feat: add web-fetch MCP server for Codex engine#30400
Closed
Copilot wants to merge 2 commits into
Closed
Conversation
The smoke-codex test was failing because `web-fetch MCP tool was not exposed` — the model reported no MCP tool named "web-fetch" was available. Root cause: the Codex CLI's native `-c fetch` flag does not expose a discoverable MCP tool by that name. Other engines (Claude, Copilot, Gemini) provide web-fetch as a native built-in, but Codex requires an explicit MCP server. Fix: - Add `web_fetch_server.cjs`: a minimal Node.js MCP stdio server that provides a `fetch` tool for HTTP/HTTPS content retrieval. Runs inside a `node:lts-alpine` Docker container managed by the MCP gateway, with `--network host` so it can reach external URLs. - Extend `collectMCPTools` to accept the engine ID and inject "web-fetch" into `mcpTools` only for the Codex engine. - Add `RenderWebFetchMCP` to `MCPConfigRendererUnified`, generating both the preliminary TOML and gateway JSON configs. - Add `case "web-fetch"` in `RenderJSONMCPConfig` and in the Codex TOML switch in `codex_mcp.go`. - Add `WebFetchMCPServerID` constant. - Add two unit tests: one verifying Codex includes the web-fetch server, one verifying Claude/Copilot do not. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4a89b377-91b0-4c54-9237-4e50fead8e64 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Add bounded redirect counter (MAX_REDIRECTS=5) to prevent infinite loops - Validate redirect target URL is http/https before following (SSRF guard) - Validate input URL protocol before making request - Add response size limit (MAX_RESPONSE_BYTES=10MiB) to prevent memory exhaustion - Extract duplicated serverScript path to package-level constant webFetchServerScript Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4a89b377-91b0-4c54-9237-4e50fead8e64 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot created this pull request from a session on behalf of
pelikhan
May 5, 2026 17:00
View session
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Smoke-codex runs were failing because the model reported "web-fetch MCP tool was not exposed in this session." Unlike Claude/Copilot/Gemini which expose
web-fetchas a native built-in, Codex has no discoverable MCP tool by that name — the-c fetchconfig flag does not surface as a callable MCP tool.Changes
web_fetch_server.cjs— new minimal Node.js MCP stdio server providing afetchtool. Runs in anode:lts-alpinecontainer with--network host. Includes SSRF guards (http/https-only protocol validation, redirect URL validation), a bounded redirect counter (max 5), and a 10 MiB response size cap.mcp_setup_generator.go—collectMCPToolsnow accepts the engine ID; injects"web-fetch"intomcpToolsonly for Codex. Other engines are unaffected.mcp_renderer_builtin.go— addsRenderWebFetchMCP(dispatches to TOML or JSON),renderWebFetchTOML, andrenderWebFetchMCPConfigWithOptions. The generated gateway JSON entry:After the gateway starts the container,
convert_gateway_config_codex.cjsconverts it to an HTTP URL entry in the final Codexconfig.toml.mcp_renderer.go/mcp_renderer_types.go/mcp_rendering.go— addsRenderWebFetchfield toMCPToolRenderersand wires it throughbuildStandardJSONMCPRenderers; nil-safe so non-Codex engines silently skip it.codex_mcp.go— addscase "web-fetch"in the Codex TOML switch.job_constants.go— addsWebFetchMCPServerID = "web-fetch"constant.Tests —
TestCodexWebFetchMCPServerasserts the server appears in compiled Codex output;TestNonCodexEnginesDoNotGetWebFetchMCPServerasserts Claude and Copilot do not include it.