diff --git a/codex-rs/app-server/README.md b/codex-rs/app-server/README.md index 7959c61aa..5ada34049 100644 --- a/codex-rs/app-server/README.md +++ b/codex-rs/app-server/README.md @@ -168,7 +168,7 @@ Example with notification opt-out: - `skills/changed` — notification emitted when watched local skill files change. - `app/list` — list available apps. - `skills/config/write` — write user-level skill config by path. -- `plugin/install` — install a plugin from a discovered marketplace entry, rejecting marketplace entries marked unavailable for install, and return the effective plugin auth policy plus any apps that still need auth (**under development; do not call from production clients yet**). +- `plugin/install` — install a plugin from a discovered marketplace entry, rejecting marketplace entries marked unavailable for install, install MCPs if any, and return the effective plugin auth policy plus any apps that still need auth (**under development; do not call from production clients yet**). - `plugin/uninstall` — uninstall a plugin by id by removing its cached files and clearing its user-level config entry (**under development; do not call from production clients yet**). - `mcpServer/oauth/login` — start an OAuth login for a configured MCP server; returns an `authorization_url` and later emits `mcpServer/oauthLogin/completed` once the browser flow finishes. - `tool/requestUserInput` — prompt the user with 1–3 short questions for a tool call and return their answers (experimental). diff --git a/codex-rs/app-server/src/codex_message_processor.rs b/codex-rs/app-server/src/codex_message_processor.rs index 19efc8800..58c2b0642 100644 --- a/codex-rs/app-server/src/codex_message_processor.rs +++ b/codex-rs/app-server/src/codex_message_processor.rs @@ -228,6 +228,7 @@ use codex_core::plugins::PluginInstallRequest; use codex_core::plugins::PluginReadRequest; use codex_core::plugins::PluginUninstallError as CorePluginUninstallError; use codex_core::plugins::load_plugin_apps; +use codex_core::plugins::load_plugin_mcp_servers; use codex_core::read_head_for_summary; use codex_core::read_session_meta_line; use codex_core::rollout_date_parts; @@ -311,6 +312,7 @@ use codex_app_server_protocol::ServerRequest; mod apps_list_helpers; mod plugin_app_helpers; +mod plugin_mcp_oauth; use crate::filters::compute_source_filters; use crate::filters::source_kind_matches; @@ -4587,20 +4589,28 @@ impl CodexMessageProcessor { } }; - let configured_servers = self - .thread_manager - .mcp_manager() - .configured_servers(&config); + if let Err(error) = self.queue_mcp_server_refresh_for_config(&config).await { + self.outgoing.send_error(request_id, error).await; + return; + } + + let response = McpServerRefreshResponse {}; + self.outgoing.send_response(request_id, response).await; + } + + async fn queue_mcp_server_refresh_for_config( + &self, + config: &Config, + ) -> Result<(), JSONRPCErrorError> { + let configured_servers = self.thread_manager.mcp_manager().configured_servers(config); let mcp_servers = match serde_json::to_value(configured_servers) { Ok(value) => value, Err(err) => { - let error = JSONRPCErrorError { + return Err(JSONRPCErrorError { code: INTERNAL_ERROR_CODE, message: format!("failed to serialize MCP servers: {err}"), data: None, - }; - self.outgoing.send_error(request_id, error).await; - return; + }); } }; @@ -4608,15 +4618,13 @@ impl CodexMessageProcessor { match serde_json::to_value(config.mcp_oauth_credentials_store_mode) { Ok(value) => value, Err(err) => { - let error = JSONRPCErrorError { + return Err(JSONRPCErrorError { code: INTERNAL_ERROR_CODE, message: format!