Codex agent host: forking, subagent rendering, single approvals chip, auto-review denial surfacing#325263
Merged
Merged
Conversation
eef6bba to
1375a45
Compare
54bc9c3 to
b94ba41
Compare
1375a45 to
516fd61
Compare
b94ba41 to
3ba296c
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Adds the hand-written Codex agent-host features built on the 0.142.0 protocol regeneration.
Changes:
- Adds session forking and subagent transcript rendering.
- Introduces unified Codex permission presets and pickers.
- Surfaces guardian denials and improves attachment/terminal rendering.
Show a summary per file
| File | Description |
|---|---|
src/vs/platform/agentHost/common/agentService.ts |
Defines the Codex provider ID. |
src/vs/platform/agentHost/common/codexSessionConfigKeys.ts |
Defines permission presets and validation. |
src/vs/platform/agentHost/node/codex/codexAgent.ts |
Implements forking, permissions, and denial handling. |
src/vs/platform/agentHost/node/codex/codexGuardianReview.ts |
Converts guardian reviews into notices and approvals. |
src/vs/platform/agentHost/node/codex/codexMapAppServerEvents.ts |
Maps updated Codex and subagent events. |
src/vs/platform/agentHost/node/codex/codexPromptResolver.ts |
Handles embedded textual resources. |
src/vs/platform/agentHost/node/codex/codexProxyService.ts |
Routes guardian requests to a primary model. |
src/vs/platform/agentHost/node/codex/codexSessionConfigKeys.ts |
Resolves permission presets into Codex axes. |
src/vs/platform/agentHost/node/codex/codexShellCommand.ts |
Unwraps shell command wrappers. |
src/vs/platform/agentHost/test/node/codex/codexGuardianReview.test.ts |
Tests guardian review parsing. |
src/vs/platform/agentHost/test/node/codex/codexMapAppServerEvents.test.ts |
Tests event and subagent mapping. |
src/vs/platform/agentHost/test/node/codex/codexPromptResolver.test.ts |
Tests embedded-resource prompts. |
src/vs/platform/agentHost/test/node/codex/codexProxyService.test.ts |
Tests reviewer-model routing. |
src/vs/platform/agentHost/test/node/codex/codexSessionConfigKeys.test.ts |
Tests permission preset resolution. |
src/vs/sessions/contrib/providers/agentHost/browser/agentHostCodexApprovalsPicker.ts |
Adds the Codex approvals picker. |
src/vs/sessions/contrib/providers/agentHost/browser/agentHostPermissionPickerDelegate.ts |
Recognizes Codex preset schemas. |
src/vs/sessions/contrib/providers/agentHost/browser/agentHostSessionConfigPicker.ts |
Registers Codex approval chips. |
src/vs/workbench/contrib/chat/browser/agentSessions/agentHost/agentHostChatInputPicker.ts |
Adds preset icons and descriptions. |
src/vs/workbench/contrib/chat/browser/agentSessions/agentHost/agentHostSessionHandler.ts |
Inlines dirty editor content for Codex. |
src/vs/workbench/contrib/chat/browser/widget/chatContentParts/toolInvocationParts/chatTerminalToolProgressPart.ts |
Corrects denied-command terminal styling. |
Review details
- Files reviewed: 20/20 changed files
- Comments generated: 7
- Review effort level: Medium
lszomoru
previously approved these changes
Jul 10, 2026
516fd61 to
2b8da97
Compare
6c9fa17 to
34183c6
Compare
cc58068 to
d000d79
Compare
… auto-review denial surfacing The Codex agent-host feature work, stacked on top of the 0.142.0 protocol regeneration. This PR is the hand-written half of the stack — the generated protocol client lives in the PR below and is excluded from this diff. Highlights: - Forking: create-chat fork source wired through the Codex agent so a session can be forked from a prior turn. - Subagent results render properly in the chat transcript of a Codex session. - A single "approvals" permission chip replacing the sprawl of per-axis pickers, mapping to the documented Codex presets (Default permissions / Auto-review / Full access) across the sandbox + approval-policy + reviewer axes. - Auto-review (guardian) denials are surfaced as a durable, reload-safe notice plus an "Approve anyway" card, attributed to the correct turn, with the OS shell wrapper unwrapped so the command matches the terminal pill. - Consumer adaptations required by the 0.142.0 breaking protocol changes (discriminated DynamicToolSpec, the new `openai/form` elicitation mode, required userMessage.clientId / McpServerStatus.serverInfo). - Inline unsaved/dirty editor content as textual embedded resources; drop the no-op Autopilot mode; terminal tool-call rendering cleanup; AHP protocol state bump for the new session-config keys. