codex-workspace-codegraph-mcp 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +10 -0
- package/LICENSE +17 -0
- package/README.en.md +42 -0
- package/README.md +439 -0
- package/SECURITY.md +38 -0
- package/THIRD_PARTY_NOTICES.md +37 -0
- package/VALIDATION.md +51 -0
- package/bin/codex-workspace-mcp.js +16 -0
- package/bin/start-tunnel.js +7 -0
- package/docs/ARCHITECTURE.md +70 -0
- package/package.json +52 -0
- package/scripts/start.ps1 +2 -0
- package/scripts/start.sh +3 -0
- package/src/codegraph.js +236 -0
- package/src/config.js +35 -0
- package/src/exec.js +119 -0
- package/src/feedback.js +272 -0
- package/src/main.js +49 -0
- package/src/mcp.js +102 -0
- package/src/patch.js +240 -0
- package/src/plan.js +29 -0
- package/src/process.js +65 -0
- package/src/prompt.js +30 -0
- package/src/tools.js +296 -0
- package/src/transports.js +177 -0
- package/src/tunnel.js +232 -0
- package/src/utils.js +157 -0
- package/src/workspace.js +297 -0
package/AGENTS.md
ADDED
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
# Agent Instructions
|
|
2
|
+
|
|
3
|
+
- 修改代码前调用 `workspace_instructions`,并遵守从仓库根目录到当前目录逐层加载的 `AGENTS.md` 或 `AGENTS.override.md`。
|
|
4
|
+
- 复杂任务使用 `update_plan`;未完成时必须且只能有一个 `in_progress` 步骤。
|
|
5
|
+
- 文件修改优先使用 `apply_patch`,其次使用 `edit_file`;不要通过输出补丁文本假装已经修改文件。
|
|
6
|
+
- 大型代码库的架构、调用链和影响分析优先使用 `codegraph_explore`。
|
|
7
|
+
- 不得越过配置的工作区目录。不得未经批准运行破坏性命令。
|
|
8
|
+
- 修改后执行针对性验证,并基于真实输出报告结果。
|
|
9
|
+
- `interactive_feedback.timeout` 必须设置为 `172800`。
|
|
10
|
+
- 每次回答结束前都要调用 interactive_feedback 与用户进行交流 这是你与用户之间的唯一沟通渠道。
|
package/LICENSE
ADDED
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
Apache License
|
|
2
|
+
Version 2.0, January 2004
|
|
3
|
+
http://www.apache.org/licenses/
|
|
4
|
+
|
|
5
|
+
Copyright 2026 Codex Workspace CodeGraph MCP contributors
|
|
6
|
+
|
|
7
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
|
8
|
+
you may not use this file except in compliance with the License.
|
|
9
|
+
You may obtain a copy of the License at
|
|
10
|
+
|
|
11
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
|
12
|
+
|
|
13
|
+
Unless required by applicable law or agreed to in writing, software
|
|
14
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
|
15
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
16
|
+
See the License for the specific language governing permissions and
|
|
17
|
+
limitations under the License.
|
package/README.en.md
ADDED
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
# Codex Workspace CodeGraph MCP
|
|
2
|
+
|
|
3
|
+
A local coding-workspace MCP that requires no Codex process, OpenAI API, account, subscription, sign-in, or API key.
|
|
4
|
+
|
|
5
|
+
It independently implements Codex-inspired workspace tools: hierarchical `AGENTS.md` discovery, file reads, search, atomic writes, exact edits, Codex-style `apply_patch`, command execution, Git inspection, plans, workspace confinement, and risk approvals. It also proxies CodeGraph MCP tools and provides a Simplified Chinese interactive-feedback Web UI with a fixed 48-hour timeout.
|
|
6
|
+
|
|
7
|
+
## Run as stdio MCP
|
|
8
|
+
|
|
9
|
+
```bash
|
|
10
|
+
npx -y codex-workspace-codegraph-mcp@latest --workspace /absolute/path/to/repository
|
|
11
|
+
```
|
|
12
|
+
|
|
13
|
+
## One-command MCP + WebUI + Cloudflare Quick Tunnels
|
|
14
|
+
|
|
15
|
+
```bash
|
|
16
|
+
cd /path/to/repository
|
|
17
|
+
npx -y codex-workspace-codegraph-mcp@latest tunnel --workspace .
