Skip to content

Auto-approve policy: extend to codex and antigravity (interactive) #271

Description

@edwin-zvs

Context

PR #270 introduced AutoApprovePolicy (agentd_protocol::adapter::policy) — a single agentd-side rule (exposed as AGENTD_AUTO_APPROVE_PATHS, currently seeded with the per-session widgets dir) that each adapter translates into its harness's native permission mechanism.

Today:

  • Zarvis (native) — fully wired via tools::effective_risk.
  • Claude (wrapper) — fully wired via --allowed-tools "Write(<dir>/**)" / "Edit(...)" / "MultiEdit(...)" at spawn.
  • Codex (wrapper)not honored (this issue).
  • Antigravity (wrapper)not honored in interactive mode (this issue). Headless already auto-approves globally via --dangerously-skip-permissions.

Documented in docs/harnesses.md § Auto-approval policy. Inline TODO comments point back at policy.rs from each adapter.

Why it's a gap

agentd doesn't sit in the tool-call loop for wrapper harnesses — Claude/Codex/Antigravity make tool calls inside their own processes — so the only lever agentd has is what the upstream CLI accepts at spawn time:

  • Codex — exposes mode-based (approval_policy = "auto-edit" | "untrusted" | "on-failure" | "never") and sandbox-based (sandbox_workspace_write) knobs, but no path-scoped allow-list.
  • Antigravity (agy) — exposes only --dangerously-skip-permissions (global). No per-path option.

Result: a harness writing a widget into $AGENTD_SESSION_WIDGETS_DIR still triggers an in-CLI approval prompt under codex or antigravity-interactive, even though the daemon's policy says it shouldn't.

Possible approaches

In rough order of escalation:

  1. Wait for upstream — add a path-scoped allow-list to codex and agy. Cleanest long-term; out of our hands.
  2. Per-session CODEX_HOME / antigravity home with injected config — agentd writes a fresh config file per session. Already-tracked-by-adapter for resume-id capture; would need to also write the config. Risk: cuts the session off from the user's global config (login, model prefs, etc.) unless we copy/merge.
  3. --config key=value injection at spawn — codex's CLI accepts -c key=value overrides. We could flip codex into --auto-edit when the policy is non-empty. Trade-off: broader than the policy intends (auto-approves all edits, not just under the allowed dirs).
  4. Intercept tool calls in agentd — wrap the harness's stdio/PTY and enforce the policy ourselves. Big surface, brittle against upstream output changes; not realistic for the PTY-driven interactive paths.

Acceptance

Any one of:

  • An upstream codex / antigravity feature for path-scoped permissions, wired through the existing AutoApprovePolicy helpers — preferred.
  • A documented opt-in (e.g. agentd config flag) that flips codex into --auto-edit when the policy is non-empty, with an explicit warning that the broadening is global per session.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions