Add Smart Approvals guardian review across core, app-server, and TUI

[charley-oai]

Summary

• add approvals_reviewer = "user" | "guardian_subagent" as the runtime control for who reviews approval requests
• route Smart Approvals guardian review through core for command execution, file changes, managed-network approvals, MCP approvals, and delegated/subagent approval flows
• expose guardian review in app-server with temporary unstable item/autoApprovalReview/{started,completed} notifications carrying targetItemId, review, and action
• update the TUI so Smart Approvals can be enabled from /experimental, aligned with the matching /approvals mode, and surfaced clearly while reviews are pending or resolved

Runtime model

This PR does not introduce a new approval_policy.

Instead:

• approval_policy still controls when approval is needed
• approvals_reviewer controls who reviewable approval requests are routed to:
  • user
  • guardian_subagent

guardian_subagent is a carefully prompted reviewer subagent that gathers relevant context and applies a risk-based decision framework before approving or denying the request.

The smart_approvals feature flag is a rollout/UI gate. Core runtime behavior keys off approvals_reviewer.

When Smart Approvals is enabled from the TUI, it also switches the current /approvals settings to the matching Smart Approvals mode so users immediately see guardian review in the active thread:

• approval_policy = on-request
• approvals_reviewer = guardian_subagent
• sandbox_mode = workspace-write

Users can still change /approvals afterward.

Config-load behavior stays intentionally narrow:

• plain smart_approvals = true in config.toml remains just the rollout/UI gate and does not auto-set approvals_reviewer
• the deprecated guardian_approval = true alias migration does backfill approvals_reviewer = "guardian_subagent" in the same scope when that reviewer is not already configured there, so old configs preserve their original guardian-enabled behavior

ARC remains a separate safety check. For MCP tool approvals, ARC escalations now flow into the configured reviewer instead of always bypassing guardian and forcing manual review.

Config stability

The runtime reviewer override is stable, but the config-backed app-server protocol shape is still settling.

• thread/start, thread/resume, and turn/start keep stable approvalsReviewer overrides
• the config-backed approvals_reviewer exposure returned via config/read (including profile-level config) is now marked [UNSTABLE] / experimental in the app-server protocol until we are more confident in that config surface

App-server surface

This PR intentionally keeps the guardian app-server shape narrow and temporary.

It adds generic unstable lifecycle notifications:

• item/autoApprovalReview/started
• item/autoApprovalReview/completed

with payloads of the form:

• { threadId, turnId, targetItemId, review, action? }

review is currently:

• { status, riskScore?, riskLevel?, rationale? }
• where status is one of inProgress, approved, denied, or aborted

action carries the guardian action summary payload from core when available. This lets clients render temporary standalone pending-review UI, including parallel reviews, even when the underlying tool item has not been emitted yet.

These notifications are explicitly documented as [UNSTABLE] and expected to change soon.

This PR does not persist guardian review state onto thread/read tool items. The intended follow-up is to attach guardian review state to the reviewed tool item lifecycle instead, which would improve consistency with manual approvals and allow thread history / reconnect flows to replay guardian review state directly.

TUI behavior

• /experimental exposes the rollout gate as Smart Approvals
• enabling it in the TUI enables the feature and switches the current session to the matching Smart Approvals /approvals mode
• disabling it in the TUI clears the persisted approvals_reviewer override when appropriate and returns the session to default manual review when the effective reviewer changes
• /approvals still exposes the reviewer choice directly
• the TUI renders:
  • pending guardian review state in the live status footer, including parallel review aggregation
  • resolved approval/denial state in history

Scope notes

This PR includes the supporting core/runtime work needed to make Smart Approvals usable end-to-end:

• shell / unified-exec / apply_patch / managed-network / MCP guardian review
• delegated/subagent approval routing into guardian review
• guardian review risk metadata and action summaries for app-server/TUI
• config/profile/TUI handling for smart_approvals, guardian_approval alias migration, and approvals_reviewer
• a small internal cleanup of delegated approval forwarding to dedupe fallback paths and simplify guardian-vs-parent approval waiting (no intended behavior change)

Out of scope for this PR:

• redesigning the existing manual approval protocol shapes
• persisting guardian review state onto app-server ThreadItems
• delegated MCP elicitation auto-review (the current delegated MCP guardian shim only covers the legacy RequestUserInput path)

codex resume 019ce3ee-69e2-7d62-bb67-0bc5792ebc31

[charley-oai]

@codex review this

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Chef's kiss.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[charley-oai]

@codex review this

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Nice work!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[charley-oai]

@codex review this

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c7cc80234b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[charley-oai]

@codex review this

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Hooray!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[charley-oai]

@codex review this

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Can't wait for the next one!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".