agent-approvals-security.md Codex Docs, 2026-04-23 12:28 UTC → 2026-04-23 18:31 UTC

103 103 

104For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.104For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.

105 105 

106Set `approvals_reviewer = "guardian_subagent"` to route eligible approval reviews through the Guardian reviewer subagent instead of prompting the user directly. Admin requirements can constrain this with `allowed_approvals_reviewers`.106### Automatic approval reviews

107 

108By default, approval requests route to you:

109 

110```toml

111approvals_reviewer = "user"

112```

113 

114Automatic approval reviews apply when approvals are interactive, such as

115`approval_policy = "on-request"` or a granular approval policy. Set

116`approvals_reviewer = "auto_review"` to route eligible approval requests

117through a reviewer agent before Codex runs the request:

118 

119```toml

120approval_policy = "on-request"

121approvals_reviewer = "auto_review"

122```

123 

124The reviewer evaluates only actions that already need approval, such as sandbox

125escalations, network requests, `request_permissions` prompts, or side-effecting

126app and MCP tool calls. Actions that stay inside the sandbox continue without an

127extra review step.

128 

129The reviewer policy checks for data exfiltration, credential probing, persistent

130security weakening, and destructive actions. Low-risk and medium-risk actions

131can proceed when policy allows them. The policy denies critical-risk actions.

132High-risk actions require enough user authorization and no matching deny rule.

133Timeouts, parse failures, and review errors fail closed.

134 

135The [default reviewer policy](https://github.com/openai/codex/blob/main/codex-rs/core/src/guardian/policy.md)

136is in the open-source Codex repository. Enterprises can replace its

137tenant-specific section with `guardian_policy_config` in managed requirements.

138Local `[auto_review].policy` text is also supported, but managed requirements

139take precedence. For setup details, see

140[Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-automatic-review-policy).

141 

142In the Codex app, these reviews appear as automatic review items with a status such

143as Reviewing, Approved, Denied, Stopped, or Timed out. They can also include a

144risk level for the reviewed request.

145 

146Automatic review uses extra model calls, so it can add to Codex usage. Admins

147can constrain it with `allowed_approvals_reviewers`.

107 148 

108### Common sandbox and approval combinations149### Common sandbox and approval combinations

109 150