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
The launcher starts local MCP and WebUI services, locates or downloads the official `cloudflared` binary, creates two Quick Tunnels, and prints both public URLs. Press Ctrl+C to stop all child processes.
|
|
21
|
+
|
|
22
|
+
Quick Tunnels are for development/testing, have no SLA, and do not support SSE. The remote MCP endpoint therefore uses JSON-RPC POST without SSE. Treat tokenized URLs as passwords.
|
|
23
|
+
|
|
24
|
+
## Feedback rule
|
|
25
|
+
|
|
26
|
+
The server injects this rule into MCP instructions, a prompt, a resource, the feedback tool description, and `AGENTS.md`:
|
|
27
|
+
|
|
28
|
+
> 每次回答结束前都要调用 interactive_feedback 与用户进行交流 这是你与用户之间的唯一沟通渠道
|
|
29
|
+
|
|
30
|
+
`interactive_feedback.timeout` must equal `172800` seconds.
|
|
31
|
+
|
|
32
|
+
## CodeGraph
|
|
33
|
+
|
|
34
|
+
Initialize the target repository once:
|
|
35
|
+
|
|
36
|
+
```bash
|
|
37
|
+
npx -y @colbymchenry/codegraph init .
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
CodeGraph tools are discovered dynamically from `codegraph serve --mcp`.
|
|
41
|
+
|
|
42
|
+
See `README.md` for the complete Chinese documentation, security model, tool catalog, environment variables, publishing steps, and validation results.
|
package/README.md
ADDED
|
@@ -0,0 +1,439 @@
|
|
|
1
|
+
# Codex Workspace CodeGraph MCP
|
|
2
|
+
|
|
3
|
+
这是一个**不调用 Codex、不调用 OpenAI API、不需要账号、订阅、登录或 API Key** 的本地代码操作 MCP。
|
|
4
|
+
|
|
5
|
+
项目参考 OpenAI Codex 开源仓库的代码工作流设计,自行实现文件读取、文本检索、补丁编辑、命令执行、Git 检查、计划管理、`AGENTS.md` 分层指令和安全审批;同时整合 CodeGraph 的大型代码库检索能力,以及简体中文 Interactive Feedback Web UI。
|
|
6
|
+
|
|
7
|
+
## 功能组成
|
|
8
|
+
|
|
9
|
+
### 1. Codex 风格本地代码工具
|
|
10
|
+
|
|
11
|
+
本项目没有启动或代理 `codex` 进程。以下功能由本项目独立实现:
|
|
12
|
+
|
|
13
|
+
- 工作区边界和符号链接逃逸检查。
|
|
14
|
+
- `AGENTS.md` / `AGENTS.override.md` 分层发现。
|
|
15
|
+
- 文件读取、批量读取、目录列举、元数据查询。
|
|
16
|
+
- 文件名查找和文本搜索;优先使用 `rg`,缺失时自动回退。
|
|
17
|
+
- 原子文件写入和精确文本替换。
|
|
18
|
+
- Codex 风格 `*** Begin Patch` / `*** End Patch` 补丁语法。
|
|
19
|
+
- 新增、删除、更新和移动文件的事务式补丁应用。
|
|
20
|
+
- 前台命令执行、超时、输出截断和风险分类。
|
|
21
|
+
- Git status、diff、log 和 show。
|
|
22
|
+
- Codex 风格 `update_plan` 状态约束。
|
|
23
|
+
- 只读、工作区写入和高风险审批策略。
|
|
24
|
+
|
|
25
|
