Btw for real tho, if you don't have the time or means to mess with full sandboxed environments, just working within a git repo and instructing on your agents.md project level that the agent should back up dirty files (local changes that were not yet committed) before changing them is enough and super fast and easy to set up. And by back up I just mean a simple instruction to back up to some temp location under random named, but rembered during one "turn" of agent thinking, subfolder ( .../temp/{random}/orginal/tree/file.xyz )
This is so the agent (or you later) can recover even locally changed files if it messes them up for whatever reason.
As for the rest you gotta watch what you're asking for, but generally speaking, these SOTA models are smart, none of them will just delete your stuff even with full access. I've been raw dogging multiple projects on my work machine with zero issues of this kind for months. I created codex_reader read only acccounts for my local databases and just add that to agents.md with a note its allowed to only use that and never had a problem.
So yeah, it won't go on a spree outside of its lane even with full access, but if you give it a box and tell it to go ham, it's on you to make sure you didn't leave precious unrecoverable assets in that box.
So far this has been rock solid, and tens of millions of developers use this setup without issue.
It is not going to wipe our hard disks. At least I hope so. Fable and GPT 5.6 have been ever more proactive, and GPT 5.6 is automating the AppStore on my machine to download an Xcode update while I am typing this.
I believe in both cases it is prompting a model with a fresh context that is tasked with reviewing the reason for the action.
With Claude, I have seen that if the reviewer does reject the proposed action, it responds with a long text about how the Agent should not try to work around this rejection, and instead prompt the user for an explicit approval of the proposed action.
More seriously, I was blindly trusting the auto-classifier from claude code (same as the middle option when you do `/permissions` in codex), and it actually allowed the agent to do pretty hardcore `rm` and `git push --force-with-lease` commands, which I would have expected to have to approve manually. Luckily no major issue from those yet.
The best option imo is the integrated cloud environments from claude code (not sure yet if there's a codex equivalent). It spawns a VM in the cloud where the agent runs, and you can open a PR from the app when it's done. Very smooth experience
Does it auto install all the dev/test tools it needs, maybe including things like web server & browser? Does your code live in the VM, or in some external repository? Is the lifetime of the VM the same as the agent, or does it persist until you remove it?
Where can I find documentation on this?
Never had any issues.