Extract MCP into codex-mcp crate (#15919)

- Split MCP runtime/server code out of `codex-core` into the new
`codex-mcp` crate. New/moved public structs/types include `McpConfig`,
`McpConnectionManager`, `ToolInfo`, `ToolPluginProvenance`,
`CodexAppsToolsCacheKey`, and the `McpManager` API
(`codex_mcp::mcp::McpManager` plus the `codex_core::mcp::McpManager`
wrapper/shim). New/moved functions include `with_codex_apps_mcp`,
`configured_mcp_servers`, `effective_mcp_servers`,
`collect_mcp_snapshot`, `collect_mcp_snapshot_from_manager`,
`qualified_mcp_tool_name_prefix`, and the MCP auth/skill-dependency
helpers. Why: this creates a focused MCP crate boundary and shrinks
`codex-core` without forcing every consumer to migrate in the same PR.

- Move MCP server config schema and persistence into `codex-config`.
New/moved structs/enums include `AppToolApproval`,
`McpServerToolConfig`, `McpServerConfig`, `RawMcpServerConfig`,
`McpServerTransportConfig`, `McpServerDisabledReason`, and
`codex_config::ConfigEditsBuilder`. New/moved functions include
`load_global_mcp_servers` and
`ConfigEditsBuilder::replace_mcp_servers`/`apply`. Why: MCP TOML
parsing/editing is config ownership, and this keeps config
validation/round-tripping (including per-tool approval overrides and
inline bearer-token rejection) in the config crate instead of
`codex-core`.

- Rewire `codex-core`, app-server, and plugin call sites onto the new
crates. Updated `Config::to_mcp_config(&self, plugins_manager)`,
`codex-rs/core/src/mcp.rs`, `codex-rs/core/src/connectors.rs`,
`codex-rs/core/src/codex.rs`,
`CodexMessageProcessor::list_mcp_server_status_task`, and
`utils/plugins/src/mcp_connector.rs` to build/pass the new MCP
config/runtime types. Why: plugin-provided MCP servers still merge with
user-configured servers, and runtime auth (`CodexAuth`) is threaded into
`with_codex_apps_mcp` / `collect_mcp_snapshot` explicitly so `McpConfig`
stays config-only.

codex-rs/config/src/lib.rs

@@ -3,6 +3,8 @@ mod config_requirements;
 mod constraint;
 mod diagnostics;
 mod fingerprint;
+mod mcp_edit;
+mod mcp_types;
 mod merge;
 mod overrides;
 mod project_root_markers;
@@ -50,6 +52,14 @@ pub use diagnostics::format_config_error;
 pub use diagnostics::format_config_error_with_source;
 pub use diagnostics::io_error_from_config_error;
 pub use fingerprint::version_for_toml;
+pub use mcp_edit::ConfigEditsBuilder;
+pub use mcp_edit::load_global_mcp_servers;
+pub use mcp_types::AppToolApproval;
+pub use mcp_types::McpServerConfig;
+pub use mcp_types::McpServerDisabledReason;
+pub use mcp_types::McpServerToolConfig;
+pub use mcp_types::McpServerTransportConfig;
+pub use mcp_types::RawMcpServerConfig;
 pub use merge::merge_toml_values;
 pub use overrides::build_cli_overrides_layer;
 pub use project_root_markers::default_project_root_markers;

codex-rs/config/src/mcp_edit.rs

@@ -0,0 +1,253 @@
+use std::collections::BTreeMap;
+use std::fs;
+use std::io::ErrorKind;
+use std::path::Path;
+use std::path::PathBuf;
+
+use tokio::task;
+use toml::Value as TomlValue;
+use toml_edit::DocumentMut;
+use toml_edit::Item as TomlItem;
+use toml_edit::Table as TomlTable;
+use toml_edit::value;
+
+use crate::AppToolApproval;
+use crate::CONFIG_TOML_FILE;
+use crate::McpServerConfig;
+use crate::McpServerTransportConfig;
+
+pub async fn load_global_mcp_servers(
+    codex_home: &Path,
+) -> std::io::Result<BTreeMap<String, McpServerConfig>> {
+    let config_path = codex_home.join(CONFIG_TOML_FILE);
+    let raw = match tokio::fs::read_to_string(&config_path).await {
+        Ok(raw) => raw,
+        Err(err) if err.kind() == ErrorKind::NotFound => return Ok(BTreeMap::new()),
+        Err(err) => return Err(err),
+    };
+    let parsed = toml::from_str::<TomlValue>(&raw)
+        .map_err(|err| std::io::Error::new(ErrorKind::InvalidData, err))?;
+    let Some(servers_value) = parsed.get("mcp_servers") else {
+        return Ok(BTreeMap::new());
+    };
+
+    ensure_no_inline_bearer_tokens(servers_value)?;
+
+    servers_value
+        .clone()
+        .try_into()
+        .map_err(|err| std::io::Error::new(ErrorKind::InvalidData, err))
+}
+
+fn ensure_no_inline_bearer_tokens(value: &TomlValue) -> std::io::Result<()> {
+    let Some(servers_table) = value.as_table() else {
+        return Ok(());
+    };
+
+    for (server_name, server_value) in servers_table {
+        if let Some(server_table) = server_value.as_table()
+            && server_table.contains_key("bearer_token")
+        {
+            let message = format!(
+                "mcp_servers.{server_name} uses unsupported `bearer_token`; set `bearer_token_env_var`."
