recodeee · NagyVikt · May 9, 2026 · May 9, 2026
@@ -650,6 +650,12 @@ If anything blocks, append a `BLOCKED:` note and stop. Do not half-finish.
 
 OMX completion policy: when a task is done, the agent must run `gx branch finish --branch "<agent-branch>" --via-pr --wait-for-merge --cleanup` (or `gx finish --all`) instead of standalone `git push` / `gh pr` commands. The finish flow owns commit, push, PR creation/update, merge wait, and sandbox cleanup.
 
+External approval boundary:
+
+- Guardex cannot bypass Codex host approval prompts or external-remote policy decisions.
+- When the host blocks a publish or finish command, request approval for the narrow `gx branch finish ...` command, or for the exact session wrapper that invokes it, and continue after approval.
+- Do not replace the finish flow with repeated standalone `git push` / `gh pr` attempts. That increases approval churn and can strand PR, merge, or cleanup state.
+
 ### Parallel safety
 
 Assume other agents edit nearby.

@@ -0,0 +1,4 @@
+id: agent-codex-codex-approval-policy-guidance-2026-05-10-01-30
+tier: T1
+kind: docs
+status: active
@@ -0,0 +1,16 @@
+# Codex Approval Policy Guidance
+
+## Problem
+
+Agents can mistake Guardex finish automation for permission to bypass Codex host approval gates when pushing to external remotes.
+
+## Change
+
+- Clarify the managed AGENTS completion policy: Guardex cannot bypass Codex host approvals or external-remote policy decisions.
+- Route blocked publish work through one narrow `gx branch finish ...` approval instead of repeated standalone `git push` / `gh pr` attempts.
+- Add setup coverage so generated AGENTS blocks keep this wording.
+
+## Verification
+
+- `node --test test/setup.test.js` - pass, 43 tests
+- `openspec validate --specs` - pass, no spec items to validate
@@ -317,6 +317,12 @@ If anything blocks, append a `BLOCKED:` note and stop. Do not half-finish.
 
 OMX completion policy: when a task is done, the agent must run `gx branch finish --branch "<agent-branch>" --via-pr --wait-for-merge --cleanup` (or `gx finish --all`) instead of standalone `git push` / `gh pr` commands. The finish flow owns commit, push, PR creation/update, merge wait, and sandbox cleanup.
 
+External approval boundary:
+
+- Guardex cannot bypass Codex host approval prompts or external-remote policy decisions.
+- When the host blocks a publish or finish command, request approval for the narrow `gx branch finish ...` command, or for the exact session wrapper that invokes it, and continue after approval.
+- Do not replace the finish flow with repeated standalone `git push` / `gh pr` attempts. That increases approval churn and can strand PR, merge, or cleanup state.
+
 ### Parallel safety
 
 Assume other agents edit nearby.

@@ -871,6 +871,9 @@ test('install configures AGENTS managed policy block with GX contract wording',
     /OMX completion policy: when a task is done, the agent must run `gx branch finish --branch "<agent-branch>" --via-pr --wait-for-merge --cleanup`/,
   );
   assert.match(agentsContent, /instead of standalone `git push` \/ `gh pr` commands/);
+  assert.match(agentsContent, /External approval boundary:/);
+  assert.match(agentsContent, /Guardex cannot bypass Codex host approval prompts/);
+  assert.match(agentsContent, /request approval for the narrow `gx branch finish \.\.\.` command/);
   assert.match(agentsContent, /### Colony coordination loop/);
   assert.match(agentsContent, /### Token \/ context budget/);
   assert.match(agentsContent, /### Caveman style/);