core/core-agent-ide
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Agent IDE — Codex fork for AI-native development environment
4484 commits 2 branches 0 tags 80 MiB
Find a file
jgershen-oai 3e96c867fe
use scopes_supported for OAuth when present on MCP servers (#14419) 
Fixes [#8889](https://github.com/openai/codex/issues/8889).

## Summary
- Discover and use advertised MCP OAuth `scopes_supported` when no
explicit or configured scopes are present.
- Apply the same scope precedence across `mcp add`, `mcp login`, skill
dependency auto-login, and app-server MCP OAuth login.
- Keep discovered scopes ephemeral and non-persistent.
- Retry once without scopes for CLI and skill auto-login flows if the
OAuth provider rejects discovered scopes.

## Motivation
Some MCP servers advertise the scopes they expect clients to request
during OAuth, but Codex was ignoring that metadata and typically
starting OAuth with no scopes unless the user manually passed `--scopes`
or configured `server.scopes`.

That made compliant MCP servers harder to use out of the box and is the
behavior described in
[#8889](https://github.com/openai/codex/issues/8889).

This change also brings our behavior in line with the MCP authorization
spec's scope selection guidance:

https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#scope-selection-strategy

## Behavior
Scope selection now follows this order everywhere:
1. Explicit request scopes / CLI `--scopes`
2. Configured `server.scopes`
3. Discovered `scopes_supported`
4. Legacy empty-scope behavior

Compatibility notes:
- Existing working setups keep the same behavior because explicit and
configured scopes still win.
- Discovered scopes are never written back into config or token storage.
- If discovery is missing, malformed, or empty, behavior falls back to
the previous empty-scope path.
- App-server login gets the same precedence rules, but does not add a
transparent retry path in this change.