+            );
+            return Err(std::io::Error::new(ErrorKind::InvalidData, message));
+        }
+    }
+
+    Ok(())
+}
+
+pub struct ConfigEditsBuilder {
+    codex_home: PathBuf,
+    mcp_servers: Option<BTreeMap<String, McpServerConfig>>,
+}
+
+impl ConfigEditsBuilder {
+    pub fn new(codex_home: &Path) -> Self {
+        Self {
+            codex_home: codex_home.to_path_buf(),
+            mcp_servers: None,
+        }
+    }
+
+    pub fn replace_mcp_servers(mut self, servers: &BTreeMap<String, McpServerConfig>) -> Self {
+        self.mcp_servers = Some(servers.clone());
+        self
+    }
+
+    pub async fn apply(self) -> std::io::Result<()> {
+        task::spawn_blocking(move || self.apply_blocking())
+            .await
+            .map_err(|err| {
+                std::io::Error::other(format!("config persistence task panicked: {err}"))
+            })?
+    }
+
+    fn apply_blocking(self) -> std::io::Result<()> {
+        let config_path = self.codex_home.join(CONFIG_TOML_FILE);
+        let mut doc = read_or_create_document(&config_path)?;
+        if let Some(servers) = self.mcp_servers.as_ref() {
+            replace_mcp_servers(&mut doc, servers);
+        }
+        fs::create_dir_all(&self.codex_home)?;
+        fs::write(config_path, doc.to_string())
+    }
+}
+
+fn read_or_create_document(config_path: &Path) -> std::io::Result<DocumentMut> {
+    match fs::read_to_string(config_path) {
+        Ok(raw) => raw
+            .parse::<DocumentMut>()
+            .map_err(|err| std::io::Error::new(ErrorKind::InvalidData, err)),
+        Err(err) if err.kind() == ErrorKind::NotFound => Ok(DocumentMut::new()),
+        Err(err) => Err(err),
+    }
+}
+
+fn replace_mcp_servers(doc: &mut DocumentMut, servers: &BTreeMap<String, McpServerConfig>) {
+    let root = doc.as_table_mut();
+    if servers.is_empty() {
+        root.remove("mcp_servers");
+        return;
+    }
+
+    let mut table = TomlTable::new();
+    table.set_implicit(true);
+    for (name, config) in servers {
+        table.insert(name, serialize_mcp_server(config));
+    }
+    root.insert("mcp_servers", TomlItem::Table(table));
+}
+
+fn serialize_mcp_server(config: &McpServerConfig) -> TomlItem {
+    let mut entry = TomlTable::new();
+    entry.set_implicit(false);
+
+    match &config.transport {
+        McpServerTransportConfig::Stdio {
+            command,
+            args,
+            env,
+            env_vars,
+            cwd,
+        } => {
+            entry["command"] = value(command.clone());
+            if !args.is_empty() {
+                entry["args"] = array_from_strings(args);
+            }
+            if let Some(env) = env
+                && !env.is_empty()
+            {
+                entry["env"] = table_from_pairs(env.iter());
+            }
+            if !env_vars.is_empty() {
+                entry["env_vars"] = array_from_strings(env_vars);
+            }
+            if let Some(cwd) = cwd {
+                entry["cwd"] = value(cwd.to_string_lossy().to_string());
+            }
+        }
+        McpServerTransportConfig::StreamableHttp {
+            url,
+            bearer_token_env_var,
+            http_headers,
+            env_http_headers,
+        } => {
+            entry["url"] = value(url.clone());
+            if let Some(env_var) = bearer_token_env_var {
+                entry["bearer_token_env_var"] = value(env_var.clone());
+            }
+            if let Some(headers) = http_headers
+                && !headers.is_empty()
+            {
+                entry["http_headers"] = table_from_pairs(headers.iter());
+            }
+            if let Some(headers) = env_http_headers
+                && !headers.is_empty()
+            {
+                entry["env_http_headers"] = table_from_pairs(headers.iter());
+            }
+        }
+    }
+
+    if !config.enabled {
+        entry["enabled"] = value(false);
+    }
+    if config.required {
+        entry["required"] = value(true);
+    }
+    if let Some(timeout) = config.startup_timeout_sec {
+        entry["startup_timeout_sec"] = value(timeout.as_secs_f64());
+    }
