Codex on macOS, the negative list: what it refuses to do outside the browser.

No. The Codex Computer Use docs are explicit: it cannot automate terminal apps or Codex itself, since automating them could circumvent Codex security policies. That covers Terminal.app, iTerm2, Warp, Ghostty, Alacritty, kitty, Hyper, anything that registers as a terminal-class app. If your task is 'open Terminal and run xcode-select install', Codex will refuse the click. The Codex CLI is the OpenAI-blessed path for shell work, but the CLI runs inside its own Seatbelt sandbox and does not drive other GUI apps. So 'use Codex to operate Terminal' is a path that is closed at both ends.

OpenAI's launch documentation states: 'Computer use is currently available on macOS, except in the European Economic Area, the United Kingdom, and Switzerland at launch.' OpenAI has not published the underlying reasoning publicly, but the geo-fence pattern is consistent with how OpenAI staged ChatGPT memory, voice, and Advanced Data Analysis previously, where new agentic features wait on regional regulatory review. The practical consequence: a Mac user in Berlin, Dublin, London, or Zurich can install the Codex app and use the chat and CLI, but the Computer Use cursor will not move on their machine.

No. The doc states the feature 'cannot approve security and privacy permission prompts on the computer.' This means: when an app the user is touching pops up the standard macOS dialog asking for camera, microphone, files, contacts, calendar, accessibility, or screen recording access, Codex stops there. It will not move the cursor over Allow. The same applies to admin authentication prompts (the password dialog for sudo-class system changes); Codex will not authenticate as administrator. Both gates exist so a runaway agent cannot widen its own permissions, which is correct security policy but also a real workflow ceiling.

Once per app per machine, with an opt-out. From the docs: 'During a task, Codex asks for your permission before it can use an app on your computer. You can choose Always allow so Codex can use that app in the future without asking again.' The Always allow list is editable in the Computer Use section of Codex settings. So for a recurring workflow that touches Slack, Notes, and Mail, the friction is three approvals on the first run and zero on subsequent runs. For a one-off workflow that touches an unfamiliar app, you sit through one approval per app in real time.

It leaves your machine. The OpenAI docs state plainly: 'Screenshots and visible content become part of Codex's processing context and are subject to ChatGPT's data controls.' Codex Computer Use is screenshot-and-cursor: it captures pixels, sends them to OpenAI for the model to plan the next move, and dispatches the click or keystroke locally. That is a fundamentally different data-flow from a local accessibility-API agent, which reads the in-process AX tree and never leaves the machine for tool routing. If you are operating a CRM with customer PII, a finance app with account balances, or a 1Password panel, you are uploading those frames to ChatGPT for the duration of the task.

Sometimes, but with a documented gap. The Computer Use page calls this out explicitly: 'Desktop app modifications may not appear in review panels until saved to disk.' Codex's review and rollback tooling is built around file diffs, not in-memory state. If Codex types a paragraph into Notes or Pages and you have not saved, the review panel does not show that change, which means a 'rewind' may leave the typed content in the app. The pragmatic workaround is to ask Codex to save (Cmd-S) before approving any sensitive change.

Slack, Figma, Xcode, and the rest are bounded apps. The worst Codex can do is post a wrong message or move a Figma frame. Terminal is unbounded: a single line can rm -rf, exfiltrate data with curl, install a launchd job, or chain into another shell. Letting an agent type into Terminal hands it the keys to the OS. OpenAI's mitigation is to ban it at the agent layer and offer the Codex CLI as the audited alternative, which executes inside a sandbox-exec profile that limits filesystem and network reach. The sandbox-exec approach is itself imperfect (a developer's hands-on writeup at jhartman.pl/posts/macos/2026-02-02-codex-in-the-jail/ documents 'sandbox-exec is too brittle for this use case'), but it is at least introspectable.

Fazm uses macOS accessibility APIs to drive non-browser apps directly, without screenshot egress. The tool routing is in Desktop/Sources/Chat/ChatPrompts.swift around line 101 in the open source repo: desktop apps go through `mcp__macos-use__*` tools (Finder, Mail, Settings, Notes, Terminal), the browser goes through Playwright, WhatsApp goes through a native MCP that drives the Catalyst app, and Telegram goes through a Python telethon path that bypasses the GUI entirely. There is no per-app approval prompt because the macOS-level Accessibility permission granted once at install time covers every app. There is no geo-fence; the app runs locally and the model can be Claude, OpenAI, a local LLM via Ollama, or any Anthropic-compatible endpoint. There is no screenshot egress for the routing layer; AX tree dumps are text and stay on the machine. Terminal is a regular target, not a banned one.

Partly, and only if your work is shell-shaped. The Codex CLI is excellent at file edits, running tests, package installs, and anything you would otherwise do at a prompt. It does not click buttons in Mail, draft a Slack DM in the Slack app, edit a Figma frame, fill a form in Notion, or operate Settings. The split OpenAI ships is: 'use the CLI for code and shell, use the desktop app for GUI apps that have no API or CLI.' If your non-browser workflow is mostly typing and clicking inside GUI apps that the desktop app refuses (Terminal) or you are in a region the desktop app refuses (EEA/UK/Switzerland), neither half of Codex helps you on its own.

Three primary sources, all OpenAI-published as of May 2026: developers.openai.com/codex/app/computer-use is the Computer Use feature page, which contains the geographic exclusion, the terminal/Codex automation ban, the admin and Privacy and Security prompt restrictions, the per-app approval flow, the Always allow opt-out, and the screenshots-into-context disclosure. openai.com/index/introducing-the-codex-app/ is the launch announcement. developers.openai.com/codex/app is the broader app overview that names the platform constraint. Cross-checks: Help Net Security's April 17, 2026 piece 'Codex can now operate between apps, where are the boundaries?' and the LaoZhang AI walkthrough at blog.laozhang.ai/en/posts/codex-computer-use both confirm the same negative list, including the explicit Terminal and Codex bans.