mirror of
https://github.com/openai/codex.git
synced 2026-04-25 15:15:15 +00:00
bc24017d64
## Summary
- add `approvals_reviewer = "user" | "guardian_subagent"` as the runtime
control for who reviews approval requests
- route Smart Approvals guardian review through core for command
execution, file changes, managed-network approvals, MCP approvals, and
delegated/subagent approval flows
- expose guardian review in app-server with temporary unstable
`item/autoApprovalReview/{started,completed}` notifications carrying
`targetItemId`, `review`, and `action`
- update the TUI so Smart Approvals can be enabled from `/experimental`,
aligned with the matching `/approvals` mode, and surfaced clearly while
reviews are pending or resolved
## Runtime model
This PR does not introduce a new `approval_policy`.
Instead:
- `approval_policy` still controls when approval is needed
- `approvals_reviewer` controls who reviewable approval requests are
routed to:
- `user`
- `guardian_subagent`
`guardian_subagent` is a carefully prompted reviewer subagent that
gathers relevant context and applies a risk-based decision framework
before approving or denying the request.
The `smart_approvals` feature flag is a rollout/UI gate. Core runtime
behavior keys off `approvals_reviewer`.
When Smart Approvals is enabled from the TUI, it also switches the
current `/approvals` settings to the matching Smart Approvals mode so
users immediately see guardian review in the active thread:
- `approval_policy = on-request`
- `approvals_reviewer = guardian_subagent`
- `sandbox_mode = workspace-write`
Users can still change `/approvals` afterward.
Config-load behavior stays intentionally narrow:
- plain `smart_approvals = true` in `config.toml` remains just the
rollout/UI gate and does not auto-set `approvals_reviewer`
- the deprecated `guardian_approval = true` alias migration does
backfill `approvals_reviewer = "guardian_subagent"` in the same scope
when that reviewer is not already configured there, so old configs
preserve their original guardian-enabled behavior
ARC remains a separate safety check. For MCP tool approvals, ARC
escalations now flow into the configured reviewer instead of always
bypassing guardian and forcing manual review.
## Config stability
The runtime reviewer override is stable, but the config-backed
app-server protocol shape is still settling.
- `thread/start`, `thread/resume`, and `turn/start` keep stable
`approvalsReviewer` overrides
- the config-backed `approvals_reviewer` exposure returned via
`config/read` (including profile-level config) is now marked
`[UNSTABLE]` / experimental in the app-server protocol until we are more
confident in that config surface
## App-server surface
This PR intentionally keeps the guardian app-server shape narrow and
temporary.
It adds generic unstable lifecycle notifications:
- `item/autoApprovalReview/started`
- `item/autoApprovalReview/completed`
with payloads of the form:
- `{ threadId, turnId, targetItemId, review, action? }`
`review` is currently:
- `{ status, riskScore?, riskLevel?, rationale? }`
- where `status` is one of `inProgress`, `approved`, `denied`, or
`aborted`
`action` carries the guardian action summary payload from core when
available. This lets clients render temporary standalone pending-review
UI, including parallel reviews, even when the underlying tool item has
not been emitted yet.
These notifications are explicitly documented as `[UNSTABLE]` and
expected to change soon.
This PR does **not** persist guardian review state onto `thread/read`
tool items. The intended follow-up is to attach guardian review state to
the reviewed tool item lifecycle instead, which would improve
consistency with manual approvals and allow thread history / reconnect
flows to replay guardian review state directly.