+    if let Some(timeout) = config.tool_timeout_sec {
+        entry["tool_timeout_sec"] = value(timeout.as_secs_f64());
+    }
+    if let Some(enabled_tools) = &config.enabled_tools
+        && !enabled_tools.is_empty()
+    {
+        entry["enabled_tools"] = array_from_strings(enabled_tools);
+    }
+    if let Some(disabled_tools) = &config.disabled_tools
+        && !disabled_tools.is_empty()
+    {
+        entry["disabled_tools"] = array_from_strings(disabled_tools);
+    }
+    if let Some(scopes) = &config.scopes
+        && !scopes.is_empty()
+    {
+        entry["scopes"] = array_from_strings(scopes);
+    }
+    if let Some(resource) = &config.oauth_resource
+        && !resource.is_empty()
+    {
+        entry["oauth_resource"] = value(resource.clone());
+    }
+    if !config.tools.is_empty() {
+        let mut tools = TomlTable::new();
+        tools.set_implicit(false);
+        let mut tool_entries: Vec<_> = config.tools.iter().collect();
+        tool_entries.sort_by(|(left, _), (right, _)| left.cmp(right));
+        for (name, tool_config) in tool_entries {
+            let mut tool_entry = TomlTable::new();
+            tool_entry.set_implicit(false);
+            if let Some(approval_mode) = tool_config.approval_mode {
+                tool_entry["approval_mode"] = value(match approval_mode {
+                    AppToolApproval::Auto => "auto",
+                    AppToolApproval::Prompt => "prompt",
+                    AppToolApproval::Approve => "approve",
+                });
+            }
+            tools.insert(name, TomlItem::Table(tool_entry));
+        }
+        entry.insert("tools", TomlItem::Table(tools));
+    }
+
+    TomlItem::Table(entry)
+}
+
+fn array_from_strings(values: &[String]) -> TomlItem {
+    let mut array = toml_edit::Array::new();
+    for value in values {
+        array.push(value.clone());
+    }
+    TomlItem::Value(array.into())
+}
+
+fn table_from_pairs<'a, I>(pairs: I) -> TomlItem
+where
+    I: IntoIterator<Item = (&'a String, &'a String)>,
+{
+    let mut entries: Vec<_> = pairs.into_iter().collect();
+    entries.sort_by(|(left, _), (right, _)| left.cmp(right));
+    let mut table = TomlTable::new();
+    table.set_implicit(false);
+    for (key, value_str) in entries {
+        table.insert(key, value(value_str.clone()));
+    }
+    TomlItem::Table(table)
+}
+
+#[cfg(test)]
+#[path = "mcp_edit_tests.rs"]
+mod tests;

codex-rs/config/src/mcp_edit_tests.rs

@@ -0,0 +1,79 @@
+use super::*;
+use crate::McpServerToolConfig;
+use pretty_assertions::assert_eq;
+use std::collections::HashMap;
+use std::time::SystemTime;
+use std::time::UNIX_EPOCH;
+
+#[tokio::test]
+async fn replace_mcp_servers_serializes_per_tool_approval_overrides() -> anyhow::Result<()> {
+    let unique_suffix = SystemTime::now().duration_since(UNIX_EPOCH)?.as_nanos();
+    let codex_home = std::env::temp_dir().join(format!(
+        "codex-config-mcp-edit-test-{}-{unique_suffix}",
+        std::process::id()
+    ));
+    let servers = BTreeMap::from([(
+        "docs".to_string(),
+        McpServerConfig {
+            transport: McpServerTransportConfig::Stdio {
+                command: "docs-server".to_string(),
+                args: Vec::new(),
+                env: None,
+                env_vars: Vec::new(),
+                cwd: None,
+            },
+            enabled: true,
+            required: false,
+            disabled_reason: None,
+            startup_timeout_sec: None,
+            tool_timeout_sec: None,
+            enabled_tools: None,
+            disabled_tools: None,
+            scopes: None,
+            oauth_resource: None,
+            tools: HashMap::from([
+                (
+                    "search".to_string(),
+                    McpServerToolConfig {
+                        approval_mode: Some(AppToolApproval::Approve),
+                    },
+                ),
+                (
+                    "read".to_string(),
+                    McpServerToolConfig {
+                        approval_mode: Some(AppToolApproval::Prompt),
+                    },
+                ),
+            ]),
+        },
+    )]);
+
