[apps] stop exposing Codex turn context to direct MCP servers#31328
Draft
mstoiber-oai wants to merge 1 commit into
Draft
[apps] stop exposing Codex turn context to direct MCP servers#31328mstoiber-oai wants to merge 1 commit into
mstoiber-oai wants to merge 1 commit into
Conversation
Direct user-configured and plugin MCP servers sit outside the managed connector trust boundary, but Codex currently attaches its raw turn, thread, workspace, plugin, and trace metadata to their tool calls. That leaks host implementation context to arbitrary servers and makes direct egress broader than its intended MCP contract. Introduce a source-derived direct_mcp_v1 profile and enforce it again at the final connection-manager boundary. Direct calls now omit host-generated context and strip reserved OpenAI/Codex metadata supplied through app-server calls while retaining ordinary MCP metadata and sandbox state only when the server negotiated that capability. Compatibility and extension registrations retain host-owned behavior. Hoopa still depends on threadId for its legacy per-thread routing and is registered as an ordinary config server, so temporarily reserve the exact logical name hoopa as host-owned. This is intentional migration debt rather than a trust signal; it can be removed once Hoopa moves to a trusted registration or no longer routes through request metadata. Move authoritative hosted thread metadata behind the profile boundary and remove tests and fixtures that asserted direct servers receive the now-private context.
Contributor
|
I have read the CLA Document and I hereby sign the CLA You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Direct user-configured and plugin MCP servers sit outside the managed connector trust boundary, but Codex currently attaches raw turn, thread, workspace, plugin, and trace context to their tool calls. That exposes host implementation details to arbitrary servers and makes direct egress broader than the intended MCP client contract.
What changed
Temporary Hoopa exemption
Hoopa still uses request metadata threadId to select its thread-scoped tool map, but its remaining GaaS and Skyloom registrations look like ordinary config servers. Until Hoopa moves to a trusted host registration or no longer routes through request metadata, the exact logical server name hoopa retains the host-owned profile.
This is migration debt rather than a trust signal: a user-configured server named hoopa receives the same exception. No other name, origin, or capability bypass is added.
Evidence
A capture server registered normally received only standard progressToken metadata plus the negotiated codex/sandbox-state-meta payload; it received no thread, turn, workspace, plugin, or trace context. Registering the same capture server as hoopa retained threadId and x-codex-turn-metadata. The affected crates compile, focused lint and test coverage is green, and an independent diff review found no remaining actionable issues.