+
Codex 仓库仅作为以下设计参考:`apply_patch` 文件操作格式、复杂任务计划、优先使用快速检索工具、逐层加载项目指令,以及对破坏性操作进行限制。没有复制 Codex 的模型、认证、会话或代理实现。
|
|
26
|
+
|
|
27
|
+
### 2. 简体中文 Interactive Feedback
|
|
28
|
+
|
|
29
|
+
内置独立实现的简体中文 Web UI:
|
|
30
|
+
|
|
31
|
+
- 用户文字反馈。
|
|
32
|
+
- 最多四张 PNG、JPEG、WebP 或 GIF 图片附件。
|
|
33
|
+
- 用户主动运行模型预设的验证命令并查看 stdout/stderr。
|
|
34
|
+
- 危险命令、删除和覆盖操作审批。
|
|
35
|
+
- 会话轮询、过期时间和状态显示。
|
|
36
|
+
- 固定 48 小时超时:`172800` 秒。
|
|
37
|
+
|
|
38
|
+
MCP 初始化指令、Prompt、Resource、工具描述和 `AGENTS.md` 中均包含:
|
|
39
|
+
|
|
40
|
+
> 每次回答结束前都要调用 interactive_feedback 与用户进行交流 这是你与用户之间的唯一沟通渠道
|
|
41
|
+
|
|
42
|
+
实际 MCP 工具名为 `interactive_feedback`。其输入 schema 强制:
|
|
43
|
+
|
|
44
|
+
```json
|
|
45
|
+
{
|
|
46
|
+
"timeout": 172800
|
|
47
|
+
}
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
MCP 服务端无法获知模型何时“准备输出最终回答”,因此无法从协议层强制拦截最终回答;能否每次严格调用仍取决于 MCP 客户端和模型是否遵循服务端指令。
|
|
51
|
+
|
|
52
|
+
### 3. CodeGraph 大型代码库检索
|
|
53
|
+
|
|
54
|
+
项目依赖 `@colbymchenry/codegraph`,在目标工作区内启动:
|
|
55
|
+
|
|
56
|
+
```bash
|
|
57
|
+
codegraph serve --mcp
|
|
58
|
+
```
|
|
59
|
+
|
|
60
|
+
CodeGraph 返回的工具通过 stdio JSON-RPC 动态代理,不在本项目中硬编码。默认请求暴露:
|
|
61
|
+
|
|
62
|
+
```text
|
|
63
|
+
explore,node,search,callers,callees,impact,files,status
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
另外提供:
|
|
67
|
+
|
|
68
|
+
- `codegraph_project_init`
|
|
69
|
+
- `codegraph_project_sync`
|
|
70
|
+
- `codegraph_project_status`
|
|
71
|
+
|
|
72
|
+
CodeGraph 在本地解析和索引代码,不需要 OpenAI 或其他模型 API。
|
|
73
|
+
|
|
74
|
+
## 运行要求
|
|
75
|
+
|
|
76
|
+
- Node.js 22.5 或更高版本。
|
|
77
|
+
- 用于 CodeGraph 安装和首次运行的 npm 网络访问。
|
|
78
|
+
- 使用公网隧道时需要网络访问 Cloudflare。
|
|
79
|
+
- 不需要 Codex、ChatGPT、OpenAI API、账号或订阅。
|
|
80
|
+
|
|
81
|
+
## 方式一:作为 stdio MCP 直接使用
|
|
82
|
+
|
|
83
|
+
发布 npm 后,在目标代码库目录运行:
|
|
84
|
+
|
|
85
|
+
```bash
|
|
86
|
+
npx -y codex-workspace-codegraph-mcp@latest
|
|
87
|
+
```
|
|
88
|
+
|
|
89
|
+
或显式指定工作区:
|
|
90
|
+
|
|
91
|
+
```bash
|
|
92
|
+
npx -y codex-workspace-codegraph-mcp@latest --workspace /absolute/path/to/repository
|
|
93
|
+
```
|
|
94
|
+
|
|
95
|
+
通用 MCP 客户端配置:
|
|
96
|
+
|
|
97
|
+
```json
|
|
98
|
+
{
|
|
99
|
+
"mcpServers": {
|
|
100
|
+
"codex-workspace": {
|
|
101
|
+
"command": "npx",
|
|
102