+    ConfigEditsBuilder::new(&codex_home)
+        .replace_mcp_servers(&servers)
+        .apply()
+        .await?;
+
+    let config_path = codex_home.join(CONFIG_TOML_FILE);
+    let serialized = std::fs::read_to_string(&config_path)?;
+    assert_eq!(
+        serialized,
+        r#"[mcp_servers.docs]
+command = "docs-server"
+
+[mcp_servers.docs.tools]
+
+[mcp_servers.docs.tools.read]
+approval_mode = "prompt"
+
+[mcp_servers.docs.tools.search]
+approval_mode = "approve"
+"#
+    );
+
+    let loaded = load_global_mcp_servers(&codex_home).await?;
+    assert_eq!(loaded, servers);
+
+    std::fs::remove_dir_all(&codex_home)?;
+
+    Ok(())
+}

codex-rs/config/src/mcp_types.rs

@@ -0,0 +1,331 @@
+//! MCP server configuration types.
+
+use std::collections::HashMap;
+use std::fmt;
+use std::path::PathBuf;
+use std::time::Duration;
+
+use schemars::JsonSchema;
+use serde::Deserialize;
+use serde::Deserializer;
+use serde::Serialize;
+use serde::de::Error as SerdeError;
+
+use crate::RequirementSource;
+
+#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, Default, JsonSchema)]
+#[serde(rename_all = "snake_case")]
+pub enum AppToolApproval {
+    #[default]
+    Auto,
+    Prompt,
+    Approve,
+}
+
+/// Human-readable reason a configured MCP server was disabled after requirements
+/// were applied.
+///
+/// `Display` is intentionally implemented for CLI/TUI status output; avoid
+/// relying on `Debug` because enum variant syntax is not part of the user-facing
+/// message contract.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum McpServerDisabledReason {
+    /// The server is disabled, but there is no more specific user-facing reason.
+    Unknown,
+    /// The server was disabled by config requirements from the given source.
+    Requirements { source: RequirementSource },
+}
+
+impl fmt::Display for McpServerDisabledReason {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            McpServerDisabledReason::Unknown => write!(f, "unknown"),
+            McpServerDisabledReason::Requirements { source } => {
+                write!(f, "requirements ({source})")
+            }
+        }
+    }
+}
+
+/// Per-tool approval settings for a single MCP server tool.
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, Default, JsonSchema)]
+#[schemars(deny_unknown_fields)]
+pub struct McpServerToolConfig {
+    /// Approval mode for this tool.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub approval_mode: Option<AppToolApproval>,
+}
+
+#[derive(Serialize, Debug, Clone, PartialEq)]
+pub struct McpServerConfig {
+    #[serde(flatten)]
+    pub transport: McpServerTransportConfig,
+
+    /// When `false`, Codex skips initializing this MCP server.
+    #[serde(default = "default_enabled")]
+    pub enabled: bool,
+
+    /// When `true`, `codex exec` exits with an error if this MCP server fails to initialize.
+    #[serde(default, skip_serializing_if = "std::ops::Not::not")]
+    pub required: bool,
+
+    /// Reason this server was disabled after applying requirements.
+    #[serde(skip)]
+    pub disabled_reason: Option<McpServerDisabledReason>,
+
+    /// Startup timeout in seconds for initializing MCP server & initially listing tools.
+    #[serde(
+        default,
+        with = "option_duration_secs",
+        skip_serializing_if = "Option::is_none"
+    )]
+    pub startup_timeout_sec: Option<Duration>,
+
+    /// Default timeout for MCP tool calls initiated via this server.
+    #[serde(default, with = "option_duration_secs")]
+    pub tool_timeout_sec: Option<Duration>,
+
+    /// Explicit allow-list of tools exposed from this server. When set, only these tools will be registered.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub enabled_tools: Option<Vec<String>>,
+
+    /// Explicit deny-list of tools. These tools will be removed after applying `enabled_tools`.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub disabled_tools: Option<Vec<String>>,
+
+    /// Optional OAuth scopes to request during MCP login.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub scopes: Option<Vec<String>>,
+
+    /// Optional OAuth resource parameter to include during MCP login (RFC 8707).