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Address Copilot code-review findings on the Codex agent host forking and permission-resolution paths: - Resolve session permissions from the RAW persisted config rather than the validated config (which always materializes the default PermissionsPreset), so a legacy session that only stored sandboxMode/approvalPolicy axes is not silently escalated (e.g. read-only -> workspace-write) on resume. - Fork now inherits the source session's effective permissions instead of resetting to the Default preset; an explicit fork override still wins. - Reject an unresolvable fork boundary instead of silently keeping the full history and branching from the thread tip. - Seed the forked session's host->codex turn-id map from the forked thread's authoritative kept turns so a later edit/truncate of an inherited turn can resolve its app-server turn id and roll back correctly. Extract the pure fork decision logic into codexForkPlan.ts and cover it with codexForkPlan.test.ts (10 unit tests). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
resolveSessionConfig previously returned only the visible {Mode,
PermissionsPreset} keys. Since that return REPLACES the stored session
config on restore, a pre-preset session that persisted only the raw
sandboxMode/approvalPolicy axes (e.g. read-only) had a materialized
permissionsPreset='default' inserted on top of it and lost its legacy
axes, silently resuming as workspace-write. It also dropped every other
persisted setting (reasoning effort, personality, …) back to defaults.
Fix: preserve the full persisted config and migrate only the permission
axes. An explicit preset is kept; legacy axes that map exactly onto a
preset are migrated to it; legacy axes with no equivalent preset (e.g.
read-only) are preserved verbatim with no preset so resolveCodexPermissions
keeps applying the legacy fallback (no escalation).
Adds presetForResolvedPermissions (common, protocol-free) and
migrateCodexPermissionValues (node) plus regression tests.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…bagent rendering - Default-permission sessions no longer inherit a stale 'never' approval policy, so commands correctly hit the workspace-write sandbox approval prompt instead of running unsandboxed. - Coalesce a sandbox pre-flight command with its post-approval re-run so the terminal box renders once instead of twice, and preserve command boxes across a session switch (replay/rehydrate parity). - Render Codex subagents as nested read-only peer chats and route their tool calls through the shared approval flow, matching the Copilot agent host. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Command/tool output that an agent pastes into a fenced code block no longer overflows horizontally off the right edge. Thread an optional codeBlockRenderOptions through the chat list renderer options and enable word-wrap for response code blocks in the Agents window, so long single-line output wraps within the block instead of requiring horizontal scrolling. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1ea358d to
cc055b2
Compare
benvillalobos
previously approved these changes
Jul 10, 2026
roblourens
previously approved these changes
Jul 10, 2026
Monaco's default wrappingIndent ('same') prepends the source line's
leading indentation to each wrapped continuation as real whitespace.
For indented tool-output lines (e.g. pretty-printed JSON values) this
injects spaces into the rendered code block's DOM textContent at every
wrap boundary, splitting tokens mid-word. That broke the Agents Window
AgentHost sandbox smoke tests, which match the reply token in the
serialized response text (deterministically on Linux, where font
metrics wrap those lines). Set wrappingIndent to 'none' so wrapped
continuations start at column 1 with no injected whitespace, while
still wrapping long lines to fix horizontal overflow.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
roblourens
approved these changes
Jul 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The hand-written half of the Codex agent-host work. The large generated protocol client is in #325262 and is excluded from this diff, so what remains here is the actual logic.
Highlights
DynamicToolSpec, the newopenai/formelicitation mode, requireduserMessage.clientId/McpServerStatus.serverInfo.Validation
npm run typecheck-clientclean; full node unit suite green (Codex guardian/proxy/prompt/config suites included).