From be0b8a19471d47860476261e04185669fc833cf6 Mon Sep 17 00:00:00 2001 From: NagyVikt Date: Sun, 10 May 2026 01:37:17 +0200 Subject: [PATCH] Clarify approval limits for finish automation Guardex owns the repo-side finish flow, but Codex host policy still controls external remote side effects. The managed AGENTS block now tells agents to request one narrow finish-flow approval instead of retrying raw push or PR commands. Constraint: Codex host approval policy cannot be bypassed from repo code Rejected: Add a push bypass in gx | host-side policy intercepts commands before repo code can run Confidence: high Scope-risk: narrow Directive: Keep publish guidance routed through gx branch finish; do not teach raw git push retries as the workaround Tested: node --test test/setup.test.js Tested: openspec validate --specs Co-authored-by: OmX --- AGENTS.md | 6 ++++++ .../.openspec.yaml | 4 ++++ .../notes.md | 16 ++++++++++++++++ templates/AGENTS.multiagent-safety.md | 6 ++++++ test/setup.test.js | 3 +++ 5 files changed, 35 insertions(+) create mode 100644 openspec/changes/agent-codex-codex-approval-policy-guidance-2026-05-10-01-30/.openspec.yaml create mode 100644 openspec/changes/agent-codex-codex-approval-policy-guidance-2026-05-10-01-30/notes.md diff --git a/AGENTS.md b/AGENTS.md index 157ac67..af3c8c1 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -650,6 +650,12 @@ If anything blocks, append a `BLOCKED:` note and stop. Do not half-finish. OMX completion policy: when a task is done, the agent must run `gx branch finish --branch "" --via-pr --wait-for-merge --cleanup` (or `gx finish --all`) instead of standalone `git push` / `gh pr` commands. The finish flow owns commit, push, PR creation/update, merge wait, and sandbox cleanup. +External approval boundary: + +- Guardex cannot bypass Codex host approval prompts or external-remote policy decisions. +- When the host blocks a publish or finish command, request approval for the narrow `gx branch finish ...` command, or for the exact session wrapper that invokes it, and continue after approval. +- Do not replace the finish flow with repeated standalone `git push` / `gh pr` attempts. That increases approval churn and can strand PR, merge, or cleanup state. + ### Parallel safety Assume other agents edit nearby. diff --git a/openspec/changes/agent-codex-codex-approval-policy-guidance-2026-05-10-01-30/.openspec.yaml b/openspec/changes/agent-codex-codex-approval-policy-guidance-2026-05-10-01-30/.openspec.yaml new file mode 100644 index 0000000..eb8bbd1 --- /dev/null +++ b/openspec/changes/agent-codex-codex-approval-policy-guidance-2026-05-10-01-30/.openspec.yaml @@ -0,0 +1,4 @@ +id: agent-codex-codex-approval-policy-guidance-2026-05-10-01-30 +tier: T1 +kind: docs +status: active diff --git a/openspec/changes/agent-codex-codex-approval-policy-guidance-2026-05-10-01-30/notes.md b/openspec/changes/agent-codex-codex-approval-policy-guidance-2026-05-10-01-30/notes.md new file mode 100644 index 0000000..83bbf3a --- /dev/null +++ b/openspec/changes/agent-codex-codex-approval-policy-guidance-2026-05-10-01-30/notes.md @@ -0,0 +1,16 @@ +# Codex Approval Policy Guidance + +## Problem + +Agents can mistake Guardex finish automation for permission to bypass Codex host approval gates when pushing to external remotes. + +## Change + +- Clarify the managed AGENTS completion policy: Guardex cannot bypass Codex host approvals or external-remote policy decisions. +- Route blocked publish work through one narrow `gx branch finish ...` approval instead of repeated standalone `git push` / `gh pr` attempts. +- Add setup coverage so generated AGENTS blocks keep this wording. + +## Verification + +- `node --test test/setup.test.js` - pass, 43 tests +- `openspec validate --specs` - pass, no spec items to validate diff --git a/templates/AGENTS.multiagent-safety.md b/templates/AGENTS.multiagent-safety.md index 0af48dc..bf86b77 100644 --- a/templates/AGENTS.multiagent-safety.md +++ b/templates/AGENTS.multiagent-safety.md @@ -317,6 +317,12 @@ If anything blocks, append a `BLOCKED:` note and stop. Do not half-finish. OMX completion policy: when a task is done, the agent must run `gx branch finish --branch "" --via-pr --wait-for-merge --cleanup` (or `gx finish --all`) instead of standalone `git push` / `gh pr` commands. The finish flow owns commit, push, PR creation/update, merge wait, and sandbox cleanup. +External approval boundary: + +- Guardex cannot bypass Codex host approval prompts or external-remote policy decisions. +- When the host blocks a publish or finish command, request approval for the narrow `gx branch finish ...` command, or for the exact session wrapper that invokes it, and continue after approval. +- Do not replace the finish flow with repeated standalone `git push` / `gh pr` attempts. That increases approval churn and can strand PR, merge, or cleanup state. + ### Parallel safety Assume other agents edit nearby. diff --git a/test/setup.test.js b/test/setup.test.js index f51f7ca..426fd81 100644 --- a/test/setup.test.js +++ b/test/setup.test.js @@ -871,6 +871,9 @@ test('install configures AGENTS managed policy block with GX contract wording', /OMX completion policy: when a task is done, the agent must run `gx branch finish --branch "" --via-pr --wait-for-merge --cleanup`/, ); assert.match(agentsContent, /instead of standalone `git push` \/ `gh pr` commands/); + assert.match(agentsContent, /External approval boundary:/); + assert.match(agentsContent, /Guardex cannot bypass Codex host approval prompts/); + assert.match(agentsContent, /request approval for the narrow `gx branch finish \.\.\.` command/); assert.match(agentsContent, /### Colony coordination loop/); assert.match(agentsContent, /### Token \/ context budget/); assert.match(agentsContent, /### Caveman style/);