## TUI behavior
- `/experimental` exposes the rollout gate as `Smart Approvals`
- enabling it in the TUI enables the feature and switches the current
session to the matching Smart Approvals `/approvals` mode
- disabling it in the TUI clears the persisted `approvals_reviewer`
override when appropriate and returns the session to default manual
review when the effective reviewer changes
- `/approvals` still exposes the reviewer choice directly
- the TUI renders:
- pending guardian review state in the live status footer, including
parallel review aggregation
- resolved approval/denial state in history
## Scope notes
This PR includes the supporting core/runtime work needed to make Smart
Approvals usable end-to-end:
- shell / unified-exec / apply_patch / managed-network / MCP guardian
review
- delegated/subagent approval routing into guardian review
- guardian review risk metadata and action summaries for app-server/TUI
- config/profile/TUI handling for `smart_approvals`, `guardian_approval`
alias migration, and `approvals_reviewer`
- a small internal cleanup of delegated approval forwarding to dedupe
fallback paths and simplify guardian-vs-parent approval waiting (no
intended behavior change)
Out of scope for this PR:
- redesigning the existing manual approval protocol shapes
- persisting guardian review state onto app-server `ThreadItem`s
- delegated MCP elicitation auto-review (the current delegated MCP
guardian shim only covers the legacy `RequestUserInput` path)
---------
Co-authored-by: Codex <noreply@openai.com>
619 lines
15 KiB
JSON
619 lines
15 KiB
JSON
{
|
|
"$schema": "http://json-schema.org/draft-07/schema#",
|
|
"definitions": {
|
|
"AbsolutePathBuf": {
|
|
"description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
|
|
"type": "string"
|
|
},
|
|
"ApprovalsReviewer": {
|
|
"description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
|
|
"enum": [
|
|
"user",
|
|
"guardian_subagent"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"AskForApproval": {
|
|
"oneOf": [
|
|
{
|
|
"enum": [
|
|
"untrusted",
|
|
"on-failure",
|
|
"on-request",
|
|
"never"
|
|
],
|
|
"type": "string"
|
|
},
|
|
{
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"granular": {
|
|
"properties": {
|
|
"mcp_elicitations": {
|
|
"type": "boolean"
|
|
},
|
|
"request_permissions": {
|
|
"default": false,
|
|
"type": "boolean"
|
|
},
|
|
"rules": {
|
|
"type": "boolean"
|
|
},
|
|
"sandbox_approval": {
|
|
"type": "boolean"
|
|
},
|
|
"skill_approval": {
|
|
"default": false,
|
|
"type": "boolean"
|
|
}
|
|
},
|
|
"required": [
|
|
"mcp_elicitations",
|
|
"rules",
|
|
"sandbox_approval"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"granular"
|
|
],
|
|
"title": "GranularAskForApproval",
|
|
"type": "object"
|
|
}
|
|
]
|
|
},
|
|
"ByteRange": {
|
|
"properties": {
|
|
"end": {
|
|
"format": "uint",
|
|
"minimum": 0.0,
|
|
"type": "integer"
|
|
},
|
|
"start": {
|
|
"format": "uint",
|
|
"minimum": 0.0,
|
|
"type": "integer"
|
|
}
|
|
},
|
|
"required": [
|
|
"end",
|
|
"start"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"CollaborationMode": {
|
|
"description": "Collaboration mode for a Codex session.",
|
|
"properties": {
|
|
"mode": {
|
|
"$ref": "#/definitions/ModeKind"
|
|
},
|
|
"settings": {
|
|
"$ref": "#/definitions/Settings"
|
|
}
|
|
},
|
|
"required": [
|
|
"mode",
|
|
"settings"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"ModeKind": {
|
|
"description": "Initial collaboration mode to use when the TUI starts.",
|
|
"enum": [
|
|
"plan",
|
|
"default"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"NetworkAccess": {
|
|
"enum": [
|
|
"restricted",
|
|
"enabled"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"Personality": {
|
|
"enum": [
|
|
"none",
|
|
"friendly",
|
|
"pragmatic"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"ReadOnlyAccess": {
|
|
"oneOf": [
|
|
{
|
|
"properties": {
|
|
"includePlatformDefaults": {
|
|
"default": true,
|
|
"type": "boolean"
|
|
},
|
|
"readableRoots": {
|
|
"default": [],
|
|
"items": {
|
|
