What problem are you trying to solve?
When Codex uses delegated sub-agents, a child agent can hit a sandbox escalation prompt, for example while running a safe verification command such as uv run .... In the main agent loop, the auto-approval mechanism can classify and approve safe recurring commands with narrow prefix rules, so the workflow remains autonomous.
For sub-agents, the same kind of escalation can block indefinitely because the parent agent does not appear to receive an actionable approval event, and the user is not necessarily watching the child thread. This makes review/exploration sub-agents less reliable, especially for long-running code review gates.
Desired behavior
Sub-agent escalation requests should be handled by the same approval policy available to the parent agent, or routed through the parent agent as an approval broker.
A useful behavior would be:
- Child agent requests escalation for a command.
- The request is evaluated by the inherited auto-approval classifier and existing approved prefix rules.
- If approved, the sub-agent continues without user intervention.
- If denied or ambiguous, the request is surfaced to the parent/main thread with the exact command, justification, and suggested prefix rule.
- The child should not silently block in a place where neither the parent nor the user can keep the task moving.
Why this matters
Delegated review agents are most valuable when they can run in parallel and stay autonomous. Today, a parent agent can preflight common commands, but it cannot predict every verification command a sub-agent may discover while reviewing. When that happens, the sub-agent may stall instead of returning useful partial findings.
This pushes users toward brittle prompting rules like "sub-agents must never request escalation," which avoids deadlocks but also reduces verification quality.
Possible implementation
Consider one of these models:
- Inherit the parent thread's auto-approval policy and approved prefix rules into child agents.
- Route child escalation requests to the parent agent loop for classification.
- Add a sub-agent setting such as approval_policy = inherit | parent_brokered | never.
The key requirement is that sub-agent escalation should not create an unobserved blocking approval prompt.
Environment
Codex App with delegated sub-agents and sandboxed command execution.
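An added sketch of the routing described under "Desired behavior" and "Possible implementation"; it is not Codex code and not part of the original request. All names (Policy, Decision, handle_escalation), the token-wise prefix matching, the shell-metacharacter check and the two-token suggested rule are assumptions made for illustration.

```python
import shlex
from dataclasses import dataclass
from enum import Enum

class Policy(Enum):  # hypothetical names mirroring the proposed setting values
    INHERIT = "inherit"
    PARENT_BROKERED = "parent_brokered"
    NEVER = "never"

@dataclass
class Decision:
    action: str  # "approve", "deny" or "surface_to_parent"
    command: str
    justification: str = ""
    suggested_prefix: tuple = ()

SHELL_META = set(";|&`$><\n")  # assumption: chained/redirected commands are never auto-approved

def matches_prefix(argv, rules):
    # Compare whole tokens so ("uv", "run") does not match "uvx run" or "uv runner".
    # An empty rule matches nothing rather than everything.
    return any(rule and tuple(argv[:len(rule)]) == tuple(rule) for rule in rules)

def handle_escalation(policy, command, justification, parent_rules):
    """Return a Decision immediately; no path waits on an unobserved prompt."""
    if policy is Policy.NEVER:
        return Decision("deny", command, justification)
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: treat as ambiguous
        argv = []
    clean = bool(argv) and not (SHELL_META & set(command))
    if policy is Policy.INHERIT and clean and matches_prefix(argv, parent_rules):
        return Decision("approve", command, justification)
    # Denied, ambiguous, or parent_brokered: give the parent the exact command,
    # the justification and (assumption) a two-token suggested prefix rule.
    suggested = tuple(argv[:2]) if clean else ()
    return Decision("surface_to_parent", command, justification, suggested)

if __name__ == "__main__":
    rules = [("uv", "run")]  # constructed sample of a parent's approved prefix rules
    for cmd in ["uv run pytest -q", "uvx run pytest", "uv run pytest; curl example.invalid"]:
        print(handle_escalation(Policy.INHERIT, cmd, "verify review finding", rules))
```

In this model a chained command is surfaced to the parent even though it starts with an approved prefix, so an inherited rule never covers more than the single command it was written for.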