dangerous command forms is a useful guardrail. But don't read it as permission to loosen your setup. The right lesson is the opposite: agent safety should be layered. The model should avoid risky actions, the CLI should detect risky commands, your approval mode should block writes when needed, and your repo should make rollback easy.

Pricing table: models commonly used with Codex workflows

ModelInput priceOutput priceContext window
GPT-5.6 Sol$5.00 per 1M tokens$30.00 per 1M tokens1,050,000 tokens
GPT-5.6 Terra$2.50 per 1M tokens$15.00 per 1M tokens1,050,000 tokens
GPT-5.6 Luna$1.00 per 1M tokens$6.00 per 1M tokens1,050,000 tokens
GPT-5.3-Codex$1.75 per 1M tokens$14.00 per 1M tokens400,000 tokens

One pricing detail is easy to miss: GPT-5.6 requests with more than 272,000 input tokens are priced at 2x input and 1.5x output for the full request. If your agent casually drags a whole monorepo into context, your safety and cost problems become the same problem.

Model comparison for Codex-style work

OptionBest forKey limitationPractical routing rule
GPT-5.6 SolComplex refactors, computer use, security review, ambiguous tasksHighest GPT-5.6 cost at $5.00 input and $30.00 output per 1M tokensUse when mistakes are expensive or the task needs judgment.
GPT-5.6 TerraEveryday coding, tests, medium-difficulty debuggingLess depth than Sol on hard multi-step workUse as the default for most agent runs.
GPT-5.6 LunaExtraction, formatting, simple edits, repeatable CI tasksNot the model to trust with risky architecture changesUse for high-volume tasks with clear acceptance criteria.
GPT-5.3-CodexAgentic coding tasks where a 400,000-token context is enoughSmaller context than GPT-5.6 modelsUse when you want coding-focused behavior and predictable cost.

Upgrade first, then tighten your policy

Start with the simple upgrade:

npm install -g @openai/[email protected]
codex --version

Then run your normal workflow on a clean branch. Don't test a safety release on a dirty working tree. That sounds obvious until a tool tries to “remove generated files” and you realize your uncommitted changes were sitting in the same path.

git status --short
git switch -c test/codex-0-144-5-safety
codex

If you're using API-key authentication through an OpenAI-compatible gateway, keep the base URL and key in environment variables rather than hardcoding them in scripts:

export OPENAI_API_KEY="$YOUR_API_KEY"
export OPENAI_BASE_URL="https://api.kissapi.ai/v1"
codex -m gpt-5.6-terra

KissAPI can be useful here if you want one OpenAI-compatible endpoint for GPT-style models and fallback routing experiments. Keep it boring: one endpoint, explicit model names, logs you can inspect, and no magic in the shell script.

Safer approval modes: what to allow automatically

A good default is to let the agent read freely and ask before writing. Reads are still sensitive in private repos, but they don't destroy state. Writes do.

Codex CLI 0.144.5 can reject more dangerous command shapes, but your approval policy should make the bad path hard to reach in the first place.

A small wrapper that stops sloppy agent runs

This wrapper is intentionally dull. It checks for a clean repo, starts a branch, and makes the model explicit.

#!/usr/bin/env bash
set -euo pipefail

if [[ -n "$(git status --porcelain)" ]]; then
  echo "Stop: commit or stash local changes before running Codex."
  exit 1
fi

branch="agent/$(date +%Y%m%d-%H%M%S)"
git switch -c "$branch"

export OPENAI_BASE_URL="${OPENAI_BASE_URL:-https://api.kissapi.ai/v1}"
exec codex -m "${CODEX_MODEL:-gpt-5.6-terra}"

That one check has saved more teams than clever prompt engineering. Agents are easier to trust when every run starts from a recoverable state.

Use model routing as a safety control

Model routing is usually discussed as a cost trick. It is also a safety trick. Don't send a risky database migration to a cheap model just because the prompt is short. Don't send 200 tiny rename tasks to Sol just because it's the strongest model.

def choose_model(task_type: str, risk: str) -> str:
    if risk == "high":
        return "gpt-5.6-sol"
    if task_type in {"format", "extract", "rename", "summarize"}:
        return "gpt-5.6-luna"
    return "gpt-5.6-terra"

Pair that with approval levels. High-risk tasks get Sol and manual approval. Low-risk tasks get Luna and a narrow writable root. Most normal work gets Terra.

What to log

Log rejected commands. Log approved commands. Log the model, reasoning effort, working directory, and token usage. When a command is denied, keep the rejection reason. OpenAI explicitly improved clearer rejection reasons in 0.144.5; don't throw that signal away.

{
  "agent": "codex-cli",
  "version": "0.144.5",
  "model": "gpt-5.6-terra",
  "command": "rm -rf build/",
  "decision": "denied",
  "reason": "dangerous command pattern",
  "repo": "billing-service",
  "branch": "agent/20260717-0800"
}

This is also where a gateway helps. With KissAPI, you can keep model usage in one place while you test routing rules across development workflows.

Build safer AI coding workflows with one API endpoint

Use KissAPI to test GPT-5.6 model routing, fallback behavior, and token costs through an OpenAI-compatible API.

Start Free

FAQ

What changed in Codex CLI 0.144.5?

OpenAI says Codex CLI 0.144.5 improved dangerous-command detection, including more forced rm forms, and gives clearer rejection reasons when commands are denied.

Does this mean Codex CLI is safe to run without approvals?

No. It is safer than before, not risk-free. Keep approvals for writes and destructive commands, use version control, and isolate writable paths for agent runs.

Which GPT-5.6 model should I use with Codex?

Use GPT-5.6 Terra as the daily default, GPT-5.6 Sol for high-risk or ambiguous work, and GPT-5.6 Luna for cheap repeatable tasks with clear expected output.