Context
PR #270 introduced AutoApprovePolicy (agentd_protocol::adapter::policy) — a single agentd-side rule (exposed as AGENTD_AUTO_APPROVE_PATHS, currently seeded with the per-session widgets dir) that each adapter translates into its harness's native permission mechanism.
Today:
- Zarvis (native) — fully wired via
tools::effective_risk.
- Claude (wrapper) — fully wired via
--allowed-tools "Write(<dir>/**)" / "Edit(...)" / "MultiEdit(...)" at spawn.
- Codex (wrapper) — not honored (this issue).
- Antigravity (wrapper) — not honored in interactive mode (this issue). Headless already auto-approves globally via
--dangerously-skip-permissions.
Documented in docs/harnesses.md § Auto-approval policy. Inline TODO comments point back at policy.rs from each adapter.
Why it's a gap
agentd doesn't sit in the tool-call loop for wrapper harnesses — Claude/Codex/Antigravity make tool calls inside their own processes — so the only lever agentd has is what the upstream CLI accepts at spawn time:
- Codex — exposes mode-based (
approval_policy = "auto-edit" | "untrusted" | "on-failure" | "never") and sandbox-based (sandbox_workspace_write) knobs, but no path-scoped allow-list.
- Antigravity (
agy) — exposes only --dangerously-skip-permissions (global). No per-path option.
Result: a harness writing a widget into $AGENTD_SESSION_WIDGETS_DIR still triggers an in-CLI approval prompt under codex or antigravity-interactive, even though the daemon's policy says it shouldn't.
Possible approaches
In rough order of escalation:
- Wait for upstream — add a path-scoped allow-list to codex and
agy. Cleanest long-term; out of our hands.
- Per-session
CODEX_HOME / antigravity home with injected config — agentd writes a fresh config file per session. Already-tracked-by-adapter for resume-id capture; would need to also write the config. Risk: cuts the session off from the user's global config (login, model prefs, etc.) unless we copy/merge.
--config key=value injection at spawn — codex's CLI accepts -c key=value overrides. We could flip codex into --auto-edit when the policy is non-empty. Trade-off: broader than the policy intends (auto-approves all edits, not just under the allowed dirs).
- Intercept tool calls in agentd — wrap the harness's stdio/PTY and enforce the policy ourselves. Big surface, brittle against upstream output changes; not realistic for the PTY-driven interactive paths.
Acceptance
Any one of:
- An upstream codex / antigravity feature for path-scoped permissions, wired through the existing
AutoApprovePolicy helpers — preferred.
- A documented opt-in (e.g.
agentd config flag) that flips codex into --auto-edit when the policy is non-empty, with an explicit warning that the broadening is global per session.
References
Context
PR #270 introduced
AutoApprovePolicy(agentd_protocol::adapter::policy) — a single agentd-side rule (exposed asAGENTD_AUTO_APPROVE_PATHS, currently seeded with the per-session widgets dir) that each adapter translates into its harness's native permission mechanism.Today:
tools::effective_risk.--allowed-tools "Write(<dir>/**)" / "Edit(...)" / "MultiEdit(...)"at spawn.--dangerously-skip-permissions.Documented in
docs/harnesses.md§ Auto-approval policy. Inline TODO comments point back atpolicy.rsfrom each adapter.Why it's a gap
agentd doesn't sit in the tool-call loop for wrapper harnesses — Claude/Codex/Antigravity make tool calls inside their own processes — so the only lever agentd has is what the upstream CLI accepts at spawn time:
approval_policy = "auto-edit" | "untrusted" | "on-failure" | "never") and sandbox-based (sandbox_workspace_write) knobs, but no path-scoped allow-list.agy) — exposes only--dangerously-skip-permissions(global). No per-path option.Result: a harness writing a widget into
$AGENTD_SESSION_WIDGETS_DIRstill triggers an in-CLI approval prompt under codex or antigravity-interactive, even though the daemon's policy says it shouldn't.Possible approaches
In rough order of escalation:
agy. Cleanest long-term; out of our hands.CODEX_HOME/ antigravity home with injected config — agentd writes a fresh config file per session. Already-tracked-by-adapter for resume-id capture; would need to also write the config. Risk: cuts the session off from the user's global config (login, model prefs, etc.) unless we copy/merge.--config key=valueinjection at spawn — codex's CLI accepts-c key=valueoverrides. We could flip codex into--auto-editwhen the policy is non-empty. Trade-off: broader than the policy intends (auto-approves all edits, not just under the allowed dirs).Acceptance
Any one of:
AutoApprovePolicyhelpers — preferred.agentdconfig flag) that flips codex into--auto-editwhen the policy is non-empty, with an explicit warning that the broadening is global per session.References
crates/protocol/src/adapter/policy.rsdocs/harnesses.md§ Auto-approval policycrates/adapter-codex/src/main.rs(inrun_interactive),crates/adapter-antigravity/src/main.rs(abovecommand_override)