|
+
"args": [
|
|
103
|
+
"-y",
|
|
104
|
+
"codex-workspace-codegraph-mcp@latest",
|
|
105
|
+
"--workspace",
|
|
106
|
+
"/absolute/path/to/repository"
|
|
107
|
+
],
|
|
108
|
+
"env": {
|
|
109
|
+
"CWMCP_SANDBOX": "workspace-write",
|
|
110
|
+
"CWMCP_APPROVAL_POLICY": "on-request",
|
|
111
|
+
"CODEGRAPH_MCP_TOOLS": "explore,node,search,callers,callees,impact,files,status"
|
|
112
|
+
}
|
|
113
|
+
}
|
|
114
|
+
}
|
|
115
|
+
}
|
|
116
|
+
```
|
|
117
|
+
|
|
118
|
+
stdio 模式的 MCP JSON-RPC 写入 stdout,运行日志和反馈 URL 仅写入 stderr。
|
|
119
|
+
|
|
120
|
+
## 方式二:一键启动 MCP、WebUI 和两个 Cloudflare Tunnel
|
|
121
|
+
|
|
122
|
+
在需要操作的代码库目录执行:
|
|
123
|
+
|
|
124
|
+
```bash
|
|
125
|
+
npx -y codex-workspace-codegraph-mcp@latest tunnel --workspace .
|
|
126
|
+
```
|
|
127
|
+
|
|
128
|
+
本地源码运行:
|
|
129
|
+
|
|
130
|
+
```bash
|
|
131
|
+
npm install
|
|
132
|
+
npm run tunnel -- --workspace .
|
|
133
|
+
```
|
|
134
|
+
|
|
135
|
+
也可以直接运行脚本:
|
|
136
|
+
|
|
137
|
+
```bash
|
|
138
|
+
./scripts/start.sh --workspace .
|
|
139
|
+
```
|
|
140
|
+
|
|
141
|
+
Windows PowerShell:
|
|
142
|
+
|
|
143
|
+
```powershell
|
|
144
|
+
.\scripts\start.ps1 --workspace .
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
启动器会:
|
|
148
|
+
|
|
149
|
+
1. 生成随机访问令牌。
|
|
150
|
+
2. 启动 `127.0.0.1:8765` 的 HTTP MCP。
|
|
151
|
+
3. 启动 `127.0.0.1:8766` 的反馈 WebUI。
|
|
152
|
+
4. 检查 `cloudflared`;缺失时从 Cloudflare 官方 GitHub Release 自动下载到 `~/.codex-workspace-mcp/bin/`。
|
|
153
|
+
5. 分别为 MCP 和 WebUI 启动 TryCloudflare Quick Tunnel。
|
|
154
|
+
6. 在控制台输出本地和公网 URL。
|
|
155
|
+
7. 按 `Ctrl+C` 时停止 MCP、WebUI 和两个 tunnel。
|
|
156
|
+
|
|
157
|
+
示例输出:
|
|
158
|
+
|
|
159
|
+
```text
|
|
160
|
+
MCP 本地 URL: http://127.0.0.1:8765/mcp/<token>
|
|
161
|
+
WebUI 本地 URL: http://127.0.0.1:8766/?token=<token>
|
|
162
|
+
|
|
163
|
+
MCP 公网 URL: https://example-a.trycloudflare.com/mcp/<token>
|
|
164
|
+
WebUI 公网 URL: https://example-b.trycloudflare.com/?token=<token>
|
|
165
|
+
```
|
|
166
|
+
|
|
167
|
+
端口可修改:
|
|
168
|
+
|
|
169
|
+
```bash
|
|
170
|
+
npx -y codex-workspace-codegraph-mcp@latest tunnel \
|
|
171
|
+
--workspace . \
|
|
172
|
+
--mcp-port 9001 \
|
|
173
|
+
--web-port 9002
|
|
174
|
+
```
|
|
175
|
+
|
|
176
|
+
