Codex CLI Dangerous Command Detection Guide (2026): Safer AI Agents After 0.144.5
On July 16, 2026, OpenAI shipped Codex CLI 0.144.5. It wasn't a flashy model launch. It was better: a safety patch that improves dangerous-command detection, including more forced rm forms, and gives clearer rejection reasons when commands are denied.
That matters because coding agents are no longer cute autocomplete toys. They run shell commands, edit repos, install packages, start services, and sometimes try to clean up after themselves. The difference between “helpful cleanup” and “deleted the wrong directory” can be one poorly scoped command.
TL;DR / Key Takeaways
- OpenAI Codex CLI 0.144.5 was released on July 16, 2026 and improved dangerous-command detection for forced
rmcommand forms. - Codex CLI 0.144.5 provides clearer rejection reasons when commands are denied, which helps developers debug approval policies.
- GPT-5.6 Sol costs $5.00 per million input tokens and $30.00 per million output tokens with a 1,050,000-token context window.
- GPT-5.6 Terra costs $2.50 per million input tokens and $15.00 per million output tokens with a 1,050,000-token context window.
- GPT-5.6 Luna costs $1.00 per million input tokens and $6.00 per million output tokens with a 1,050,000-token context window.
Why this patch deserves attention
Most production incidents caused by coding agents are boring. Not sci-fi. Not “the model became sentient.” Usually the agent had too much file-system access, the instruction was vague, and a shell command did exactly what the shell was told to do.
Codex rejecting more dangerous command forms is a useful guardrail. But don't read it as permission to loosen your setup. The right lesson is the opposite: agent safety should be layered. The model should avoid risky actions, the CLI should detect risky commands, your approval mode should block writes when needed, and your repo should make rollback easy.
Pricing table: models commonly used with Codex workflows
| Model | Input price | Output price | Context window |
|---|---|---|---|
| GPT-5.6 Sol | $5.00 per 1M tokens | $30.00 per 1M tokens | 1,050,000 tokens |
| GPT-5.6 Terra | $2.50 per 1M tokens | $15.00 per 1M tokens | 1,050,000 tokens |
| GPT-5.6 Luna | $1.00 per 1M tokens | $6.00 per 1M tokens | 1,050,000 tokens |
| GPT-5.3-Codex | $1.75 per 1M tokens | $14.00 per 1M tokens | 400,000 tokens |
One pricing detail is easy to miss: GPT-5.6 requests with more than 272,000 input tokens are priced at 2x input and 1.5x output for the full request. If your agent casually drags a whole monorepo into context, your safety and cost problems become the same problem.
Model comparison for Codex-style work
| Option | Best for | Key limitation | Practical routing rule |
|---|---|---|---|
| GPT-5.6 Sol | Complex refactors, computer use, security review, ambiguous tasks | Highest GPT-5.6 cost at $5.00 input and $30.00 output per 1M tokens | Use when mistakes are expensive or the task needs judgment. |
| GPT-5.6 Terra | Everyday coding, tests, medium-difficulty debugging | Less depth than Sol on hard multi-step work | Use as the default for most agent runs. |
| GPT-5.6 Luna | Extraction, formatting, simple edits, repeatable CI tasks | Not the model to trust with risky architecture changes | Use for high-volume tasks with clear acceptance criteria. |
| GPT-5.3-Codex | Agentic coding tasks where a 400,000-token context is enough | Smaller context than GPT-5.6 models | Use when you want coding-focused behavior and predictable cost. |
Upgrade first, then tighten your policy
Start with the simple upgrade:
npm install -g @openai/[email protected]
codex --version
Then run your normal workflow on a clean branch. Don't test a safety release on a dirty working tree. That sounds obvious until a tool tries to “remove generated files” and you realize your uncommitted changes were sitting in the same path.
git status --short
git switch -c test/codex-0-144-5-safety
codex
If you're using API-key authentication through an OpenAI-compatible gateway, keep the base URL and key in environment variables rather than hardcoding them in scripts:
export OPENAI_API_KEY="$YOUR_API_KEY"
export OPENAI_BASE_URL="https://api.kissapi.ai/v1"
codex -m gpt-5.6-terra
KissAPI can be useful here if you want one OpenAI-compatible endpoint for GPT-style models and fallback routing experiments. Keep it boring: one endpoint, explicit model names, logs you can inspect, and no magic in the shell script.
