rad/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-03-05 21:45:28 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
5a3bdcb27b4f5fffa6e3fad038c8f6759c417090
codex/codex-rs/exec-server/README.md
Jeremy Rose 9cf7a07281 feat(shell-tool-mcp): add patched zsh build pipeline (#11668) 
## Summary
- add `shell-tool-mcp/patches/zsh-exec-wrapper.patch` against upstream
zsh `77045ef899e53b9598bebc5a41db93a548a40ca6`
- add `zsh-linux` and `zsh-darwin` jobs to
`.github/workflows/shell-tool-mcp.yml`
- stage zsh binaries under `artifacts/vendor/<target>/zsh/<variant>/zsh`
- include zsh artifact jobs in `package.needs`
- mark staged zsh binaries executable during packaging

## Notes
- zsh source is cloned from `https://git.code.sf.net/p/zsh/code`
- workflow pins zsh commit `77045ef899e53b9598bebc5a41db93a548a40ca6`
- zsh build runs `./Util/preconfig` before `./configure`

## Validation
- parsed workflow YAML locally (`yaml-ok`)
- validated zsh patch applies cleanly with `git apply --check` on a
fresh zsh clone
2026-02-13 01:34:48 +00:00

2.4 KiB
Raw Blame History

codex-exec-server

This crate contains the code for two executables:

  • codex-exec-mcp-server is an MCP server that provides a tool named shell that runs a shell command inside a sandboxed shell process. Every resulting execve(2) call made within that shell is intercepted and run via the executable defined by the EXEC_WRAPPER environment variable within the shell process. In practice, EXEC_WRAPPER is set to codex-execve-wrapper.
  • codex-execve-wrapper is the executable that takes the arguments to the execve(2) call and "escalates" it to the MCP server via a shared file descriptor (specified by the CODEX_ESCALATE_SOCKET environment variable) for consideration. Based on the Codex .rules, the MCP server replies with one of:
    • Run: codex-execve-wrapper should invoke execve(2) on itself to run the original command within Bash
    • Escalate: forward the file descriptors of the current process to the MCP server so the command can be run faithfully outside the sandbox. Because the MCP server will have the original FDs for stdout and stderr, it can write those directly. When the process completes, the MCP server forwards the exit code to codex-execve-wrapper so that it exits in a consistent manner.
    • Deny: the MCP server has declared the proposed command to be "forbidden," so codex-execve-wrapper will print an error to stderr and exit with 1.

Patched Bash

We carry a small patch to execute_cmd.c (see patches/bash-exec-wrapper.patch) that adds support for EXEC_WRAPPER. The original commit message is “add support for BASH_EXEC_WRAPPER” and the patch applies cleanly to a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b from https://github.com/bminor/bash. To rebuild manually:

git clone https://github.com/bminor/bash
git checkout a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
git apply /path/to/patches/bash-exec-wrapper.patch
./configure --without-bash-malloc
make -j"$(nproc)"

Release workflow

.github/workflows/shell-tool-mcp.yml builds the Rust binaries, compiles the patched Bash variants, assembles the vendor/ tree, and creates codex-shell-tool-mcp-npm-<version>.tgz for inclusion in the Rust GitHub Release. When the version is a stable or alpha tag, the workflow also publishes the tarball to npm using OIDC. The workflow is invoked from rust-release.yml so the package ships alongside other Codex artifacts.