diff --git a/packages/agent/src/adapters/codex-app-server/spawn.test.ts b/packages/agent/src/adapters/codex-app-server/spawn.test.ts index 402aaf2504..9e9f23f7f2 100644 --- a/packages/agent/src/adapters/codex-app-server/spawn.test.ts +++ b/packages/agent/src/adapters/codex-app-server/spawn.test.ts @@ -29,6 +29,9 @@ describe("buildAppServerArgs", () => { }); expect(args[0]).toBe("app-server"); + // Pin codex's guardian reviewer to the host default so it never calls the + // gateway-blocked `codex-auto-review` model. + expect(args).toContain('approvals_reviewer="user"'); expect(args).toContain('model_provider="posthog"'); expect(args).toContain( 'model_providers.posthog.base_url="https://gateway.example/v1"', diff --git a/packages/agent/src/adapters/codex-app-server/spawn.ts b/packages/agent/src/adapters/codex-app-server/spawn.ts index 2f0d81ed23..6d25686200 100644 --- a/packages/agent/src/adapters/codex-app-server/spawn.ts +++ b/packages/agent/src/adapters/codex-app-server/spawn.ts @@ -123,6 +123,13 @@ export function buildAppServerArgs( : `sandbox_mode="danger-full-access"`, ); + // The host owns approvals (surfaced via approvals.ts → requestPermission). Codex's + // guardian reviewer is on by default and routes approvals to its dedicated + // `codex-auto-review` model, which our gateway's posthog_code allowlist doesn't + // serve — so every review 403s. Default codex's own `user` reviewer; a caller can + // still override it via configOverrides, which the trailing loop appends last. + args.push("-c", `approvals_reviewer="user"`); + // Disable the user's ambient ~/.codex MCP servers so the adapter only exposes // MCP servers PostHog injects per-thread; otherwise codex fails connecting to them. for (const name of new CodexSettingsManager(