( "failed to serialize MCP OAuth credentials store mode: {err}" ), data: None, - }; - self.outgoing.send_error(request_id, error).await; - return; + }); } }; @@ -4629,8 +4637,7 @@ impl CodexMessageProcessor { // active turn to avoid work for threads that never resume. let thread_manager = Arc::clone(&self.thread_manager); thread_manager.refresh_mcp_servers(refresh_config).await; - let response = McpServerRefreshResponse {}; - self.outgoing.send_response(request_id, response).await; + Ok(()) } async fn mcp_server_oauth_login( @@ -5742,6 +5749,22 @@ impl CodexMessageProcessor { self.config.as_ref().clone() } }; + + self.clear_plugin_related_caches(); + + let plugin_mcp_servers = load_plugin_mcp_servers(result.installed_path.as_path()); + + if !plugin_mcp_servers.is_empty() { + if let Err(err) = self.queue_mcp_server_refresh_for_config(&config).await { + warn!( + plugin = result.plugin_id.as_key(), + "failed to queue MCP refresh after plugin install: {err:?}" + ); + } + self.start_plugin_mcp_oauth_logins(&config, plugin_mcp_servers) + .await; + } + let plugin_apps = load_plugin_apps(result.installed_path.as_path()); let apps_needing_auth = if plugin_apps.is_empty() || !config.features.apps_enabled(Some(&self.auth_manager)).await @@ -5802,7 +5825,6 @@ impl CodexMessageProcessor { ) }; - self.clear_plugin_related_caches(); self.outgoing .send_response( request_id, diff --git a/codex-rs/app-server/src/codex_message_processor/plugin_mcp_oauth.rs b/codex-rs/app-server/src/codex_message_processor/plugin_mcp_oauth.rs new file mode 100644 index 000000000..0c13f5ed4 --- /dev/null +++ b/codex-rs/app-server/src/codex_message_processor/plugin_mcp_oauth.rs @@ -0,0 +1,95 @@ +use std::collections::HashMap; +use std::sync::Arc; + +use codex_app_server_protocol::McpServerOauthLoginCompletedNotification; +use codex_app_server_protocol::ServerNotification; +use codex_core::config::Config; +use codex_core::config::types::McpServerConfig; +use codex_core::mcp::auth::McpOAuthLoginSupport; +use codex_core::mcp::auth::oauth_login_support; +use codex_core::mcp::auth::resolve_oauth_scopes; +use codex_core::mcp::auth::should_retry_without_scopes; +use codex_rmcp_client::perform_oauth_login; +use tracing::warn; + +use super::CodexMessageProcessor; + +impl CodexMessageProcessor { + pub(super) async fn start_plugin_mcp_oauth_logins( + &self, + config: &Config, + plugin_mcp_servers: HashMap, + ) { + for (name, server) in plugin_mcp_servers { + let oauth_config = match oauth_login_support(&server.transport).await { + McpOAuthLoginSupport::Supported(config) => config, + McpOAuthLoginSupport::Unsupported => continue, + McpOAuthLoginSupport::Unknown(err) => { + warn!( + "MCP server may or may not require login for plugin install {name}: {err}" + ); + continue; + } + }; + + let resolved_scopes = resolve_oauth_scopes( + /*explicit_scopes*/ None, + server.scopes.clone(), + oauth_config.discovered_scopes.clone(), + ); + + let store_mode = config.mcp_oauth_credentials_store_mode; + let callback_port = config.mcp_oauth_callback_port; + let callback_url = config.mcp_oauth_callback_url.clone(); + let outgoing = Arc::clone(&self.outgoing); + let notification_name = name.clone(); + + tokio::spawn(async move { + let first_attempt = perform_oauth_login( + &name, + &oauth_config.url, + store_mode, + oauth_config.http_headers.clone(), + oauth_config.env_http_headers.clone(), + &resolved_scopes.scopes, + server.oauth_resource.as_deref(), + callback_port, + callback_url.as_deref(), + ) + .await; + + let final_result = match first_attempt { + Err(err) if should_retry_without_scopes(&resolved_scopes, &err) => { + perform_oauth_login( + &name, + &oauth_config.url, + store_mode, + oauth_config.http_headers, + oauth_config.env_http_headers, + &[], + server.oauth_resource.as_deref(), + callback_port, + callback_url.as_deref(), + ) + .await + } + result => result, + }; + + let (success, error) = match final_result { + Ok(()) => (true, None), + Err(err) => (false, Some(err.to_string())), + }; + + let notification = ServerNotification::McpServerOauthLoginCompleted( + McpServerOauthLoginCompletedNotification { + name: