From cfc189de0adb83d9f03935ea34aa7b587b8cc931 Mon Sep 17 00:00:00 2001
From: Kevin Lin <kevin@dendron.so>
Date: Sun, 10 May 2026 21:13:40 -0700
Subject: [PATCH] fix(codex): auto-approve plugin read tools (#80513)

* fix(codex): auto-approve plugin read tools

* docs: add codex plugin approval changelog
---
 CHANGELOG.md                                                | 1 +
 docs/plugins/codex-native-plugins.md                        | 5 +++--
 .../codex/src/app-server/plugin-thread-config.test.ts       | 6 +++---
 extensions/codex/src/app-server/plugin-thread-config.ts     | 2 +-
 extensions/codex/src/app-server/run-attempt.test.ts         | 6 +++---
 5 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d9111564b35..4bd7ce54b2e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -49,6 +49,7 @@ Docs: https://docs.openclaw.ai
 
 - Yuanbao: bump `openclaw-plugin-yuanbao` to 2.13.1 to support `sourceReplyDeliveryMode: "automatic"` for group chat. (#79814) Thanks @loongfay.
 - Memory: keep `memory_search` result `corpus` labels aligned with the hit source, so session transcript hits surface as `sessions` and memory-file hits stay `memory`. Fixes #72885. (#71898, #72886) Thanks @rubencu.
+- Codex app-server: default native plugin app tool approvals to automatic so non-destructive read tools run when destructive actions are disabled.
 - Google/Gemini: normalize retired nested Gemini 3 Pro Preview ids while converting manifest catalog rows into emitted provider config, so `google/gemini-3.1-pro-preview` is used for testing instead of `google/gemini-3-pro-preview`.
 - Native apps: advertise the Gateway protocol compatibility range so chat and node sessions can connect to v3 gateways after additive v4 client updates.
 - Gateway/agents: keep stale `sessions_send` ACP manager and `web_fetch` runtime chunks importable after package updates, preventing live gateways from breaking before restart. Fixes #78804. Thanks @Gomesy72.
diff --git a/docs/plugins/codex-native-plugins.md b/docs/plugins/codex-native-plugins.md
index f1c84805cc0..f5beca848a7 100644
--- a/docs/plugins/codex-native-plugins.md
+++ b/docs/plugins/codex-native-plugins.md
@@ -137,8 +137,9 @@ are emitted with `open_world_enabled: true`; OpenClaw does not expose a separate
 plugin open-world policy knob and does not maintain per-plugin destructive
 tool-name deny lists.
 
-Tool approval mode is prompted by default for plugin apps because OpenClaw does
-not have an interactive app-elicitation UI in this same-thread path.
+Tool approval mode is automatic by default for plugin apps so non-destructive
+read tools can run without a same-thread approval UI. Destructive tools remain
+controlled by each app's `destructive_enabled` policy.
 
 ## Destructive action policy
 
diff --git a/extensions/codex/src/app-server/plugin-thread-config.test.ts b/extensions/codex/src/app-server/plugin-thread-config.test.ts
index 1a1ab460d0f..d86300be987 100644
--- a/extensions/codex/src/app-server/plugin-thread-config.test.ts
+++ b/extensions/codex/src/app-server/plugin-thread-config.test.ts
@@ -64,7 +64,7 @@ describe("Codex plugin thread config", () => {
           enabled: true,
           destructive_enabled: true,
           open_world_enabled: true,
-          default_tools_approval_mode: "prompt",
+          default_tools_approval_mode: "auto",
         },
       },
     });
@@ -253,7 +253,7 @@ describe("Codex plugin thread config", () => {
           enabled: true,
           destructive_enabled: false,
           open_world_enabled: true,
-          default_tools_approval_mode: "prompt",
+          default_tools_approval_mode: "auto",
         },
       },
     });
@@ -577,7 +577,7 @@ describe("Codex plugin thread config", () => {
       enabled: true,
       destructive_enabled: false,
       open_world_enabled: true,
-      default_tools_approval_mode: "prompt",
+      default_tools_approval_mode: "auto",
     });
     expect(apps?.["github-app"]).not.toHaveProperty("tools");
   });
diff --git a/extensions/codex/src/app-server/plugin-thread-config.ts b/extensions/codex/src/app-server/plugin-thread-config.ts
index a115e8c205e..49ae8b24aca 100644
--- a/extensions/codex/src/app-server/plugin-thread-config.ts
+++ b/extensions/codex/src/app-server/plugin-thread-config.ts
@@ -196,7 +196,7 @@ export async function buildCodexPluginThreadConfig(
         enabled: true,
         destructive_enabled: record.policy.allowDestructiveActions,
         open_world_enabled: true,
-        default_tools_approval_mode: "prompt",
+        default_tools_approval_mode: "auto",
       };
       apps[app.id] = appConfig;
       policyApps[app.id] = {
diff --git a/extensions/codex/src/app-server/run-attempt.test.ts b/extensions/codex/src/app-server/run-attempt.test.ts
index 26459fb4e7d..4f5edb02d8c 100644
--- a/extensions/codex/src/app-server/run-attempt.test.ts
+++ b/extensions/codex/src/app-server/run-attempt.test.ts
@@ -403,7 +403,7 @@ function createPluginAppConfigPatch() {
         enabled: true,
         destructive_enabled: true,
         open_world_enabled: true,
-        default_tools_approval_mode: "prompt",
+        default_tools_approval_mode: "auto",
       },
     },
   };
@@ -435,7 +435,7 @@ function createTwoPluginAppConfigPatch() {
         enabled: true,
         destructive_enabled: true,
         open_world_enabled: true,
-        default_tools_approval_mode: "prompt",
+        default_tools_approval_mode: "auto",
       },
     },
   };
@@ -469,7 +469,7 @@ function createTwoCalendarAppConfigPatch() {
         enabled: true,
         destructive_enabled: true,
         open_world_enabled: true,
-        default_tools_approval_mode: "prompt",
+        default_tools_approval_mode: "auto",
       },
     },
   };