"$ref": "#/definitions/AbsolutePathBuf"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"type": {
|
|
"enum": [
|
|
"restricted"
|
|
],
|
|
"title": "RestrictedReadOnlyAccessType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"type"
|
|
],
|
|
"title": "RestrictedReadOnlyAccess",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"type": {
|
|
"enum": [
|
|
"fullAccess"
|
|
],
|
|
"title": "FullAccessReadOnlyAccessType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"type"
|
|
],
|
|
"title": "FullAccessReadOnlyAccess",
|
|
"type": "object"
|
|
}
|
|
]
|
|
},
|
|
"ReasoningEffort": {
|
|
"description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
|
|
"enum": [
|
|
"none",
|
|
"minimal",
|
|
"low",
|
|
"medium",
|
|
"high",
|
|
"xhigh"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"ReasoningSummary": {
|
|
"description": "A summary of the reasoning performed by the model. This can be useful for debugging and understanding the model's reasoning process. See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#reasoning-summaries",
|
|
"oneOf": [
|
|
{
|
|
"enum": [
|
|
"auto",
|
|
"concise",
|
|
"detailed"
|
|
],
|
|
"type": "string"
|
|
},
|
|
{
|
|
"description": "Option to disable reasoning summaries.",
|
|
"enum": [
|
|
"none"
|
|
],
|
|
"type": "string"
|
|
}
|
|
]
|
|
},
|
|
"SandboxPolicy": {
|
|
"oneOf": [
|
|
{
|
|
"properties": {
|
|
"type": {
|
|
"enum": [
|
|
"dangerFullAccess"
|
|
],
|
|
"title": "DangerFullAccessSandboxPolicyType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"type"
|
|
],
|
|
"title": "DangerFullAccessSandboxPolicy",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"access": {
|
|
"allOf": [
|
|
{
|
|
"$ref": "#/definitions/ReadOnlyAccess"
|
|
}
|
|
],
|
|
"default": {
|
|
"type": "fullAccess"
|
|
}
|
|
},
|
|
"networkAccess": {
|
|
"default": false,
|
|
"type": "boolean"
|
|
},
|
|
"type": {
|
|
"enum": [
|
|
"readOnly"
|
|
],
|
|
"title": "ReadOnlySandboxPolicyType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"type"
|
|
],
|
|
"title": "ReadOnlySandboxPolicy",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"networkAccess": {
|
|
"allOf": [
|
|
{
|
|
"$ref": "#/definitions/NetworkAccess"
|
|
}
|
|
],
|
|
"default": "restricted"
|
|
},
|
|
"type": {
|
|
"enum": [
|
|
"externalSandbox"
|
|
],
|
|
"title": "ExternalSandboxSandboxPolicyType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"type"
|
|
],
|
|
"title": "ExternalSandboxSandboxPolicy",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"excludeSlashTmp": {
|
|
"default": false,
|
|
"type": "boolean"
|
|
},
|
|
"excludeTmpdirEnvVar": {
|
|
"default": false,
|
|
"type": "boolean"
|
|
},
|
|
"networkAccess": {
|
|
"default": false,
|
|
"type": "boolean"
|
|
},
|
|
"readOnlyAccess": {
|
|
"allOf": [
|
|
{
|
|
"$ref": "#/definitions/ReadOnlyAccess"
|
|
}
|
|
],
|
|
"default": {
|
|
"type": "fullAccess"
|
|
}
|
|
},
|
|
"type": {
|
|
"enum": [
|
|
"workspaceWrite"
|
|
],
|
|
"title": "WorkspaceWriteSandboxPolicyType",
|
|
"type": "string"
|
|
},
|
|
"writableRoots": {
|
|
"default": [],
|
|
"items": {
|
|
"$ref": "#/definitions/AbsolutePathBuf"
|
|
},
|
|
"type": "array"
|
|
}
|
|
},
|
|
"required": [
|
|
"type"
|
|
],
|
|
"title": "WorkspaceWriteSandboxPolicy",
|
|
"type": "object"
|
|
}
|
|
]
|
|
},
|
|
"ServiceTier": {
|
|
"enum": [
|
|
"fast",
|
|
"flex"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"Settings": {
|
|
"description": "Settings for a collaboration mode.",
|
|
"properties": {
|
|
"developer_instructions": {
|
|
"type": [
|
|
"string",
|
|
"null"
|
|
]
|
|
},
|
|
"model": {
|
|
"type": "string"
|
|
},
|
|
"reasoning_effort": {
|
|
"anyOf": [
|
|
{
|
|
"$ref": "#/definitions/ReasoningEffort"
|
|
},
|
|
{
|
|
"type": "null"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"required": [
|
|
"model"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"TextElement": {
|
|
"properties": {
|
|
"byteRange": {
|
|
"allOf": [
|
|
{
|
|
"$ref": "#/definitions/ByteRange"
|
|
}
|
|
],
|
|
"description": "Byte range in the parent `text` buffer that this element occupies."