Safer approval modes: what to allow automatically
A good default is to let the agent read freely and ask before writing. Reads are still sensitive in private repos, but they don't destroy state. Writes do.
- Safe to auto-allow:
git diff,git status,ls,cat, targeted test commands, and package-manager dry runs. - Ask first: file writes, dependency installs, migrations, service restarts, broad formatters, and commands that modify lockfiles.
- Block or isolate: destructive deletion, recursive permission changes, commands against home directories, production SSH, and anything touching secrets.
Codex CLI 0.144.5 can reject more dangerous command shapes, but your approval policy should make the bad path hard to reach in the first place.
A small wrapper that stops sloppy agent runs
This wrapper is intentionally dull. It checks for a clean repo, starts a branch, and makes the model explicit.
#!/usr/bin/env bash
set -euo pipefail
if [[ -n "$(git status --porcelain)" ]]; then
echo "Stop: commit or stash local changes before running Codex."
exit 1
fi
branch="agent/$(date +%Y%m%d-%H%M%S)"
git switch -c "$branch"
export OPENAI_BASE_URL="${OPENAI_BASE_URL:-https://api.kissapi.ai/v1}"
exec codex -m "${CODEX_MODEL:-gpt-5.6-terra}"
That one check has saved more teams than clever prompt engineering. Agents are easier to trust when every run starts from a recoverable state.
Use model routing as a safety control
Model routing is usually discussed as a cost trick. It is also a safety trick. Don't send a risky database migration to a cheap model just because the prompt is short. Don't send 200 tiny rename tasks to Sol just because it's the strongest model.
def choose_model(task_type: str, risk: str) -> str:
if risk == "high":
return "gpt-5.6-sol"
if task_type in {"format", "extract", "rename", "summarize"}:
return "gpt-5.6-luna"
return "gpt-5.6-terra"
Pair that with approval levels. High-risk tasks get Sol and manual approval. Low-risk tasks get Luna and a narrow writable root. Most normal work gets Terra.
What to log
Log rejected commands. Log approved commands. Log the model, reasoning effort, working directory, and token usage. When a command is denied, keep the rejection reason. OpenAI explicitly improved clearer rejection reasons in 0.144.5; don't throw that signal away.
{
"agent": "codex-cli",
"version": "0.144.5",
"model": "gpt-5.6-terra",
"command": "rm -rf build/",
"decision": "denied",
"reason": "dangerous command pattern",
"repo": "billing-service",
"branch": "agent/20260717-0800"
}
This is also where a gateway helps. With KissAPI, you can keep model usage in one place while you test routing rules across development workflows.
Build safer AI coding workflows with one API endpoint
Use KissAPI to test GPT-5.6 model routing, fallback behavior, and token costs through an OpenAI-compatible API.
Start FreeFAQ
What changed in Codex CLI 0.144.5?
OpenAI says Codex CLI 0.144.5 improved dangerous-command detection, including more forced rm forms, and gives clearer rejection reasons when commands are denied.
Does this mean Codex CLI is safe to run without approvals?
No. It is safer than before, not risk-free. Keep approvals for writes and destructive commands, use version control, and isolate writable paths for agent runs.
Which GPT-5.6 model should I use with Codex?
Use GPT-5.6 Terra as the daily default, GPT-5.6 Sol for high-risk or ambiguous work, and GPT-5.6 Luna for cheap repeatable tasks with clear expected output.