# meridian-privilege-escalation
| Field | Value |
|---|---|
| name | meridian-privilege-escalation |
| type | reference |
| description | Use when a spawned agent fails because of sandbox restrictions, missing tools, harness limitations, or insufficient permissions, and you need to change the spawn configuration to unblock it. |
Meridian agents run with constrained permissions by default: sandboxed filesystems, restricted tools, harness-specific limitations. When a spawn can't complete its task because of these constraints, you can escalate permissions per-spawn without changing the agent profile.

Prefer the least-privilege escalation that unblocks the task. Try targeted fixes first (--sandbox full-access, --approval auto) before broad overrides (--approval yolo, --sandbox danger-full-access). Broad overrides disable safety checks entirely; if you're reaching for yolo or danger-full-access, surface the situation to the user first and let them approve the escalation. An autonomous agent silently granting itself maximum permissions defeats the purpose of having tiers.
## Sandbox Tiers

The --sandbox flag controls Codex's process sandboxing: filesystem, network, and process isolation. Other harnesses (Claude, OpenCode) don't have sandbox tiers; see Approval Modes and Model/Harness Switching below for how to escalate permissions on those.
Tiers from most to least restrictive:
| Tier | What it allows |
|---|---|
| read-only | Read files only. No writes, no process execution. |
| workspace-write | Read/write within the workspace. No network listeners, no access outside the project. |
| full-access | Full filesystem and process access. |
| danger-full-access | Like full-access with reduced safety checks. |
Override per-spawn:

```bash
meridian spawn -a coder --sandbox full-access --prompt-file integration-tests.md --bg
```
Agent profiles set a default tier (e.g. sandbox: workspace-write). The --sandbox flag overrides it for that specific spawn only. The tier passes through directly to Codex's --sandbox flag.
## Approval Modes

The --approval flag controls how the harness handles tool-call approvals:
| Mode | Behavior |
|---|---|
| default | Harness decides (each harness has its own default policy). |
| confirm | User approves each tool call. |
| auto | Auto-approve safe operations, prompt for dangerous ones. |
| yolo | Approve everything. No prompts. |
Override per-spawn:

```bash
meridian spawn -a coder --approval auto --prompt-file task.md --bg
meridian spawn -a coder --approval yolo --prompt-file task.md --bg  # use yolo sparingly
```
## Model/Harness Switching

Different models route to different harnesses, and each harness has a different capability profile. Switching the model can bypass harness-level restrictions entirely. Treat that as a broad override, not a targeted fix: it removes the sandbox rather than narrowing it, so surface it to the user as you would yolo or danger-full-access.
```bash
# Some harnesses have sandboxes that restrict network binding
meridian spawn -a coder -m <sandboxed-model> --prompt-file task.md --bg
# Switching to a harness without sandbox restrictions sidesteps the issue
meridian spawn -a coder -m <unsandboxed-model> --prompt-file task.md --bg
```
Run meridian mars models list to see which models route to which harness.
## Common Failures and Fixes

"Can't bind to a port / start a server"
- On Codex: the sandbox restricts network listeners. Use --sandbox full-access or higher.
- On Claude: not sandbox-restricted. Check whether the tool is in the allowedTools list, or use --approval auto.

"Can't write files outside workspace"
- On Codex: the sandbox restricts filesystem scope. Use --sandbox full-access for that spawn.
- On Claude: escalate to the user; they can approve --approval yolo or --sandbox danger-full-access for that spawn.

"Can't access the network / fetch URLs"
- On Codex: sandbox or tool restriction. Ensure WebFetch/WebSearch are in the agent's tools list, or escalate the sandbox.
- On Claude: ensure the agent profile includes the WebFetch/WebSearch tools.

"Permission denied on tool call"
- The approval mode is blocking. Try --approval auto first; if that's not enough, surface to the user before using --approval yolo.

"Context too small for the task"
- A model limitation. Switch to a model with a larger context window via -m.
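The least-privilege ladder from the introduction and the failure-to-fix mapping in this section, written out as an added example (not Meridian's own code): a small Python planner that picks the narrowest override not yet tried for a given failure, marks the broad ones that must wait for the user's approval, and audits a composed spawn command for such overrides. The harness keys ("codex", "claude") and the symptom keys are constructed labels; spawn_argv emits only the flags shown on this page.

```python
# Added example, not Meridian's own code. Harness and symptom keys are constructed labels
# for the failure messages listed above.
# Broad overrides that disable safety checks entirely: never applied without user approval.
USER_GATED = {("--sandbox", "danger-full-access"), ("--approval", "yolo")}

# Failure symptom -> harness -> overrides to try, narrowest first (from the sections above).
PLAYBOOK = {
    "cannot_bind_port": {
        "codex": [("--sandbox", "full-access")],
        "claude": [("--approval", "auto")],
    },
    "cannot_write_outside_workspace": {
        "codex": [("--sandbox", "full-access")],
        "claude": [("--approval", "yolo"), ("--sandbox", "danger-full-access")],
    },
    # Same ladder on both harnesses: auto first, yolo only after the user approves it.
    "permission_denied_tool_call": dict.fromkeys(
        ["codex", "claude"], [("--approval", "auto"), ("--approval", "yolo")]),
}

def plan_escalation(harness, symptom, already_tried=()):
    """Return (flag, value, needs_user_approval) for the narrowest override not yet tried,
    or None once the playbook for this symptom is exhausted."""
    for override in PLAYBOOK[symptom][harness]:
        if override not in already_tried:
            flag, value = override
            return flag, value, override in USER_GATED
    return None

def spawn_argv(agent, prompt_file, overrides=(), model=None, background=True):
    """Build argv for a per-spawn override; the agent profile's defaults are left unchanged."""
    argv = ["meridian", "spawn", "-a", agent, "--prompt-file", prompt_file]
    if model:
        argv += ["-m", model]
    for flag, value in overrides:
        argv += [flag, value]
    if background:
        argv.append("--bg")
    return argv

def gated_overrides(argv):
    """Audit a composed spawn command: the broad overrides it carries (empty set = no user gate)."""
    return {pair for pair in zip(argv, argv[1:]) if pair in USER_GATED}

if __name__ == "__main__":
    # Walk the ladder for a blocked tool call on Codex; the yolo step is printed as user-gated.
    tried = []
    while step := plan_escalation("codex", "permission_denied_tool_call", tried):
        flag, value, gated = step
        cmd = " ".join(spawn_argv("coder", "task.md", [(flag, value)]))
        print(("NEEDS USER APPROVAL: " if gated else "auto-apply: ") + cmd)
        tried.append((flag, value))
```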