feat: exec policy integration in shell mcp (#7609)

adding execpolicy support into the `posix` mcp Co-authored-by: Michael Bolin <mbolin@openai.com>
2026-04-30 03:12:20 +03:00 · 2025-12-04 21:55:54 -08:00
parent 4c9762d15c
commit b1c918d8f7
6 changed files with 171 additions and 41 deletions
--- a/codex-rs/exec-server/src/posix/mcp.rs
+++ b/codex-rs/exec-server/src/posix/mcp.rs
@@ -8,6 +8,7 @@ use codex_core::MCP_SANDBOX_STATE_CAPABILITY;
 use codex_core::MCP_SANDBOX_STATE_NOTIFICATION;
 use codex_core::SandboxState;
 use codex_core::protocol::SandboxPolicy;
+use codex_execpolicy::Policy;
 use rmcp::ErrorData as McpError;
 use rmcp::RoleServer;
 use rmcp::ServerHandler;
@@ -27,7 +28,6 @@ use tracing::debug;

 use crate::posix::escalate_server::EscalateServer;
 use crate::posix::escalate_server::{self};
-use crate::posix::mcp_escalation_policy::ExecPolicy;
 use crate::posix::mcp_escalation_policy::McpEscalationPolicy;
 use crate::posix::stopwatch::Stopwatch;

@@ -78,18 +78,25 @@ pub struct ExecTool {
    tool_router: ToolRouter<ExecTool>,
    bash_path: PathBuf,
    execve_wrapper: PathBuf,
-    policy: ExecPolicy,
+    policy: Arc<RwLock<Policy>>,
+    preserve_program_paths: bool,
    sandbox_state: Arc<RwLock<Option<SandboxState>>>,
 }

 #[tool_router]
 impl ExecTool {
-    pub fn new(bash_path: PathBuf, execve_wrapper: PathBuf, policy: ExecPolicy) -> Self {
+    pub fn new(
+        bash_path: PathBuf,
+        execve_wrapper: PathBuf,
+        policy: Arc<RwLock<Policy>>,
+        preserve_program_paths: bool,
+    ) -> Self {
        Self {
            tool_router: Self::tool_router(),
            bash_path,
            execve_wrapper,
            policy,
+            preserve_program_paths,
            sandbox_state: Arc::new(RwLock::new(None)),
        }
    }
@@ -121,7 +128,12 @@ impl ExecTool {
        let escalate_server = EscalateServer::new(
            self.bash_path.clone(),
            self.execve_wrapper.clone(),
-            McpEscalationPolicy::new(self.policy, context, stopwatch.clone()),
+            McpEscalationPolicy::new(
+                self.policy.clone(),
+                context,
+                stopwatch.clone(),
+                self.preserve_program_paths,
+            ),
        );

        let result = escalate_server
@@ -198,9 +210,10 @@ impl ServerHandler for ExecTool {
 pub(crate) async fn serve(
    bash_path: PathBuf,
    execve_wrapper: PathBuf,
-    policy: ExecPolicy,
+    policy: Arc<RwLock<Policy>>,
+    preserve_program_paths: bool,
 ) -> Result<RunningService<RoleServer, ExecTool>, rmcp::service::ServerInitializeError> {
-    let tool = ExecTool::new(bash_path, execve_wrapper, policy);
+    let tool = ExecTool::new(bash_path, execve_wrapper, policy, preserve_program_paths);
    tool.serve(stdio()).await
 }