maja-openai a5ebedef67 Bypass review for always-allow MCP tools in auto-review (#20069) ...

## Why

When an MCP or app tool is configured with approval mode `approve`
(always allow), users expect that decision to be authoritative. In
guardian auto-review mode, ARC could still return `ask-user`, which then
routed the approval question into guardian with the ARC reason as
context. That meant a tool explicitly configured as always allowed still
went through both safety monitors before running.

This change keeps the existing ARC behavior for non-auto-review
sessions, but avoids the ARC-to-guardian sequence when
`approvals_reviewer = auto_review` and the tool approval mode is
`approve`.

## What changed

- Short-circuit MCP tool approval handling when `approval_mode ==
approve` and `approvals_reviewer == auto_review`.
- Updated the MCP approval regression test so the auto-review case
asserts neither ARC nor guardian is called.
- Preserved existing tests that verify ARC can still block always-allow
MCP tools outside guardian auto-review mode.

## Verification

- `cargo test -p codex-core --lib mcp_tool_call`

2026-04-30 16:44:09 -07:00

..

src

Bypass review for always-allow MCP tools in auto-review (#20069)

2026-04-30 16:44:09 -07:00

BUILD.bazel

Extract MCP into codex-mcp crate (#15919)

2026-04-01 19:03:26 -07:00

Cargo.toml

[codex] Prune unused codex-mcp API and duplicate helpers (#19524)

2026-04-25 06:36:07 -07:00