Codex CLI: Smart Approvals with Guardian Subagent Routing
CodexCodex CLI 0.115.0 introduces Smart Approvals guardian routing, allowing review requests to be handled by a dedicated guardian subagent rather than interrupting the primary agent on every turn. Available across core, app-server, and TUI, the feature reduces repetitive approval setup in long-running sessions where the same permission types recur. This brings Codex's approval model closer to the structured, context-aware delegation frameworks common in enterprise security tooling.
Sources & Mentions
3 external resources covering this update
Smart Approvals: Guardian Subagent Routing
Codex CLI 0.115.0 overhauls how Smart Approvals are handled during agent sessions. Previously, approval requests β such as permission grants for network access, filesystem writes, or shell commands β would interrupt the current agent turn and require direct user input each time they arose. In long-running sessions involving repeated operations of the same type, this created friction: the same decision had to be made multiple times with no memory of prior grants.
With 0.115.0, Smart Approvals can now route review requests through a guardian subagent. The guardian handles approval decision-making independently, preserving context from prior approvals and reducing repeated setup work on follow-up turns. Per the release notes, this specifically targets scenarios where "repeated setup work on follow-up approvals" was the friction point.
Scope Across Deployment Surfaces
The guardian routing feature is available across all three Codex deployment contexts:
- Core agent β for developers running Codex interactively in the terminal
- App-server β for programmatic clients integrating over JSON-RPC
- TUI β for terminal user interface sessions
Consistent availability across all three surfaces means the improvement applies regardless of how Codex is invoked, whether in interactive development sessions or automated pipelines.
A More Structured Approval Model
The guardian subagent model introduces a layer of programmatic delegation between the human operator and the agent's approval requests. Rather than all decisions flowing directly to the user, the guardian can resolve certain approvals based on established session context β a pattern familiar from enterprise security tooling where trust and delegation frameworks handle permission escalation.
For developers using Codex in agentic, long-running contexts β automated code review, multi-file refactoring, CI-adjacent tasks β this significantly reduces the approval-related interruptions that previously disrupted flow. The guardian does not bypass security; it batches and contextualizes approvals rather than eliminating the approval step entirely.