Summary:
Codex CLI 0.125.0-alpha.3 appears to incorrectly cancel MCP tool calls under managed sandbox permission profiles (read-only / workspace-write), returning "user cancelled MCP tool call", while the same MCP server and tool succeed under danger-full-access and via direct JSON-RPC.
Observed behavior:
codex exec -s read-only → MCP tool call starts, then fails with "user cancelled MCP tool call"
codex exec -s workspace-write → same failure
codex exec -s danger-full-access → same MCP tool succeeds
Direct JSON-RPC call to the MCP server → succeeds
Additional evidence:
The same failure also occurs with another MCP server/tool (openaiDeveloperDocs/search_openai_docs), so this does not appear specific to my custom MCP server implementation.
Expected behavior:
A read-only MCP tool should be callable under read-only or workspace-write, or Codex CLI should return a precise permission/sandbox error rather than "user cancelled MCP tool call".
Reproduction command pattern:
codex exec -C --skip-git-repo-check -s read-only "Use <mcp_tool_name> and report the result."
codex exec -C --skip-git-repo-check -s workspace-write "Use <mcp_tool_name> and report the result."
codex exec -C --skip-git-repo-check -s danger-full-access "Use <mcp_tool_name> and report the result."
That issue includes comments from etraut-openai with some useful context and guidance.
If it matches your situation, consider adding a reaction to increase visibility.
If not, it’s worth searching existing issues; if nothing aligns, open a new report with clear reproduction details.