Skip to content

[apps] stop exposing Codex turn context to direct MCP servers#31328

Draft
mstoiber-oai wants to merge 1 commit into
mainfrom
dev/mstoiber/stop-exposing-direct-mcp-context
Draft

[apps] stop exposing Codex turn context to direct MCP servers#31328
mstoiber-oai wants to merge 1 commit into
mainfrom
dev/mstoiber/stop-exposing-direct-mcp-context

Conversation

@mstoiber-oai

@mstoiber-oai mstoiber-oai commented Jul 7, 2026

Copy link
Copy Markdown

Why

Direct user-configured and plugin MCP servers sit outside the managed connector trust boundary, but Codex currently attaches raw turn, thread, workspace, plugin, and trace context to their tool calls. That exposes host implementation details to arbitrary servers and makes direct egress broader than the intended MCP client contract.

What changed

  • Assign each resolved MCP registration an egress profile from its catalog provenance. Config, discovered-plugin, and selected-plugin registrations use direct_mcp_v1; compatibility and extension registrations remain host-owned.
  • Stop generating Codex turn metadata, thread IDs, plugin attribution, and rollout correlation for direct calls, and apply the same reserved-metadata policy again at the connection-manager boundary.
  • Preserve standard MCP request metadata and explicitly negotiated sandbox state. App-server metadata is sanitized before direct egress so callers cannot reintroduce reserved OpenAI or Codex fields or forge sandbox state.
  • Keep hosted calls unchanged by adding authoritative thread metadata only after the host-owned profile is known.
  • Remove assertions and fixture behavior that required direct servers to receive the private fields being removed.

Temporary Hoopa exemption

Hoopa still uses request metadata threadId to select its thread-scoped tool map, but its remaining GaaS and Skyloom registrations look like ordinary config servers. Until Hoopa moves to a trusted host registration or no longer routes through request metadata, the exact logical server name hoopa retains the host-owned profile.

This is migration debt rather than a trust signal: a user-configured server named hoopa receives the same exception. No other name, origin, or capability bypass is added.

Evidence

A capture server registered normally received only standard progressToken metadata plus the negotiated codex/sandbox-state-meta payload; it received no thread, turn, workspace, plugin, or trace context. Registering the same capture server as hoopa retained threadId and x-codex-turn-metadata. The affected crates compile, focused lint and test coverage is green, and an independent diff review found no remaining actionable issues.

Direct user-configured and plugin MCP servers sit outside the managed connector trust boundary, but Codex currently attaches its raw turn, thread, workspace, plugin, and trace metadata to their tool calls. That leaks host implementation context to arbitrary servers and makes direct egress broader than its intended MCP contract.

Introduce a source-derived direct_mcp_v1 profile and enforce it again at the final connection-manager boundary. Direct calls now omit host-generated context and strip reserved OpenAI/Codex metadata supplied through app-server calls while retaining ordinary MCP metadata and sandbox state only when the server negotiated that capability. Compatibility and extension registrations retain host-owned behavior.

Hoopa still depends on threadId for its legacy per-thread routing and is registered as an ordinary config server, so temporarily reserve the exact logical name hoopa as host-owned. This is intentional migration debt rather than a trust signal; it can be removed once Hoopa moves to a trusted registration or no longer routes through request metadata.

Move authoritative hosted thread metadata behind the profile boundary and remove tests and fixtures that asserted direct servers receive the now-private context.
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant