mirror of
https://github.com/openai/codex.git
synced 2026-04-24 22:54:54 +00:00
c6f68c9df8
This introduces a new feature to Codex when it operates as an MCP
_client_ where if an MCP _server_ replies that it has an entry named
`"codex/sandbox-state"` in its _server capabilities_, then Codex will
send it an MCP notification with the following structure:
```json
{
"method": "codex/sandbox-state/update",
"params": {
"sandboxPolicy": {
"type": "workspace-write",
"network-access": false,
"exclude-tmpdir-env-var": false
"exclude-slash-tmp": false
},
"codexLinuxSandboxExe": null,
"sandboxCwd": "/Users/mbolin/code/codex2"
}
}
```
or with whatever values are appropriate for the initial `sandboxPolicy`.
**NOTE:** Codex _should_ continue to send the MCP server notifications
of the same format if these things change over the lifetime of the
thread, but that isn't wired up yet.
The result is that `shell-tool-mcp` can consume these values so that
when it calls `codex_core::exec::process_exec_tool_call()` in
`codex-rs/exec-server/src/posix/escalate_server.rs`, it is now sure to
call it with the correct values (whereas previously we relied on
hardcoded values).
While I would argue this is a supported use case within the MCP
protocol, the `rmcp` crate that we are using today does not support
custom notifications. As such, I had to patch it and I submitted it for
review, so hopefully it will be accepted in some form:
https://github.com/modelcontextprotocol/rust-sdk/pull/556
To test out this change from end-to-end:
- I ran `cargo build` in `~/code/codex2/codex-rs/exec-server`
- I built the fork of Bash in `~/code/bash/bash`
- I added the following to my `~/.codex/config.toml`:
```toml
# Use with `codex --disable shell_tool`.
[mcp_servers.execshell]
args = ["--bash", "/Users/mbolin/code/bash/bash"]
command = "/Users/mbolin/code/codex2/codex-rs/target/debug/codex-exec-mcp-server"
```
- From `~/code/codex2/codex-rs`, I ran `just codex --disable shell_tool`
- When the TUI started up, I verified that the sandbox mode is
`workspace-write`
- I ran `/mcp` to verify that the shell tool from the MCP is there:
<img width="1387" height="1400" alt="image"
src="https://github.com/user-attachments/assets/1a8addcc-5005-4e16-b59f-95cfd06fd4ab"
/>
- Then I asked it:
> what is the output of `gh issue list`
because this should be auto-approved with our existing dummy policy:
af63e6eccc/codex-rs/exec-server/src/posix.rs (L157-L164)
And it worked:
<img width="1387" height="1400" alt="image"
src="https://github.com/user-attachments/assets/7568d2f7-80da-4d68-86d0-c265a6f5e6c1"
/>
289 lines
7.4 KiB
TOML
289 lines
7.4 KiB
TOML
[workspace]
|
|
members = [
|
|
"backend-client",
|
|
"ansi-escape",
|
|
"async-utils",
|
|
"app-server",
|
|
"app-server-protocol",
|
|
"app-server-test-client",
|
|
"apply-patch",
|
|
"arg0",
|
|
"feedback",
|
|
"codex-backend-openapi-models",
|
|
"cloud-tasks",
|
|
"cloud-tasks-client",
|
|
"cli",
|
|
"common",
|
|
"core",
|
|
"exec",
|
|
"exec-server",
|
|
"execpolicy",
|
|
"execpolicy-legacy",
|
|
"keyring-store",
|
|
"file-search",
|
|
"linux-sandbox",
|
|
"lmstudio",
|
|
"login",
|
|
"mcp-server",
|
|
"mcp-types",
|
|
"ollama",
|
|
"process-hardening",
|
|
"protocol",
|
|
"rmcp-client",
|
|
"responses-api-proxy",
|
|
"stdio-to-uds",
|
|
"otel",
|
|
"tui",
|
|
"utils/git",
|
|
"utils/cache",
|
|
"utils/image",
|
|
"utils/json-to-toml",
|
|
"utils/pty",
|
|
"utils/readiness",
|
|
"utils/string",
|
|
]
|
|
resolver = "2"
|
|
|
|
[workspace.package]
|
|
version = "0.0.0"
