History

Michael Bolin 956f2f439e refactor: decouple MCP policy construction from escalate server (#12555 ) ## Why The current escalate path in `codex-rs/exec-server` still had policy creation coupled to MCP details, which makes it hard to reuse the shell execution flow outside the MCP server. This change is part of a broader goal to split MCP-specific behavior from shared escalation execution so other handlers (for example a future `ShellCommandHandler`) can reuse it without depending on MCP request context types. ## What changed - Added a new `EscalationPolicyFactory` abstraction in `mcp.rs`: - `crate`-relative path: `codex-rs/exec-server/src/posix/mcp.rs` - https://github.com/openai/codex/blob/main/codex-rs/exec-server/src/posix/mcp.rs#L87-L107 - Made `run_escalate_server` in `mcp.rs` accept a policy factory instead of constructing `McpEscalationPolicy` directly. - https://github.com/openai/codex/blob/main/codex-rs/exec-server/src/posix/mcp.rs#L178-L201 - Introduced `McpEscalationPolicyFactory` that stores MCP-only state (`RequestContext`, `preserve_program_paths`) and implements the new trait. - https://github.com/openai/codex/blob/main/codex-rs/exec-server/src/posix/mcp.rs#L100-L117 - Updated `shell()` to pass a `McpEscalationPolicyFactory` instance into `run_escalate_server`, so the server remains the MCP-specific wiring layer. - https://github.com/openai/codex/blob/main/codex-rs/exec-server/src/posix/mcp.rs#L163-L170 ## Verification - Build and test execution was not re-run in this pass; changes are limited to `mcp.rs` and preserve the existing escalation flow semantics by only extracting policy construction behind a factory. --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/12555). * #12556 * __->__ #12555		2026-02-23 00:31:29 -08:00
..
src	refactor: decouple MCP policy construction from escalate server (#12555 )	2026-02-23 00:31:29 -08:00
tests	test: vendor zsh fork via DotSlash and stabilize zsh-fork tests (#12518 )	2026-02-22 19:39:56 -08:00
BUILD.bazel	feat: add support for building with Bazel (#8875 )	2026-01-09 11:09:43 -08:00
Cargo.toml	test: vendor zsh fork via DotSlash and stabilize zsh-fork tests (#12518 )	2026-02-22 19:39:56 -08:00
README.md	feat(shell-tool-mcp): add patched zsh build pipeline (#11668 )	2026-02-13 01:34:48 +00:00

README.md

codex-exec-server

This crate contains the code for two executables:

codex-exec-mcp-server is an MCP server that provides a tool named shell that runs a shell command inside a sandboxed shell process. Every resulting execve(2) call made within that shell is intercepted and run via the executable defined by the EXEC_WRAPPER environment variable within the shell process. In practice, EXEC_WRAPPER is set to codex-execve-wrapper.
codex-execve-wrapper is the executable that takes the arguments to the execve(2) call and "escalates" it to the MCP server via a shared file descriptor (specified by the CODEX_ESCALATE_SOCKET environment variable) for consideration. Based on the Codex .rules, the MCP server replies with one of:
- Run: codex-execve-wrapper should invoke execve(2) on itself to run the original command within Bash
- Escalate: forward the file descriptors of the current process to the MCP server so the command can be run faithfully outside the sandbox. Because the MCP server will have the original FDs for stdout and stderr, it can write those directly. When the process completes, the MCP server forwards the exit code to codex-execve-wrapper so that it exits in a consistent manner.
- Deny: the MCP server has declared the proposed command to be "forbidden," so codex-execve-wrapper will print an error to stderr and exit with 1.

Patched Bash

We carry a small patch to execute_cmd.c (see patches/bash-exec-wrapper.patch) that adds support for EXEC_WRAPPER. The original commit message is “add support for BASH_EXEC_WRAPPER” and the patch applies cleanly to a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b from https://github.com/bminor/bash. To rebuild manually:

git clone https://github.com/bminor/bash
git checkout a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
git apply /path/to/patches/bash-exec-wrapper.patch
./configure --without-bash-malloc
make -j"$(nproc)"

Release workflow

.github/workflows/shell-tool-mcp.yml builds the Rust binaries, compiles the patched Bash variants, assembles the vendor/ tree, and creates codex-shell-tool-mcp-npm-<version>.tgz for inclusion in the Rust GitHub Release. When the version is a stable or alpha tag, the workflow also publishes the tarball to npm using OIDC. The workflow is invoked from rust-release.yml so the package ships alongside other Codex artifacts.