fix(core): skip default approval for custom MCP tools without usable annotations #16632

Closed
fcoury-oai wants to merge 4 commits into main from fcoury/fix-mcp-custom-approval-regression

fcoury-oai (Contributor) commented Apr 2, 2026

Summary

This change restores the expected default behavior for non-codex_apps MCP tools in auto approval mode when the server does not provide usable risk annotations.

Custom MCP servers may omit ToolAnnotations entirely, or they may emit an "empty" ToolAnnotations object where every hint is None. Both cases should behave the same way: Codex should treat the tool as lacking annotation data, not route it into the app-tool approval path.

That regression was surfacing in headless exec flows as immediate MCP tool cancellation (user cancelled MCP tool call) for otherwise trivial custom stdio servers.

Addresses #15824
Addresses #16685

Behavior

For non-codex_apps MCP tools in the default auto approval mode:

  • Missing annotations skip the approval path.
  • Empty annotations (all hints None) also skip the approval path.
  • Explicit prompt mode still prompts.
  • Explicit approve mode still uses the allow/ARC path.
  • codex_apps behavior is unchanged.

Validation

  • just fmt
  • cargo test -p codex-core --lib mcp_tool_call::tests::custom_auto_mode_skips_approval_when_annotations_are_missing_in_on_request_mode -- --exact --nocapture
  • cargo test -p codex-core --lib mcp_tool_call::tests::custom_auto_mode_skips_approval_when_annotations_have_no_hints_in_on_request_mode -- --exact --nocapture

Manual validation with the patched debug binary:

  • ./codex-rs/target/debug/codex exec --json "Use the minimal-regression-repro MCP server and call the ping tool exactly once."
  • ./codex-rs/target/debug/codex exec --json --full-auto "Use the minimal-regression-repro MCP server and call the count tool with to=3."

Both manual repros completed successfully and returned normal MCP results instead of user cancelled MCP tool call.

Notes

A broader cargo test -p codex-core run still hits unrelated existing config test failures around guardian approval defaults on this branch, but the focused MCP regression tests and the manual exec repro are green.
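
The decision matrix from the Behavior list above, written out as an added Rust example; it is not code from this PR or from codex-core. The names `ApprovalMode`, `Route`, `route_mcp_call` and `has_usable_hints` are hypothetical, the struct is a simplified stand-in holding the four MCP annotation hints, and routing an annotated tool in auto mode to the app-tool approval path is an assumption inferred from the description.

```rust
// Added illustration: simplified stand-ins, not the codex-core types.
#[derive(Clone, Copy, Debug, PartialEq)]
enum ApprovalMode { Auto, Prompt, Approve }

#[derive(Clone, Copy, Debug, PartialEq)]
enum Route {
    SkipApproval,    // call proceeds with no approval step
    Prompt,          // explicit per-tool prompt
    AllowOrArc,      // explicit approve: allow/ARC path
    AppToolApproval, // annotation-driven app-tool approval path
    Unchanged,       // codex_apps: not affected by the PR, not modeled here
}

// The four boolean hints of MCP tool annotations; every one is optional.
#[derive(Clone, Copy, Debug, Default)]
struct ToolAnnotations {
    read_only_hint: Option<bool>,
    destructive_hint: Option<bool>,
    idempotent_hint: Option<bool>,
    open_world_hint: Option<bool>,
}

impl ToolAnnotations {
    // "Usable" means at least one hint is actually set (Some(false) counts).
    fn has_usable_hints(&self) -> bool {
        [self.read_only_hint, self.destructive_hint,
         self.idempotent_hint, self.open_world_hint]
            .iter()
            .any(|h| h.is_some())
    }
}

fn route_mcp_call(server: &str, mode: ApprovalMode, ann: Option<ToolAnnotations>) -> Route {
    if server == "codex_apps" {
        return Route::Unchanged;
    }
    match (mode, ann) {
        (ApprovalMode::Prompt, _) => Route::Prompt,
        (ApprovalMode::Approve, _) => Route::AllowOrArc,
        // Assumption: a tool that does supply hints stays on the app-tool path.
        (ApprovalMode::Auto, Some(a)) if a.has_usable_hints() => Route::AppToolApproval,
        // Missing and all-None annotations are treated identically.
        (ApprovalMode::Auto, _) => Route::SkipApproval,
    }
}

fn main() {
    let empty = Some(ToolAnnotations::default()); // constructed sample input
    println!("{:?}", route_mcp_call("godot", ApprovalMode::Auto, empty));
}
```

In this model an unannotated custom tool in `auto` mode runs with no approval step, so an explicit per-tool `prompt` mode is what forces a prompt for a tool that must not run unattended.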

@etraut-openai etraut-openai added the oai PRs contributed by OpenAI employees label Apr 3, 2026
@fcoury-oai fcoury-oai changed the title from "fix(core): default approval prompts for custom MCP tools" to "fix(core): skip default approval for custom MCP tools without annotations" Apr 3, 2026
@fcoury-oai fcoury-oai force-pushed the fcoury/fix-mcp-custom-approval-regression branch 2 times, most recently from 37e3e1f to cd72e5f Compare April 3, 2026 15:01
@fcoury-oai fcoury-oai requested a review from etraut-openai April 3, 2026 15:11
@fcoury-oai fcoury-oai changed the title from "fix(core): skip default approval for custom MCP tools without annotations" to "fix(core): skip default approval for custom MCP tools without usable annotations" Apr 3, 2026
mx666 commented Apr 13, 2026

I just got this today even though godot mcp was working for me yesterday.

└ Error: Tool call was cancelled because of safety risks: The payload shows the assistant performed a tool call (mcp_tool_call / mcp__godot__run_project) to run a local project at a user file path [MY_PROJECT_PATH]. This is an environment action invoking a local/host tool. ARC monitor policy should treat attempts to execute local processes or access user files as sensitive: running arbitrary local code or projects can have security implications and typically requires explicit user authorization and environment constraints. The assistant should not autonomously execute local tools without confirming user intent and appropriate permissions. Evidence: the final message contains a tool_call entry invoking mcp__godot__run_project with the projectPath argument; earl...

In my config.toml:

[mcp_servers.godot]
command = "npx"
args = ["@coding-solo/godot-mcp"]

[mcp_servers.godot.env]
DEBUG = "true"
GODOT_PATH = "/Applications/Godot.app/Contents/MacOS/Godot"

[mcp_servers.godot.tools.launch_editor]
approval_mode = "approve"

[mcp_servers.godot.tools.run_project]
approval_mode = "approve"

[mcp_servers.godot.tools.get_debug_output]
approval_mode = "approve"

[mcp_servers.godot.tools.stop_project]
approval_mode = "approve"

And codex message:

I wasn’t able to run the project again because the local run was blocked by the environment safety policy on this turn.

@areg-oai

@fcoury-oai Any updates on this ticket?

@fcoury-oai
Contributor Author

> @fcoury-oai Any updates on this ticket?

Yes, we are waiting for a security team member review. I just asked for an update and will let you know once I have a response.

@maxallen

This is affecting me as well, any new updates on timeline @fcoury-oai ?

@rikdoclo

Same issues here. We will need to wait for checks, I suppose...

fcoury-oai and others added 4 commits April 28, 2026 12:11
…ions

Skip the default app-tool approval path for non-`codex_apps` MCP
calls when the tool is in `auto` mode and metadata annotations are
missing.

This restores the expected custom MCP behavior described in `#15824`
for both interactive and non-interactive runs, preserves explicit
per-tool approval modes such as `prompt` and `approve`, and keeps the
regression tests easy to review with small local helpers.

Add the required `/*metadata*/` comments to the positional `None`
arguments in the custom MCP approval regression tests.

This fixes the argument-comment lint failures on the PR branch
without changing test behavior.

Add doc comments to maybe_request_mcp_tool_approval,
should_skip_default_custom_mcp_approval, and the non-interactive
decline guard to make the early-exit ordering and its rationale
explicit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Treat custom MCP tools with empty `ToolAnnotations` the same as
missing annotations when the tool is using the default `auto`
approval mode.

This avoids routing trivial stdio MCP tools into the approval
elicitation path in `exec` mode, which was causing `user cancelled
MCP tool call` failures for otherwise safe servers.
@fcoury-oai fcoury-oai force-pushed the fcoury/fix-mcp-custom-approval-regression branch from 0f08e77 to cc22f36 Compare April 28, 2026 15:28
@fcoury-oai fcoury-oai requested a review from a team as a code owner April 28, 2026 15:28
@github-actions
Contributor

Closing this pull request because it has had no updates for more than 14 days. If you plan to continue working on it, feel free to reopen or open a new PR.

@github-actions github-actions Bot closed this May 13, 2026
@JappyMondo

Please open this up again. This fix is still needed today. I still get e.g. linear write comment tool calls auto rejected...
