From d3cf8bd0fa6880b9a14ad8f9afb5a176adbc7291 Mon Sep 17 00:00:00 2001
From: colby-oai <228809017+colby-oai@users.noreply.github.com>
Date: Fri, 20 Feb 2026 15:12:16 -0500
Subject: [PATCH] fix(core): require approval for destructive MCP tool calls (#12353)

Summary
- ensure destructive tool annotations short-circuit to require approval
- simplify approval logic to only require read/write + open-world when destructive is false
- update the unit test to cover the new destructive behavior
Testing
- Not run (not requested)
---
 codex-rs/core/src/mcp_tool_call.rs | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/codex-rs/core/src/mcp_tool_call.rs b/codex-rs/core/src/mcp_tool_call.rs
index 00327386b..f194ee79a 100644
--- a/codex-rs/core/src/mcp_tool_call.rs
+++ b/codex-rs/core/src/mcp_tool_call.rs
@@ -582,8 +582,11 @@ async fn remember_mcp_tool_approval(sess: &Session, key: McpToolApprovalKey) {
 }

 fn requires_mcp_tool_approval(annotations: &ToolAnnotations) -> bool {
- annotations.read_only_hint == Some(false)
- && (annotations.destructive_hint == Some(true) || annotations.open_world_hint == Some(true))
+ if annotations.destructive_hint == Some(true) {
+ return true;
+ }
+
+ annotations.read_only_hint == Some(false) && annotations.open_world_hint == Some(true)
 }

 async fn notify_mcp_tool_call_skip(
@@ -641,9 +644,9 @@ mod tests {
 }

 #[test]
- fn approval_not_required_when_read_only_true() {
+ fn approval_required_when_destructive_even_if_read_only_true() {
 let annotations = annotations(Some(true), Some(true), Some(true));
- assert_eq!(requires_mcp_tool_approval(&annotations), false);
+ assert_eq!(requires_mcp_tool_approval(&annotations), true);
 }

 #[test]
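Review bot: In `requires_mcp_tool_approval`, a `destructive_hint` of `None` still falls through to the read-only/open-world test, so a tool whose server sends no hints at all (all three `None`) is never gated by this function. The MCP schema documents the defaults as `destructiveHint: true`, `openWorldHint: true` and `readOnlyHint: false`, and the hints are self-declared by the server, so the absent case is where failing closed matters most. If treating `None` as "no approval needed" is deliberate, say so on the function, e.g. `/// Hints are server-supplied and unverified; an absent hint is treated as unset, not as the MCP default.`, and pin it with a test that passes `None` for every hint. Whether callers deal with unannotated tools before reaching this function is not visible in the hunk.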
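Review bot: Renaming `approval_not_required_when_read_only_true` in place drops the only visible assertion that a read-only, non-destructive tool skips approval; the rest of `mod tests` lies outside the hunk, so confirm another case still pins that branch and add one if not. The all-`Some(true)` input also leaves the open-world hint set, so a second case with only the destructive hint set would isolate the new early return. As a style point, `assert!(requires_mcp_tool_approval(&annotations));` reads better than comparing against `true` with `assert_eq!`.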