|
|
# Track the edition for all workspace crates in one place. Individual
|
|
# crates can still override this value, but keeping it here means new
|
|
# crates created with `cargo new -w ...` automatically inherit the 2024
|
|
# edition.
|
|
edition = "2024"
|
|
|
|
[workspace.dependencies]
|
|
# Internal
|
|
app_test_support = { path = "app-server/tests/common" }
|
|
codex-ansi-escape = { path = "ansi-escape" }
|
|
codex-app-server = { path = "app-server" }
|
|
codex-app-server-protocol = { path = "app-server-protocol" }
|
|
codex-apply-patch = { path = "apply-patch" }
|
|
codex-arg0 = { path = "arg0" }
|
|
codex-async-utils = { path = "async-utils" }
|
|
codex-backend-client = { path = "backend-client" }
|
|
codex-chatgpt = { path = "chatgpt" }
|
|
codex-common = { path = "common" }
|
|
codex-core = { path = "core" }
|
|
codex-exec = { path = "exec" }
|
|
codex-execpolicy = { path = "execpolicy" }
|
|
codex-feedback = { path = "feedback" }
|
|
codex-file-search = { path = "file-search" }
|
|
codex-git = { path = "utils/git" }
|
|
codex-keyring-store = { path = "keyring-store" }
|
|
codex-linux-sandbox = { path = "linux-sandbox" }
|
|
codex-lmstudio = { path = "lmstudio" }
|
|
codex-login = { path = "login" }
|
|
codex-mcp-server = { path = "mcp-server" }
|
|
codex-ollama = { path = "ollama" }
|
|
codex-otel = { path = "otel" }
|
|
codex-process-hardening = { path = "process-hardening" }
|
|
codex-protocol = { path = "protocol" }
|
|
codex-responses-api-proxy = { path = "responses-api-proxy" }
|
|
codex-rmcp-client = { path = "rmcp-client" }
|
|
codex-stdio-to-uds = { path = "stdio-to-uds" }
|
|
codex-tui = { path = "tui" }
|
|
codex-utils-cache = { path = "utils/cache" }
|
|
codex-utils-image = { path = "utils/image" }
|
|
codex-utils-json-to-toml = { path = "utils/json-to-toml" }
|
|
codex-utils-pty = { path = "utils/pty" }
|
|
codex-utils-readiness = { path = "utils/readiness" }
|
|
codex-utils-string = { path = "utils/string" }
|
|
codex-windows-sandbox = { path = "windows-sandbox-rs" }
|
|
core_test_support = { path = "core/tests/common" }
|
|
mcp-types = { path = "mcp-types" }
|
|
mcp_test_support = { path = "mcp-server/tests/common" }
|
|
|
|
# External
|
|
allocative = "0.3.3"
|
|
ansi-to-tui = "7.0.0"
|
|
anyhow = "1"
|
|
arboard = { version = "3", features = ["wayland-data-control"] }
|
|
askama = "0.14"
|
|
assert_cmd = "2"
|
|
assert_matches = "1.5.0"
|
|
async-channel = "2.3.1"
|
|
async-stream = "0.3.6"
|
|
async-trait = "0.1.89"
|
|
axum = { version = "0.8", default-features = false }
|
|
base64 = "0.22.1"
|
|
bytes = "1.10.1"
|
|
chardetng = "0.1.17"
|
|
chrono = "0.4.42"
|
|
clap = "4"
|
|
clap_complete = "4"
|
|
color-eyre = "0.6.3"
|
|
crossterm = "0.28.1"
|
|
ctor = "0.5.0"
|
|
derive_more = "2"
|
|
diffy = "0.4.2"
|
|
dirs = "6"
|
|
dotenvy = "0.15.7"
|
|
dunce = "1.0.4"
|
|
encoding_rs = "0.8.35"
|
|
env-flags = "0.1.1"
|
|
env_logger = "0.11.5"
|
|
escargot = "0.5"
|
|
eventsource-stream = "0.2.3"
|
|
futures = { version = "0.3", default-features = false }
|
|
http = "1.3.1"
|
|
icu_decimal = "2.1"
|
|
icu_locale_core = "2.1"
|
|
icu_provider = { version = "2.1", features = ["sync"] }
|
|
ignore = "0.4.23"
|
|
image = { version = "^0.25.8", default-features = false }
|
|
indexmap = "2.12.0"
|
|
insta = "1.43.2"
|
|
itertools = "0.14.0"
|
|
keyring = { version = "3.6", default-features = false }
|
|
landlock = "0.4.1"
|
|
lazy_static = "1"
|
|
libc = "0.2.175"
|
|
log = "0.4"
|
|
lru = "0.12.5"
|
|
maplit = "1.0.2"
|
|
mime_guess = "2.0.5"
|
|
multimap = "0.10.0"
|
|
notify = "8.2.0"
|
|
nucleo-matcher = "0.3.1"
|
|
once_cell = "1.20.2"
|
|
openssl-sys = "*"
|
|
opentelemetry = "0.30.0"
|
|
opentelemetry-appender-tracing = "0.30.0"
|
|
opentelemetry-otlp = "0.30.0"
|
|
opentelemetry-semantic-conventions = "0.30.0"
|
|
opentelemetry_sdk = "0.30.0"
|
|