## Implementation
- Extend streamable HTTP OAuth discovery to parse and normalize
`scopes_supported`.
- Add a shared MCP scope resolver in `core` so all login entrypoints use
the same precedence rules.
- Preserve provider callback errors from the OAuth flow so CLI/skill
flows can safely distinguish provider rejections from other failures.
- Reuse discovered scopes from the existing OAuth support check where
possible instead of persisting new config.
2026-03-12 11:57:06 -07:00
.codex/skills Add PR babysitting skill for this repo (#12513) 2026-02-22 15:36:28 -08:00
.devcontainer fix: include libcap-dev dependency when creating a devcontainer for building Codex (#13814) 2026-03-06 16:21:14 -08:00
.github check for large binaries in CI (#14382) 2026-03-11 22:39:08 +00:00
.vscode chore: rm --all-features flag from rust-analyzer (#13381) 2026-03-03 11:44:54 -08:00
codex-cli Update pnpm versions to fix cve-2026-24842 (#12009) 2026-02-19 14:27:55 -08:00
codex-rs use scopes_supported for OAuth when present on MCP servers (#14419) 2026-03-12 11:57:06 -07:00
docs Let models opt into original image detail (#14175) 2026-03-11 15:25:07 -07:00
patches [bazel] Bump rules_rs and llvm (#13366) 2026-03-04 01:59:32 +00:00
scripts check for large binaries in CI (#14382) 2026-03-11 22:39:08 +00:00
sdk Add Python app-server SDK (#14435) 2026-03-12 09:22:01 -07:00
shell-tool-mcp refactor: delete exec-server and move execve wrapper into shell-escalation (#12632) 2026-02-23 20:10:22 -08:00
third_party Add feature-gated freeform js_repl core runtime (#10674) 2026-02-11 12:05:02 -08:00
.bazelignore [bazel] Improve runfiles handling (#10098) 2026-01-29 00:15:44 +00:00
.bazelrc [bazel] Bump rules_rs and llvm (#13366) 2026-03-04 01:59:32 +00:00
.bazelversion [bazel] Upgrade to bazel9 (#9576) 2026-01-21 13:25:36 +00:00
.codespellignore feat(network-proxy): structured policy signaling and attempt correlation to core (#11662) 2026-02-13 09:01:11 +00:00
.codespellrc feat(network-proxy): structured policy signaling and attempt correlation to core (#11662) 2026-02-13 09:01:11 +00:00
.gitignore gitignore bazel-* (#8911) 2026-01-08 07:50:58 -08:00
.markdownlint-cli2.yaml fix(tui): document paste-burst state machine (#9020) 2026-01-13 11:48:31 -08:00
.npmrc chore: migrate to pnpm for improved monorepo management (#287) 2025-04-18 16:25:15 -07:00
.prettierignore [apply-patch] Clean up apply-patch tool definitions (#2539) 2025-08-21 20:07:41 -07:00
.prettierrc.toml Initial commit 2025-04-16 12:56:08 -04:00
AGENTS.md Add keyboard based fast switching between agents in TUI (#13923) 2026-03-11 12:33:10 -07:00
announcement_tip.toml nit: test an (#10892) 2026-02-06 14:41:53 +01:00
BUILD.bazel fix(ci): restore guardian coverage and bazel unit tests (#13912) 2026-03-08 12:05:19 -07:00
CHANGELOG.md Documentation improvement: add missing period (#3754) 2025-10-30 13:01:33 -07:00
cliff.toml docs(changelog): update install command to @openai/codex@<version> (#2073) 2025-10-18 11:02:22 -07:00
defs.bzl fix(ci): restore guardian coverage and bazel unit tests (#13912) 2026-03-08 12:05:19 -07:00
flake.lock fix(nix): update flake for newer Rust toolchain requirements (#10302) 2026-01-31 11:34:53 -08:00
flake.nix fix(nix): use correct version from Cargo.toml in flake build (#11770) 2026-02-13 12:19:25 -08:00
justfile start of hooks engine (#13276) 2026-03-10 04:11:31 +00:00
LICENSE Initial commit 2025-04-16 12:56:08 -04:00
MODULE.bazel [bazel] Bump rules_rs and llvm (#13366) 2026-03-04 01:59:32 +00:00
MODULE.bazel.lock feat: track plugins mcps/apps and add plugin info to user_instructions (#13433) 2026-03-04 19:46:13 -08:00
NOTICE Add feature-gated freeform js_repl core runtime (#10674) 2026-02-11 12:05:02 -08:00
package.json start of hooks engine (#13276) 2026-03-10 04:11:31 +00:00
pnpm-lock.yaml chore: ensure pnpm-workspace.yaml is up-to-date (#10140) 2026-01-29 10:49:03 -08:00
pnpm-workspace.yaml chore: ensure pnpm-workspace.yaml is up-to-date (#10140) 2026-01-29 10:49:03 -08:00
rbe.bzl [bazel] Bump rules_rs and llvm (#13366) 2026-03-04 01:59:32 +00:00
README.md docs: mention Codex app in README intro (#11926) 2026-02-16 17:35:05 +01:00
SECURITY.md docs: add codex security policy (#12193) 2026-02-19 09:12:59 -08:00
workspace_root_test_launcher.bat.tpl fix(ci): restore guardian coverage and bazel unit tests (#13912) 2026-03-08 12:05:19 -07:00
workspace_root_test_launcher.sh.tpl fix(ci): restore guardian coverage and bazel unit tests (#13912) 2026-03-08 12:05:19 -07:00

README.md

npm i -g @openai/codex
or brew install --cask codex

Codex CLI is a coding agent from OpenAI that runs locally on your computer.

Codex CLI splash


If you want Codex in your code editor (VS Code, Cursor, Windsurf), install in your IDE.
If you want the desktop app experience, run codex app or visit the Codex App page.
If you are looking for the cloud-based agent from OpenAI, Codex Web, go to chatgpt.com/codex.

Quickstart

Installing and running Codex CLI

Install globally with your preferred package manager:

# Install using npm
npm install -g @openai/codex

# Install using Homebrew
brew install --cask codex

Then simply run codex to get started.

You can also go to the latest GitHub Release and download the appropriate binary for your platform.

Each GitHub Release contains many executables, but in practice, you likely want one of these:

  • macOS
    • Apple Silicon/arm64: codex-aarch64-apple-darwin.tar.gz
    • x86_64 (older Mac hardware): codex-x86_64-apple-darwin.tar.gz
  • Linux
    • x86_64: codex-x86_64-unknown-linux-musl.tar.gz
    • arm64: codex-aarch64-unknown-linux-musl.tar.gz

Each archive contains a single entry with the platform baked into the name (e.g., codex-x86_64-unknown-linux-musl), so you likely want to rename it to codex after extracting it.

Using Codex with your ChatGPT plan

Run codex and select Sign in with ChatGPT. We recommend signing into your ChatGPT account to use Codex as part of your Plus, Pro, Team, Edu, or Enterprise plan. Learn more about what's included in your ChatGPT plan.

You can also use Codex with an API key, but this requires additional setup.

Docs

This repository is licensed under the Apache-2.0 License.