core/core-agent-ide
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(core): require approval for destructive MCP tool calls (#12353)

Browse source 
Summary
- ensure destructive tool annotations short-circuit to require approval
- simplify approval logic to only require read/write + open-world when
destructive is false
- update the unit test to cover the new destructive behavior

Testing
- Not run (not requested)
This commit is contained in:
colby-oai 2026-02-20 15:12:16 -05:00 committed by GitHub
parent aa121a115e
commit d3cf8bd0fa
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 7 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
codex-rs/core/src/mcp_tool_call.rs
View file

@ -582,8 +582,11 @@ async fn remember_mcp_tool_approval(sess: &Session, key: McpToolApprovalKey) {
}
fn requires_mcp_tool_approval(annotations: &ToolAnnotations) -> bool {
annotations.read_only_hint == Some(false)
&& (annotations.destructive_hint == Some(true) || annotations.open_world_hint == Some(true))
if annotations.destructive_hint == Some(true) {
return true;
}
annotations.read_only_hint == Some(false) && annotations.open_world_hint == Some(true)
}
async fn notify_mcp_tool_call_skip(
@ -641,9 +644,9 @@ mod tests {
}
#[test]
fn approval_not_required_when_read_only_true() {
fn approval_required_when_destructive_even_if_read_only_true() {
let annotations = annotations(Some(true), Some(true), Some(true));
assert_eq!(requires_mcp_tool_approval(&annotations), false);
assert_eq!(requires_mcp_tool_approval(&annotations), true);
}
#[test]