|
|
},
|
|
"placeholder": {
|
|
"description": "Optional human-readable placeholder for the element, displayed in the UI.",
|
|
"type": [
|
|
"string",
|
|
"null"
|
|
]
|
|
}
|
|
},
|
|
"required": [
|
|
"byteRange"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"UserInput": {
|
|
"oneOf": [
|
|
{
|
|
"properties": {
|
|
"text": {
|
|
"type": "string"
|
|
},
|
|
"text_elements": {
|
|
"default": [],
|
|
"description": "UI-defined spans within `text` used to render or persist special elements.",
|
|
"items": {
|
|
"$ref": "#/definitions/TextElement"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"type": {
|
|
"enum": [
|
|
"text"
|
|
],
|
|
"title": "TextUserInputType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"text",
|
|
"type"
|
|
],
|
|
"title": "TextUserInput",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"type": {
|
|
"enum": [
|
|
"image"
|
|
],
|
|
"title": "ImageUserInputType",
|
|
"type": "string"
|
|
},
|
|
"url": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"type",
|
|
"url"
|
|
],
|
|
"title": "ImageUserInput",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"path": {
|
|
"type": "string"
|
|
},
|
|
"type": {
|
|
"enum": [
|
|
"localImage"
|
|
],
|
|
"title": "LocalImageUserInputType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"path",
|
|
"type"
|
|
],
|
|
"title": "LocalImageUserInput",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"name": {
|
|
"type": "string"
|
|
},
|
|
"path": {
|
|
"type": "string"
|
|
},
|
|
"type": {
|
|
"enum": [
|
|
"skill"
|
|
],
|
|
"title": "SkillUserInputType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"name",
|
|
"path",
|
|
"type"
|
|
],
|
|
"title": "SkillUserInput",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"name": {
|
|
"type": "string"
|
|
},
|
|
"path": {
|
|
"type": "string"
|
|
},
|
|
"type": {
|
|
"enum": [
|
|
"mention"
|
|
],
|
|
"title": "MentionUserInputType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"name",
|
|
"path",
|
|
"type"
|
|
],
|
|
"title": "MentionUserInput",
|
|
"type": "object"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"properties": {
|
|
"approvalPolicy": {
|
|
"anyOf": [
|
|
{
|
|
"$ref": "#/definitions/AskForApproval"
|
|
},
|
|
{
|
|
"type": "null"
|
|
}
|
|
],
|
|
"description": "Override the approval policy for this turn and subsequent turns."
|
|
},
|
|
"approvalsReviewer": {
|
|
"anyOf": [
|
|
{
|
|
"$ref": "#/definitions/ApprovalsReviewer"
|
|
},
|
|
{
|
|
"type": "null"
|
|
}
|
|
],
|
|
"description": "Override where approval requests are routed for review on this turn and subsequent turns."
|
|
},
|
|
"cwd": {
|
|
"description": "Override the working directory for this turn and subsequent turns.",
|
|
"type": [
|
|
"string",
|
|
"null"
|
|
]
|
|
},
|
|
"effort": {
|
|
"anyOf": [
|
|
{
|
|
"$ref": "#/definitions/ReasoningEffort"
|
|
},
|
|
{
|
|
"type": "null"
|
|
}
|
|
],
|
|
"description": "Override the reasoning effort for this turn and subsequent turns."
|
|
},
|
|
"input": {
|
|
"items": {
|
|
"$ref": "#/definitions/UserInput"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"model": {
|
|
"description": "Override the model for this turn and subsequent turns.",
|
|
"type": [
|
|
"string",
|
|
"null"
|
|
]
|
|
},
|
|
"outputSchema": {
|
|
"description": "Optional JSON Schema used to constrain the final assistant message for this turn."
|
|
},
|
|
"personality": {
|
|
"anyOf": [
|
|
{
|
|
"$ref": "#/definitions/Personality"
|
|
},
|
|
{
|
|
"type": "null"
|
|
}
|
|
],
|
|
"description": "Override the personality for this turn and subsequent turns."
|
|
},
|
|
"sandboxPolicy": {
|
|
"anyOf": [
|
|
{
|
|
"$ref": "#/definitions/SandboxPolicy"
|
|
},
|
|
{
|
|
"type": "null"
|
|
}
|
|
],
|
|
"description": "Override the sandbox policy for this turn and subsequent turns."
|
|
},
|
|
"serviceTier": {
|
|
"anyOf": [
|
|
{
|
|
"anyOf": [
|
|
{
|
|
"$ref": "#/definitions/ServiceTier"
|
|
},
|
|
{
|
|
"type": "null"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"type": "null"
|
|
}
|
|
],
|
|
"description": "Override the service tier for this turn and subsequent turns."
|
|
},
|
|
"summary": {
|
|
"anyOf": [
|
|
{
|
|
"$ref": "#/definitions/ReasoningSummary"
|
|
},
|
|
{
|
|
"type": "null"
|
|
}
|
|
],
|
|
"description": "Override the reasoning summary for this turn and subsequent turns."
|
|
},
|
|
"threadId": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"input",
|
|
"threadId"
|
|
],
|
|
"title": "TurnStartParams",
|
|
"type": "object"
|
|
} |