Cli Safe Flags
codex.cli-safe-flags
Ensures Codex CLI invocations in CI do not use dangerous permission-bypassing flags. Flags like --full-auto remove safety guardrails that prevent the AI from executing arbitrary code without human approval.
Compatible Integrations
This guardrail works with the following integrations. Click to see how to use Cli Safe Flags with each collector.
Enable This Guardrail
Add the parent policy to your lunar-config.yml to enable this guardrail.
policies:
- uses: github://earthly/lunar-lib/policies/codex@v1.0.5
include: [cli-safe-flags]
# with: ...How This Guardrail Works
This guardrail is part of the Codex Guardrails policy. It evaluates data collected by integrations and produces a pass/fail check with actionable feedback.
When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement of your engineering standards.
Learn How Lunar Works →Configuration Options
These inputs can be configured in your lunar-config.yml to customize
how the parent policy (and this guardrail) behaves.
| Input | Required | Default | Description |
|---|---|---|---|
dangerous_flags
|
Optional |
--dangerously-bypass-approvals-and-sandbox,--yolo,--full-auto
|
Comma-separated dangerous flags for Codex CLI |
Codex Guardrails
This guardrail is part of the Codex Guardrails policy, which includes 2 guardrails for devex build and ci.
Ready to Automate Your Standards?
See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.
AI agent rules & prompt files
Post-mortem action items
Security & compliance policies
Testing & quality requirements