History

viyatb-oai b527ee2890 feat(core): add structured network approval plumbing and policy decision model (#11672 ) ### Description #### Summary Introduces the core plumbing required for structured network approvals #### What changed - Added structured network policy decision modeling in core. - Added approval payload/context types needed for network approval semantics. - Wired shell/unified-exec runtime plumbing to consume structured decisions. - Updated related core error/event surfaces for structured handling. - Updated protocol plumbing used by core approval flow. - Included small CLI debug sandbox compatibility updates needed by this layer. #### Why establishes the minimal backend foundation for network approvals without yet changing high-level orchestration or TUI behavior. #### Notes - Behavior remains constrained by existing requirements/config gating. - Follow-up PRs in the stack handle orchestration, UX, and app-server integration. --------- Co-authored-by: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>		2026-02-14 04:18:12 +00:00
..
src	feat(core): add structured network approval plumbing and policy decision model (#11672 )	2026-02-14 04:18:12 +00:00
tests	feat(shell-tool-mcp): add patched zsh build pipeline (#11668 )	2026-02-13 01:34:48 +00:00
BUILD.bazel	feat: add support for building with Bazel (#8875 )	2026-01-09 11:09:43 -08:00
Cargo.toml	feat: introduce codex-utils-cargo-bin as an alternative to assert_cmd::Command (#8496 )	2025-12-23 19:29:32 -08:00
README.md	feat(shell-tool-mcp): add patched zsh build pipeline (#11668 )	2026-02-13 01:34:48 +00:00

README.md

codex-exec-server

This crate contains the code for two executables:

codex-exec-mcp-server is an MCP server that provides a tool named shell that runs a shell command inside a sandboxed shell process. Every resulting execve(2) call made within that shell is intercepted and run via the executable defined by the EXEC_WRAPPER environment variable within the shell process. In practice, EXEC_WRAPPER is set to codex-execve-wrapper.
codex-execve-wrapper is the executable that takes the arguments to the execve(2) call and "escalates" it to the MCP server via a shared file descriptor (specified by the CODEX_ESCALATE_SOCKET environment variable) for consideration. Based on the Codex .rules, the MCP server replies with one of:
- Run: codex-execve-wrapper should invoke execve(2) on itself to run the original command within Bash
- Escalate: forward the file descriptors of the current process to the MCP server so the command can be run faithfully outside the sandbox. Because the MCP server will have the original FDs for stdout and stderr, it can write those directly. When the process completes, the MCP server forwards the exit code to codex-execve-wrapper so that it exits in a consistent manner.
- Deny: the MCP server has declared the proposed command to be "forbidden," so codex-execve-wrapper will print an error to stderr and exit with 1.

Patched Bash

We carry a small patch to execute_cmd.c (see patches/bash-exec-wrapper.patch) that adds support for EXEC_WRAPPER. The original commit message is “add support for BASH_EXEC_WRAPPER” and the patch applies cleanly to a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b from https://github.com/bminor/bash. To rebuild manually:

git clone https://github.com/bminor/bash
git checkout a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
git apply /path/to/patches/bash-exec-wrapper.patch
./configure --without-bash-malloc
make -j"$(nproc)"

Release workflow

.github/workflows/shell-tool-mcp.yml builds the Rust binaries, compiles the patched Bash variants, assembles the vendor/ tree, and creates codex-shell-tool-mcp-npm-<version>.tgz for inclusion in the Rust GitHub Release. When the version is a stable or alpha tag, the workflow also publishes the tarball to npm using OIDC. The workflow is invoked from rust-release.yml so the package ships alongside other Codex artifacts.