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub oauth_resource: Option<String>,
+
+    /// Per-tool approval settings keyed by tool name.
+    #[serde(default, skip_serializing_if = "HashMap::is_empty")]
+    pub tools: HashMap<String, McpServerToolConfig>,
+}
+
+/// Raw MCP config shape used for deserialization and JSON Schema generation.
+///
+/// Keep `TryFrom<RawMcpServerConfig> for McpServerConfig` exhaustively
+/// destructuring this struct so new TOML fields cannot be added here without
+/// updating the validation/mapping logic that produces [`McpServerConfig`].
+#[derive(Deserialize, Clone, JsonSchema)]
+#[schemars(deny_unknown_fields)]
+pub struct RawMcpServerConfig {
+    // stdio
+    pub command: Option<String>,
+    #[serde(default)]
+    pub args: Option<Vec<String>>,
+    #[serde(default)]
+    pub env: Option<HashMap<String, String>>,
+    #[serde(default)]
+    pub env_vars: Option<Vec<String>>,
+    #[serde(default)]
+    pub cwd: Option<PathBuf>,
+    pub http_headers: Option<HashMap<String, String>>,
+    #[serde(default)]
+    pub env_http_headers: Option<HashMap<String, String>>,
+
+    // streamable_http
+    pub url: Option<String>,
+    pub bearer_token: Option<String>,
+    pub bearer_token_env_var: Option<String>,
+
+    // shared
+    #[serde(default)]
+    pub startup_timeout_sec: Option<f64>,
+    #[serde(default)]
+    pub startup_timeout_ms: Option<u64>,
+    #[serde(default, with = "option_duration_secs")]
+    #[schemars(with = "Option<f64>")]
+    pub tool_timeout_sec: Option<Duration>,
+    #[serde(default)]
+    pub enabled: Option<bool>,
+    #[serde(default)]
+    pub required: Option<bool>,
+    #[serde(default)]
+    pub enabled_tools: Option<Vec<String>>,
+    #[serde(default)]
+    pub disabled_tools: Option<Vec<String>>,
+    #[serde(default)]
+    pub scopes: Option<Vec<String>>,
+    #[serde(default)]
+    pub oauth_resource: Option<String>,
+    /// Legacy display-name field accepted for backward compatibility.
+    #[serde(default, rename = "name")]
+    pub _name: Option<String>,
+    #[serde(default)]
+    pub tools: Option<HashMap<String, McpServerToolConfig>>,
+}
+
+impl TryFrom<RawMcpServerConfig> for McpServerConfig {
+    type Error = String;
+
+    fn try_from(raw: RawMcpServerConfig) -> Result<Self, Self::Error> {
+        let RawMcpServerConfig {
+            command,
+            args,
+            env,
+            env_vars,
+            cwd,
+            http_headers,
+            env_http_headers,
+            url,
+            bearer_token,
+            bearer_token_env_var,
+            startup_timeout_sec,
+            startup_timeout_ms,
+            tool_timeout_sec,
+            enabled,
+            required,
+            enabled_tools,
+            disabled_tools,
+            scopes,
+            oauth_resource,
+            _name: _,
+            tools,
+        } = raw;
+
+        let startup_timeout_sec = match (startup_timeout_sec, startup_timeout_ms) {
+            (Some(sec), _) => {
+                Some(Duration::try_from_secs_f64(sec).map_err(|err| err.to_string())?)
