From 677999e6830e7ea5ced90ae520a258a2d5959b60 Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Wed, 22 Apr 2026 08:54:39 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@abf940db61876ff3bca1d51b777cfc9a55e6d726 --- .openclaw-sync/source.json | 4 ++-- docs/plugins/codex-harness.md | 13 ++++++++----- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 44facd4a7..f6d48e158 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "43a941b51c16e32246314a905864e188865d5d1a", - "syncedAt": "2026-04-22T08:31:59.807Z" + "sha": "abf940db61876ff3bca1d51b777cfc9a55e6d726", + "syncedAt": "2026-04-22T08:54:39.030Z" } diff --git a/docs/plugins/codex-harness.md b/docs/plugins/codex-harness.md index bcd750e53..8ba4a80bc 100644 --- a/docs/plugins/codex-harness.md +++ b/docs/plugins/codex-harness.md @@ -263,9 +263,12 @@ By default, the plugin starts Codex locally with: codex app-server --listen stdio:// ``` -By default, OpenClaw asks Codex to request native approvals. You can tune that -policy further, for example by tightening it and routing reviews through the -guardian: +By default, OpenClaw starts local Codex harness sessions fully unchained: +`approvalPolicy: "never"` and `sandbox: "danger-full-access"`. That matches the +trusted local operator posture used by the Codex CLI and lets autonomous +heartbeats use network and shell tools without waiting on an invisible native +approval path. You can tighten that policy, for example by routing reviews +through the guardian: ```json5 { @@ -320,8 +323,8 @@ Supported `appServer` fields: | `authToken` | unset | Bearer token for WebSocket transport. | | `headers` | `{}` | Extra WebSocket headers. | | `requestTimeoutMs` | `60000` | Timeout for app-server control-plane calls. | -| `approvalPolicy` | `"on-request"` | Native Codex approval policy sent to thread start/resume/turn. | -| `sandbox` | `"workspace-write"` | Native Codex sandbox mode sent to thread start/resume. | +| `approvalPolicy` | `"never"` | Native Codex approval policy sent to thread start/resume/turn. | +| `sandbox` | `"danger-full-access"` | Native Codex sandbox mode sent to thread start/resume. | | `approvalsReviewer` | `"user"` | Use `"guardian_subagent"` to let Codex guardian review native approvals. | | `serviceTier` | unset | Optional Codex service tier, for example `"priority"`. |