How do you guys work with Codex in auto-approval mode?

Hi everyone, quick question. I’m using Codex in allowed repositories with permissions set to auto-approve. I’ve noticed that when Codex needs to run CLI commands or similar actions, it often first hits a sandbox permission error, then retries with an elevated permission request, gets auto-approved, and only then runs the command. Is there a way to configure Codex so that, when auto-approval is enabled, it requests elevated permissions upfront for commands that need them? I tried adding this to the instructions, but the results are inconsistent and the logic gets messy. Maybe I’m missing a setting or a better approach.