+            }
+            (None, Some(ms)) => Some(Duration::from_millis(ms)),
+            (None, None) => None,
+        };
+
+        fn throw_if_set<T>(transport: &str, field: &str, value: Option<&T>) -> Result<(), String> {
+            if value.is_none() {
+                return Ok(());
+            }
+            Err(format!("{field} is not supported for {transport}"))
+        }
+
+        let transport = if let Some(command) = command {
+            throw_if_set("stdio", "url", url.as_ref())?;
+            throw_if_set(
+                "stdio",
+                "bearer_token_env_var",
+                bearer_token_env_var.as_ref(),
+            )?;
+            throw_if_set("stdio", "bearer_token", bearer_token.as_ref())?;
+            throw_if_set("stdio", "http_headers", http_headers.as_ref())?;
+            throw_if_set("stdio", "env_http_headers", env_http_headers.as_ref())?;
+            throw_if_set("stdio", "oauth_resource", oauth_resource.as_ref())?;
+            McpServerTransportConfig::Stdio {
+                command,
+                args: args.unwrap_or_default(),
+                env,
+                env_vars: env_vars.unwrap_or_default(),
+                cwd,
+            }
+        } else if let Some(url) = url {
+            throw_if_set("streamable_http", "args", args.as_ref())?;
+            throw_if_set("streamable_http", "env", env.as_ref())?;
+            throw_if_set("streamable_http", "env_vars", env_vars.as_ref())?;
+            throw_if_set("streamable_http", "cwd", cwd.as_ref())?;
+            throw_if_set("streamable_http", "bearer_token", bearer_token.as_ref())?;
+            McpServerTransportConfig::StreamableHttp {
+                url,
+                bearer_token_env_var,
+                http_headers,
+                env_http_headers,
+            }
+        } else {
+            return Err("invalid transport".to_string());
+        };
+
+        Ok(Self {
+            transport,
+            startup_timeout_sec,
+            tool_timeout_sec,
+            enabled: enabled.unwrap_or_else(default_enabled),
+            required: required.unwrap_or_default(),
+            disabled_reason: None,
+            enabled_tools,
+            disabled_tools,
+            scopes,
+            oauth_resource,
+            tools: tools.unwrap_or_default(),
+        })
+    }
+}
+
+impl<'de> Deserialize<'de> for McpServerConfig {
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        RawMcpServerConfig::deserialize(deserializer)?
+            .try_into()
+            .map_err(SerdeError::custom)
+    }
+}
+
+const fn default_enabled() -> bool {
+    true
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema)]
+#[serde(untagged, deny_unknown_fields, rename_all = "snake_case")]
+pub enum McpServerTransportConfig {
+    /// https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#stdio
+    Stdio {
+        command: String,
+        #[serde(default)]
+        args: Vec<String>,
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        env: Option<HashMap<String, String>>,
+        #[serde(default, skip_serializing_if = "Vec::is_empty")]
+        env_vars: Vec<String>,
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        cwd: Option<PathBuf>,
+    },
+    /// https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#streamable-http
+    StreamableHttp {
+        url: String,
+        /// Name of the environment variable to read for an HTTP bearer token.
+        /// When set, requests will include the token via `Authorization: Bearer <token>`.
+        /// The actual secret value must be provided via the environment.
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        bearer_token_env_var: Option<String>,
+        /// Additional HTTP headers to include in requests to this server.
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        http_headers: Option<HashMap<String, String>>,
+        /// HTTP headers where the value is sourced from an environment variable.
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        env_http_headers: Option<HashMap<String, String>>,
+    },
+}
+
+mod option_duration_secs {
+    use serde::Deserialize;
+    use serde::Deserializer;
+    use serde::Serializer;
+    use std::time::Duration;
+
+    pub fn serialize<S>(value: &Option<Duration>, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: Serializer,
+    {
+        match value {
+            Some(duration) => serializer.serialize_some(&duration.as_secs_f64()),
+            None => serializer.serialize_none(),
+        }
+    }
+
+    pub fn deserialize<'de, D>(deserializer: D) -> Result<Option<Duration>, D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        let secs = Option::<f64>::deserialize(deserializer)?;
+        secs.map(|secs| Duration::try_from_secs_f64(secs).map_err(serde::de::Error::custom))
