- Codex CLI 0.124.0 flips the old Guardian reviewer from experimental flag to stable.
- Approval prompts now go through an AI reviewer first, surfacing a risk level and one of four review statuses before the human clicks allow.
- It is OpenAI's answer to the core friction of long-running, multi-agent coding sessions.
TL;DR
On 2026-04-23, OpenAI shipped Auto-review as a stable Codex feature in codex-cli 0.124.0. Eligible approval prompts are now routed through an automatic reviewer agent before the action runs. The Codex app shows a risk level and one of four statuses — Approved, Denied, Stopped, or Timed out — so developers can judge the AI's assessment before they click allow. The goal: longer, safer autonomous workflows with dramatically fewer manual approvals.
What's new
Auto-review is the rebranded, stabilised version of what Codex used to ship as Guardian / approvals reviewer behind a feature flag. The key pull requests that flipped it stable:
- #19063 chore(auto-review) feature => stable — the flag flip itself.
- #18021 Guardian → Auto-Review rename.
- #18504 + #19056 — config + variant rebrand to auto-review.
- #19113 — protocol/SDK config compatibility.
- #18959 feat(auto-review) policy config — policy-driven evaluation.
- #18890 feat(auto-review) short-circuit — skip unnecessary reviews when the answer is obvious.
- #19050 feat(request-permissions) approve with strict review — a stricter review path for higher-risk requests.
The flow is simple: Codex is about to run a permissioned action → the reviewer agent evaluates the action in an isolated session (MCPs, plugins and hooks are explicitly disabled inside the review per #18722) → the app surfaces a risk level plus status. A Timed out review is treated as distinct from a denial and gets its own guidance (#17381, #17486, #17521, #17557).
Why it matters
Every serious Codex workflow in 2026 — parallel cloud tasks, overnight thread automations, GitHub PR babysitters, the new macOS Computer Use mode — fights the same boss: the approval dialog. One permission pop-up can freeze a 7-hour run for hours. Queue five agents in parallel and you get five streams of pop-ups competing for your attention.
Auto-review replaces that tax with a pre-judgement. Instead of agent → human decision, it becomes agent → reviewer agent → human override. The human keeps final authority, but only on the subset of actions the reviewer cannot confidently approve. That is the whole reason the tweet framed this as "longer, safer autonomous workflows with fewer approvals".
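To make the routing concrete, here is an added Python model of the agent → reviewer agent → human override flow described above, with the reviewer running on an isolated copy of the session and a timeout treated as its own outcome rather than a denial. This is illustrative code, not Codex's implementation; the read-only short-circuit list, the risk labels, and the rule that only low-risk approvals run unattended are assumptions.

```python
from concurrent.futures import ThreadPoolExecutor, TimeoutError as ReviewTimeout
from dataclasses import dataclass
from enum import Enum
import time

class Status(Enum):
    APPROVED = "Approved"
    DENIED = "Denied"
    STOPPED = "Stopped"
    TIMED_OUT = "Timed out"

@dataclass
class Session:
    transcript: list
    mcp_servers: tuple = ()
    plugins: tuple = ()
    hooks: tuple = ()

def isolated_copy(session):
    # The reviewer sees the transcript only: MCPs, plugins and hooks are stripped.
    return Session(transcript=list(session.transcript))
READ_ONLY = ("git status", "git diff", "ls ", "cat ")  # assumed short-circuit list

def route(action, session, reviewer, timeout_s=1.0):
    """Return (decision, status, risk); decision says who runs or blocks the action."""
    if action.startswith(READ_ONLY):  # obvious case: skip the reviewer entirely
        return "auto_run", Status.APPROVED, "low"
    with ThreadPoolExecutor(max_workers=1) as pool:
        fut = pool.submit(reviewer, action, isolated_copy(session))
        try:
            status, risk = fut.result(timeout=timeout_s)
        except ReviewTimeout:
            # Timed out is its own outcome, neither approval nor denial: hand to the human.
            return "ask_human", Status.TIMED_OUT, "unknown"
    if status is Status.APPROVED and risk == "low":
        return "auto_run", status, risk
    if status is Status.DENIED:
        return "blocked", status, risk  # stored denial; a human may override it later
    return "ask_human", status, risk  # Stopped, or Approved at higher risk (strict path)

def demo_reviewer(action, session):
    # Constructed stand-in for the reviewer model; asserts it really runs isolated.
    assert not (session.mcp_servers or session.plugins or session.hooks)
    if "rm -rf" in action or "| sh" in action:
        return Status.DENIED, "high"
    return Status.APPROVED, ("medium" if action.startswith("git push") else "low")

def slow_reviewer(action, session):
    time.sleep(0.3)  # simulates a review that misses its deadline
    return Status.APPROVED, "low"
```

Because the decision is a fixed tuple per outcome, the human only ever sees the subset of actions the reviewer could not clear on its own.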
Technical facts
- Stable version: codex-cli 0.124.0, released 2026-04-23 (same release as GPT-5.5 + Codex app updates).
- Statuses surfaced in the app: Approved, Denied, Stopped, Timed out.
- Isolation: MCP servers, plugins and hooks are disabled inside a review session to keep the reviewer from being influenced by external tools.
- Efficiency: follow-up reviews now send only transcript deltas instead of the full history (#17269); stable review IDs across app-server events prevent lost or duplicated tracking (#17298).
- Denied actions can be unstuck: #18955 added plumbing to manually approve stored Auto-Review denials.
- Debug config: guardian_policy_config (#18923) — the rename to auto-review is cosmetic; the internal machinery still uses Guardian naming in places.
- Analytics: dedicated guardian-review event schema, truncation metrics, TTFT plumbing (#17055, #17692, #17695, #17696).
The surrounding Codex numbers make Auto-review feel load-bearing: GPT-5.3-Codex hits 56.8% on SWE-Bench Pro, 77.3% on Terminal-Bench 2.0 (+13.3 pts over 5.2) and 64.7% on OSWorld-Verified (+26.5 pts), while running ~25% faster per task. More capability per turn means more turns, means more permission prompts — and Auto-review is the friction valve.
Comparison
The philosophical split with Claude Code is crisp:
| Approach | Claude Code | Codex Auto-review |
|---|---|---|
| Default autonomy posture | Full hand-off, --dangerously-skip-permissions / auto-approve | Human stays in loop, AI reviewer pre-judges each request |
| Who decides risk | The main agent, then the human post-hoc | A separate reviewer agent, before the action |
| Friction model | Low during task, high if it goes wrong | Moderate during task, lower blast radius |
| Best fit | Trusted deep runs, big refactors | Parallel queues, long-running autonomous loops, regulated environments |
Before Auto-review, a comparable Codex session required either (a) clicking through every prompt or (b) opting into full-access modes that OpenAI itself is uncomfortable with — GPT-5.3-Codex is the first model they classify as "High" cybersecurity risk. Auto-review is OpenAI's attempt to give developers long-run autonomy without forcing them into the unsafe default.
Use cases
- Overnight + scheduled threads. Thread automations wake the same thread on a schedule; Auto-review is what stops a run from stalling for 6 hours waiting on a single permission click.
- Parallel cloud tasks and multi-agent PR runs. Developers report queueing 4-5 Codex tasks before morning coffee; with Auto-review every action is pre-screened concurrently, and self-reported success rates on "well-scoped maintenance work" jump from roughly 40-60% to 85-90%.
- GitHub workflows. @codex mentions on PRs/Issues plus the bundled PR babysitter skill now have a real safety net — autonomous edits get a pre-flight risk read before they ship.
- Computer Use on macOS. When Codex is driving Figma, Xcode, Slack or the browser, the attack surface expands to the whole desktop. Pre-screening every click and keystroke is no longer optional.
- Teams with policy requirements. guardian_policy_config plus approve with strict review let teams standardise what counts as low/high risk across shared worktrees.
Limitations & pricing
- Still failing half of professional tasks. 56.8% SWE-Bench Pro is best-in-class but also the same reality check as every prior model. Auto-review reduces click-tax, not reviewer responsibility.
- Reviewer can time out. A timeout is not an approval — it is its own status with its own UX path. Plan for it.
- MCPs, plugins and hooks are muted inside reviews. Intentional for isolation, but it means custom context your team relies on will not be visible to the reviewer agent.
- Computer Use limits. macOS-only at launch; not available in the EU, UK or Switzerland. The Codex app itself runs on Windows since 2026-03-04.
- No GPT-5.3-Codex API yet. OpenAI delayed API access because of the High cybersecurity classification. API users stay on gpt-5.2-codex ($1.25 / 1M input, $10 / 1M output).
- Plans: bundled with ChatGPT — Plus $20/mo (30-150 msgs / 5hr window), Pro $200/mo (300-1,500 msgs), Business $25-30/user/mo, plus a new $100 Codex add-on (2× limits + GPT-5.3-Codex-Spark) live through at least 2026-05-31. Billing is token-based since 2026-04-02; agentic and image-gen tasks burn 3-5× faster than plain text.
What's next
Auto-review is the foundation, not the destination. What is signalled next:
- Full (non-localhost) in-app browser autonomy — the last gap between Codex and Claude Code's computer-use story.
- EU / UK / Switzerland rollout for Computer Use (no date committed).
- GPT-5.3-Codex API availability "once it's safely enabled."
- Enterprise agent internet access (still "coming soon").
- Agent-to-agent delegation — the real multi-agent frontier, where Auto-review policies will likely carry across delegated subtasks.
The meta-story: as coding agents gain desktop control and long-horizon autonomy, the bottleneck moves from capability to governance. Auto-review is the first shipping answer to "how does one human supervise five agents running for seven hours each" — and it will get copied fast.
Source: developers.openai.com/codex/changelog, BuildFastWithAI, AI Tool Analysis, Remio.