os_info = "3.12.0"
|
|
owo-colors = "4.2.0"
|
|
path-absolutize = "3.1.1"
|
|
pathdiff = "0.2"
|
|
portable-pty = "0.9.0"
|
|
predicates = "3"
|
|
pretty_assertions = "1.4.1"
|
|
pulldown-cmark = "0.10"
|
|
rand = "0.9"
|
|
ratatui = "0.29.0"
|
|
ratatui-macros = "0.6.0"
|
|
regex-lite = "0.1.7"
|
|
regex = "1.11.1"
|
|
reqwest = "0.12"
|
|
rmcp = { version = "0.9.0", default-features = false }
|
|
schemars = "0.8.22"
|
|
seccompiler = "0.5.0"
|
|
serde = "1"
|
|
serde_json = "1"
|
|
serde_with = "3.14"
|
|
serial_test = "3.2.0"
|
|
sha1 = "0.10.6"
|
|
sha2 = "0.10"
|
|
shlex = "1.3.0"
|
|
similar = "2.7.0"
|
|
socket2 = "0.6.0"
|
|
starlark = "0.13.0"
|
|
strum = "0.27.2"
|
|
strum_macros = "0.27.2"
|
|
supports-color = "3.0.2"
|
|
sys-locale = "0.3.2"
|
|
tempfile = "3.23.0"
|
|
test-log = "0.2.18"
|
|
textwrap = "0.16.2"
|
|
thiserror = "2.0.17"
|
|
time = "0.3"
|
|
tiny_http = "0.12"
|
|
tokio = "1"
|
|
tokio-stream = "0.1.17"
|
|
tokio-test = "0.4"
|
|
tokio-util = "0.7.16"
|
|
toml = "0.9.5"
|
|
toml_edit = "0.23.4"
|
|
tonic = "0.13.1"
|
|
tracing = "0.1.41"
|
|
tracing-appender = "0.2.3"
|
|
tracing-subscriber = "0.3.20"
|
|
tracing-test = "0.2.5"
|
|
tree-sitter = "0.25.10"
|
|
tree-sitter-bash = "0.25"
|
|
tree-sitter-highlight = "0.25.10"
|
|
ts-rs = "11"
|
|
uds_windows = "1.1.0"
|
|
unicode-segmentation = "1.12.0"
|
|
unicode-width = "0.2"
|
|
url = "2"
|
|
urlencoding = "2.1"
|
|
uuid = "1"
|
|
vt100 = "0.16.2"
|
|
walkdir = "2.5.0"
|
|
webbrowser = "1.0"
|
|
which = "6"
|
|
wildmatch = "2.5.0"
|
|
|
|
wiremock = "0.6"
|
|
zeroize = "1.8.2"
|
|
|
|
[workspace.lints]
|
|
rust = {}
|
|
|
|
[workspace.lints.clippy]
|
|
expect_used = "deny"
|
|
identity_op = "deny"
|
|
manual_clamp = "deny"
|
|
manual_filter = "deny"
|
|
manual_find = "deny"
|
|
manual_flatten = "deny"
|
|
manual_map = "deny"
|
|
manual_memcpy = "deny"
|
|
manual_non_exhaustive = "deny"
|
|
manual_ok_or = "deny"
|
|
manual_range_contains = "deny"
|
|
manual_retain = "deny"
|
|
manual_strip = "deny"
|
|
manual_try_fold = "deny"
|
|
manual_unwrap_or = "deny"
|
|
needless_borrow = "deny"
|
|
needless_borrowed_reference = "deny"
|
|
needless_collect = "deny"
|
|
needless_late_init = "deny"
|
|
needless_option_as_deref = "deny"
|
|
needless_question_mark = "deny"
|
|
needless_update = "deny"
|
|
redundant_clone = "deny"
|
|
redundant_closure = "deny"
|
|
redundant_closure_for_method_calls = "deny"
|
|
redundant_static_lifetimes = "deny"
|
|
trivially_copy_pass_by_ref = "deny"
|
|
uninlined_format_args = "deny"
|
|
unnecessary_filter_map = "deny"
|
|
unnecessary_lazy_evaluations = "deny"
|
|
unnecessary_sort_by = "deny"
|
|
unnecessary_to_owned = "deny"
|
|
unwrap_used = "deny"
|
|
|
|
# cargo-shear cannot see the platform-specific openssl-sys usage, so we
|
|
# silence the false positive here instead of deleting a real dependency.
|
|
[workspace.metadata.cargo-shear]
|
|
ignored = ["icu_provider", "openssl-sys", "codex-utils-readiness"]
|
|
|
|
[profile.release]
|
|
lto = "fat"
|
|
# Because we bundle some of these executables with the TypeScript CLI, we
|
|
# remove everything to make the binary as small as possible.
|
|
strip = "symbols"
|
|
|
|
# See https://github.com/openai/codex/issues/1411 for details.
|
|
codegen-units = 1
|
|
|
|
[profile.ci-test]
|
|
debug = 1 # Reduce debug symbol size
|
|
inherits = "test"
|
|
opt-level = 0
|
|
|
|
[patch.crates-io]
|
|
# Uncomment to debug local changes.
|
|
# ratatui = { path = "../../ratatui" }
|
|
crossterm = { git = "https://github.com/nornagon/crossterm", branch = "nornagon/color-query" }
|
|
ratatui = { git = "https://github.com/nornagon/ratatui", branch = "nornagon-v0.29.0-patch" }
|
|
rmcp = { git = "https://github.com/bolinfest/rust-sdk", branch = "pr556" }
|
|
|
|
# Uncomment to debug local changes.
|
|
# rmcp = { path = "../../rust-sdk/crates/rmcp" }
|