+            .transpose()
+    }
+}
+
+#[cfg(test)]
+#[path = "mcp_types_tests.rs"]
+mod tests;

codex-rs/config/src/mcp_types_tests.rs

@@ -0,0 +1,351 @@
+use super::*;
+use pretty_assertions::assert_eq;
+use std::collections::HashMap;
+use std::path::PathBuf;
+
+#[test]
+fn deserialize_stdio_command_server_config() {
+    let cfg: McpServerConfig = toml::from_str(
+        r#"
+            command = "echo"
+        "#,
+    )
+    .expect("should deserialize command config");
+
+    assert_eq!(
+        cfg.transport,
+        McpServerTransportConfig::Stdio {
+            command: "echo".to_string(),
+            args: vec![],
+            env: None,
+            env_vars: Vec::new(),
+            cwd: None,
+        }
+    );
+    assert!(cfg.enabled);
+    assert!(!cfg.required);
+    assert!(cfg.enabled_tools.is_none());
+    assert!(cfg.disabled_tools.is_none());
+}
+
+#[test]
+fn deserialize_stdio_command_server_config_with_args() {
+    let cfg: McpServerConfig = toml::from_str(
+        r#"
+            command = "echo"
+            args = ["hello", "world"]
+        "#,
+    )
+    .expect("should deserialize command config");
+
+    assert_eq!(
+        cfg.transport,
+        McpServerTransportConfig::Stdio {
+            command: "echo".to_string(),
+            args: vec!["hello".to_string(), "world".to_string()],
+            env: None,
+            env_vars: Vec::new(),
+            cwd: None,
+        }
+    );
+    assert!(cfg.enabled);
+}
+
+#[test]
+fn deserialize_stdio_command_server_config_with_arg_with_args_and_env() {
+    let cfg: McpServerConfig = toml::from_str(
+        r#"
+            command = "echo"
+            args = ["hello", "world"]
+            env = { "FOO" = "BAR" }
+        "#,
+    )
+    .expect("should deserialize command config");
+
+    assert_eq!(
+        cfg.transport,
+        McpServerTransportConfig::Stdio {
+            command: "echo".to_string(),
+            args: vec!["hello".to_string(), "world".to_string()],
+            env: Some(HashMap::from([("FOO".to_string(), "BAR".to_string())])),
+            env_vars: Vec::new(),
+            cwd: None,
+        }
+    );
+    assert!(cfg.enabled);
+}
+
+#[test]
+fn deserialize_stdio_command_server_config_with_env_vars() {
+    let cfg: McpServerConfig = toml::from_str(
+        r#"
+            command = "echo"
+            env_vars = ["FOO", "BAR"]
+        "#,
+    )
+    .expect("should deserialize command config with env_vars");
+
+    assert_eq!(
+        cfg.transport,
+        McpServerTransportConfig::Stdio {
+            command: "echo".to_string(),
+            args: vec![],
+            env: None,
+            env_vars: vec!["FOO".to_string(), "BAR".to_string()],
+            cwd: None,
+        }
+    );
+}
+
+#[test]
+fn deserialize_stdio_command_server_config_with_cwd() {
+    let cfg: McpServerConfig = toml::from_str(
+        r#"
+            command = "echo"
+            cwd = "/tmp"
+        "#,
+    )
+    .expect("should deserialize command config with cwd");
+
+    assert_eq!(
+        cfg.transport,
+        McpServerTransportConfig::Stdio {
+            command: "echo".to_string(),
+            args: vec![],
+            env: None,
+            env_vars: Vec::new(),
+            cwd: Some(PathBuf::from("/tmp")),
+        }
+    );
+}
+
+#[test]
+fn deserialize_disabled_server_config() {
+    let cfg: McpServerConfig = toml::from_str(
+        r#"
+            command = "echo"
+            enabled = false
+        "#,
+    )
+    .expect("should deserialize disabled server config");
+
+    assert!(!cfg.enabled);
+    assert!(!cfg.required);
+}
+
+#[test]
+fn deserialize_required_server_config() {
+    let cfg: McpServerConfig = toml::from_str(
+        r#"
+            command = "echo"
+            required = true
+        "#,
+    )
+    .expect("should deserialize required server config");
+
+    assert!(cfg.required);
+}
+
+#[test]
+fn deserialize_streamable_http_server_config() {
+    let cfg: McpServerConfig = toml::from_str(
+        r#"
+            url = "https://example.com/mcp"
+        "#,
+    )
+    .expect("should deserialize http config");
+
+    assert_eq!(
+        cfg.transport,
+        McpServerTransportConfig::StreamableHttp {
+            url: "https://example.com/mcp".to_string(),
+            bearer_token_env_var: None,
+            http_headers: None,
+            env_http_headers: None,
+        }
+    );
+    assert!(cfg.enabled);
+}
+
+#[test]
+fn deserialize_streamable_http_server_config_with_env_var() {
+    let cfg: McpServerConfig = toml::from_str(
+        r#"
+            url = "https://example.com/mcp"
+            bearer_token_env_var = "GITHUB_TOKEN"
+        "#,
+    )
+    .expect("should deserialize http config");
+
+    assert_eq!(