notification_name, + success, + error, + }, + ); + outgoing.send_server_notification(notification).await; + }); + } + } +} diff --git a/codex-rs/app-server/tests/suite/v2/plugin_install.rs b/codex-rs/app-server/tests/suite/v2/plugin_install.rs index d65e438ed..8c597d94a 100644 --- a/codex-rs/app-server/tests/suite/v2/plugin_install.rs +++ b/codex-rs/app-server/tests/suite/v2/plugin_install.rs @@ -529,6 +529,79 @@ async fn plugin_install_filters_disallowed_apps_needing_auth() -> Result<()> { Ok(()) } +#[tokio::test] +async fn plugin_install_makes_bundled_mcp_servers_available_to_followup_requests() -> Result<()> { + let codex_home = TempDir::new()?; + std::fs::write( + codex_home.path().join("config.toml"), + "[features]\nplugins = true\n", + )?; + let repo_root = TempDir::new()?; + write_plugin_marketplace( + repo_root.path(), + "debug", + "sample-plugin", + "./sample-plugin", + None, + None, + )?; + write_plugin_source(repo_root.path(), "sample-plugin", &[])?; + std::fs::write( + repo_root.path().join("sample-plugin/.mcp.json"), + r#"{ + "mcpServers": { + "sample-mcp": { + "command": "echo" + } + } +}"#, + )?; + let marketplace_path = + AbsolutePathBuf::try_from(repo_root.path().join(".agents/plugins/marketplace.json"))?; + + let mut mcp = McpProcess::new(codex_home.path()).await?; + timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??; + + let request_id = mcp + .send_plugin_install_request(PluginInstallParams { + marketplace_path, + plugin_name: "sample-plugin".to_string(), + force_remote_sync: false, + }) + .await?; + let response: JSONRPCResponse = timeout( + DEFAULT_TIMEOUT, + mcp.read_stream_until_response_message(RequestId::Integer(request_id)), + ) + .await??; + let response: PluginInstallResponse = to_response(response)?; + assert_eq!(response.apps_needing_auth, Vec::::new()); + let config = std::fs::read_to_string(codex_home.path().join("config.toml"))?; + assert!(!config.contains("[mcp_servers.sample-mcp]")); + assert!(!config.contains("command = \"echo\"")); + + let request_id = mcp + .send_raw_request( + "mcpServer/oauth/login", + Some(json!({ + "name": "sample-mcp", + })), + ) + .await?; + let err = timeout( + DEFAULT_TIMEOUT, + mcp.read_stream_until_error_message(RequestId::Integer(request_id)), + ) + .await??; + + assert_eq!(err.error.code, -32600); + assert_eq!( + err.error.message, + "OAuth login is only supported for streamable HTTP servers." + ); + Ok(()) +} + #[derive(Clone)] struct AppsServerState { response: Arc>, diff --git a/codex-rs/core/src/plugins/manager.rs b/codex-rs/core/src/plugins/manager.rs index f28bcc2c4..936dc48fd 100644 --- a/codex-rs/core/src/plugins/manager.rs +++ b/codex-rs/core/src/plugins/manager.rs @@ -1660,6 +1660,22 @@ pub fn plugin_telemetry_metadata_from_root( } } +pub fn load_plugin_mcp_servers(plugin_root: &Path) -> HashMap { + let Some(manifest) = load_plugin_manifest(plugin_root) else { + return HashMap::new(); + }; + + let mut mcp_servers = HashMap::new(); + for mcp_config_path in plugin_mcp_config_paths(plugin_root, &manifest.paths) { + let plugin_mcp = load_mcp_servers_from_file(plugin_root, &mcp_config_path); + for (name, config) in plugin_mcp.mcp_servers { + mcp_servers.entry(name).or_insert(config); + } + } + + mcp_servers +} + pub fn installed_plugin_telemetry_metadata( codex_home: &Path, plugin_id: &PluginId, diff --git a/codex-rs/core/src/plugins/mod.rs b/codex-rs/core/src/plugins/mod.rs index f518e3b2b..895a633e6 100644 --- a/codex-rs/core/src/plugins/mod.rs +++ b/codex-rs/core/src/plugins/mod.rs @@ -36,6 +36,7 @@ pub use manager::PluginsManager; pub use manager::RemotePluginSyncResult; pub use manager::installed_plugin_telemetry_metadata; pub use manager::load_plugin_apps; +pub use manager::load_plugin_mcp_servers; pub(crate) use manager::plugin_namespace_for_skill_path; pub use manager::plugin_telemetry_metadata_from_root; pub use manifest::PluginManifestInterface;