codex-mcp-rs

The server implements robust security measures for an AI agent wrapper. It defaults to safe sandbox policies (read-only) and requires explicit environment variable flags (CODEX_ALLOW_DANGEROUS, CODEX_ALLOW_YOLO, CODEX_ALLOW_SKIP_GIT_CHECK) to enable potentially dangerous modes. It enforces timeouts (MAX_TIMEOUT_SECS) to prevent unbounded execution and performs thorough path validation (working directory, image files) to mitigate file system manipulation risks. Output streaming includes size limits (MAX_AGENT_MESSAGES_SIZE, MAX_ALL_MESSAGES_SIZE, MAX_STDERR_SIZE, MAX_LINE_LENGTH) to prevent Out-Of-Memory attacks from large responses. The npm installation process downloads pre-built binaries from GitHub releases, which is a common and generally trusted distribution method. No 'eval' or obvious hardcoded secrets found. The primary remaining risk would be vulnerabilities within the underlying third-party Codex CLI itself, which this server wraps.