+        cfg.transport,
+        McpServerTransportConfig::StreamableHttp {
+            url: "https://example.com/mcp".to_string(),
+            bearer_token_env_var: Some("GITHUB_TOKEN".to_string()),
+            http_headers: None,
+            env_http_headers: None,
+        }
+    );
+    assert!(cfg.enabled);
+}
+
+#[test]
+fn deserialize_streamable_http_server_config_with_headers() {
+    let cfg: McpServerConfig = toml::from_str(
+        r#"
+            url = "https://example.com/mcp"
+            http_headers = { "X-Foo" = "bar" }
+            env_http_headers = { "X-Token" = "TOKEN_ENV" }
+        "#,
+    )
+    .expect("should deserialize http config with headers");
+
+    assert_eq!(
+        cfg.transport,
+        McpServerTransportConfig::StreamableHttp {
+            url: "https://example.com/mcp".to_string(),
+            bearer_token_env_var: None,
+            http_headers: Some(HashMap::from([("X-Foo".to_string(), "bar".to_string())])),
+            env_http_headers: Some(HashMap::from([(
+                "X-Token".to_string(),
+                "TOKEN_ENV".to_string()
+            )])),
+        }
+    );
+}
+
+#[test]
+fn deserialize_streamable_http_server_config_with_oauth_resource() {
+    let cfg: McpServerConfig = toml::from_str(
+        r#"
+            url = "https://example.com/mcp"
+            oauth_resource = "https://api.example.com"
+        "#,
+    )
+    .expect("should deserialize http config with oauth_resource");
+
+    assert_eq!(
+        cfg.oauth_resource,
+        Some("https://api.example.com".to_string())
+    );
+}
+
+#[test]
+fn deserialize_server_config_with_tool_filters() {
+    let cfg: McpServerConfig = toml::from_str(
+        r#"
+            command = "echo"
+            enabled_tools = ["allowed"]
+            disabled_tools = ["blocked"]
+        "#,
+    )
+    .expect("should deserialize tool filters");
+
+    assert_eq!(cfg.enabled_tools, Some(vec!["allowed".to_string()]));
+    assert_eq!(cfg.disabled_tools, Some(vec!["blocked".to_string()]));
+}
+
+#[test]
+fn deserialize_ignores_unknown_server_fields() {
+    let cfg: McpServerConfig = toml::from_str(
+        r#"
+            command = "echo"
+            trust_level = "trusted"
+        "#,
+    )
+    .expect("should ignore unknown server fields");
+
+    assert_eq!(
+        cfg,
+        McpServerConfig {
+            transport: McpServerTransportConfig::Stdio {
+                command: "echo".to_string(),
+                args: vec![],
+                env: None,
+                env_vars: Vec::new(),
+                cwd: None,
+            },
+            enabled: true,
+            required: false,
+            disabled_reason: None,
+            startup_timeout_sec: None,
+            tool_timeout_sec: None,
+            enabled_tools: None,
+            disabled_tools: None,
+            scopes: None,
+            oauth_resource: None,
+            tools: HashMap::new(),
+        }
+    );
+}
+
+#[test]
+fn deserialize_rejects_command_and_url() {
+    toml::from_str::<McpServerConfig>(
+        r#"
+            command = "echo"
+            url = "https://example.com"
+        "#,
+    )
+    .expect_err("should reject command+url");
+}
+
+#[test]
+fn deserialize_rejects_env_for_http_transport() {
+    toml::from_str::<McpServerConfig>(
+        r#"
+            url = "https://example.com"
+            env = { "FOO" = "BAR" }
+        "#,
+    )
+    .expect_err("should reject env for http transport");
+}
+
+#[test]
+fn deserialize_rejects_headers_for_stdio() {
+    toml::from_str::<McpServerConfig>(
+        r#"
+            command = "echo"
+            http_headers = { "X-Foo" = "bar" }
+        "#,
+    )
+    .expect_err("should reject http_headers for stdio transport");
+
+    toml::from_str::<McpServerConfig>(
+        r#"
+            command = "echo"
+            env_http_headers = { "X-Foo" = "BAR_ENV" }
+        "#,
+    )
+    .expect_err("should reject env_http_headers for stdio transport");
+
+    let err = toml::from_str::<McpServerConfig>(
+        r#"
+            command = "echo"
+            oauth_resource = "https://api.example.com"
+        "#,
+    )
+    .expect_err("should reject oauth_resource for stdio transport");
+
+    assert!(
+        err.to_string()
+            .contains("oauth_resource is not supported for stdio"),
+        "unexpected error: {err}"
+    );
+}
+
+#[test]
+fn deserialize_rejects_inline_bearer_token_field() {
+    let err = toml::from_str::<McpServerConfig>(
+        r#"
+            url = "https://example.com"
+            bearer_token = "secret"
+        "#,
+    )
+    .expect_err("should reject bearer_token field");
+
+    assert!(
+        err.to_string().contains("bearer_token is not supported"),
+        "unexpected error: {err}"
+    );
+}