feat: Restrict to workdir by lyonsno · Pull Request #14 · agynio/codex-tools-mcp

lyonsno · 2026-03-04T19:18:38Z

Summary

This PR hardens --restrict-to-workdir path validation for apply_patch and codifies the intended safety contract with integration tests.

The key policy is:

Add / Update / Move to must not escape the configured workdir (including symlink traversal).
Delete is validated as a directory-entry operation, so deleting an in-tree symlink entry is allowed (including broken symlinks), even if the symlink target points outside workdir.

Added a new CLI flag wiring for restriction mode handling through server config.
Added path-kind-aware validation for patch operations (WriteLike vs Delete).
Enforced symlink-aware containment checks for write-like operations.
Allowed terminal symlink deletion in delete mode while preserving containment checks on parent traversal.
Expanded integration test coverage for restriction behavior and symlink edge cases.

Allows in-tree patch paths under restriction.
Blocks .. parent directory escapes.
Blocks Add through outside-pointing symlinks.
Blocks Update through outside-pointing symlinks.
Blocks Move to destinations through outside-pointing symlinks.
Allows deleting broken in-tree symlinks.
Allows deleting non-broken in-tree symlink entries without mutating outside targets.

Ran:

Result:

lyonsno added 2 commits March 4, 2026 13:09

feat: add --workdir flag for deterministic relative patch paths

c3f9616

feat: harden --restrict-to-workdir path validation

ce4fdb7

lyonsno changed the title ~~Pr restrict to workdir contract~~ feat: Restrict to workdir Mar 4, 2026