已有 `cloudflared` 时可以显式指定:
|
|
177
|
+
|
|
178
|
+
```bash
|
|
179
|
+
npx -y codex-workspace-codegraph-mcp@latest tunnel \
|
|
180
|
+
--cloudflared /usr/local/bin/cloudflared
|
|
181
|
+
```
|
|
182
|
+
|
|
183
|
+
禁止自动下载:
|
|
184
|
+
|
|
185
|
+
```bash
|
|
186
|
+
npx -y codex-workspace-codegraph-mcp@latest tunnel --no-download
|
|
187
|
+
```
|
|
188
|
+
|
|
189
|
+
启动器会使用一个临时空配置文件,避免用户目录中的 `~/.cloudflared/config.yaml` 干扰 Quick Tunnel。
|
|
190
|
+
|
|
191
|
+
### Quick Tunnel 限制
|
|
192
|
+
|
|
193
|
+
Cloudflare 官方将 Quick Tunnel 定位为测试和开发用途,不提供 SLA,并且当前不支持 Server-Sent Events。远程 MCP 因此使用无 SSE 的 JSON-RPC HTTP POST。需要 SSE、稳定域名、访问控制或生产可靠性时,应创建正式 Cloudflare Tunnel,并分别把域名路由到 MCP 与 WebUI 本地端口。
|
|
194
|
+
|
|
195
|
+
远程 MCP 地址和 WebUI 地址中包含同一个随机访问令牌。URL 等同于密码,不应发布到日志、Issue、截图或公共聊天。
|
|
196
|
+
|
|
197
|
+
## HTTP MCP
|
|
198
|
+
|
|
199
|
+
不启动 Cloudflare 时,可以直接运行本地 HTTP MCP:
|
|
200
|
+
|
|
201
|
+
```bash
|
|
202
|
+
npx -y codex-workspace-codegraph-mcp@latest \
|
|
203
|
+
--transport http \
|
|
204
|
+
--workspace . \
|
|
205
|
+
--mcp-port 8765 \
|
|
206
|
+
--web-port 8766
|
|
207
|
+
```
|
|
208
|
+
|
|
209
|
+
控制台会输出:
|
|
210
|
+
|
|
211
|
+
```text
|
|
212
|
+
http://127.0.0.1:8765/mcp/<token>
|
|
213
|
+
```
|
|
214
|
+
|
|
215
|
+
HTTP 端点接受 JSON-RPC 2.0 POST。也可使用:
|
|
216
|
+
|
|
217
|
+
```http
|
|
218
|
+
Authorization: Bearer <token>
|
|
219
|
+
```
|
|
220
|
+
|
|
221
|
+
健康检查:
|
|
222
|
+
|
|
223
|
+
```text
|
|
224
|
+
GET /health
|
|
225
|
+
```
|
|
226
|
+
|
|
227
|
+
## 首次建立 CodeGraph 索引
|
|
228
|
+
|
|
229
|
+
在目标仓库目录执行:
|
|
230
|
+
|
|
231
|
+
```bash
|
|
232
|
+
npx -y @colbymchenry/codegraph init .
|
|
233
|
+
```
|
|
234
|
+
|
|
235
|
+
或者让模型调用:
|
|
236
|
+
|
|
237
|
+
```text
|
|
238
|
+
codegraph_project_init { "path": "." }
|
|
239
|
+
```
|
|
240
|
+
|
|
241
|
+
之后大型代码库问题优先调用 `codegraph_explore`。索引需要手动同步时调用:
|
|
242
|
+
|
|
243
|
+
```text
|
|
244
|
+
codegraph_project_sync { "path": "." }
|
|
245
|
+
```
|
|
246
|
+
|
|
247
|
+
## 基础工具清单
|
|
248
|
+
|
|
249
|
+
### 工作区和读取
|
|
250
|
+
|
|
251
|
+
- `workspace_info`
|
|
252
|
+
- `workspace_instructions`
|
|
253
|
+
- `read_file`
|
|
254
|
+
- `read_many_files`
|
|
255
|
+
- `list_directory`
|
|
256
|
+
- `file_metadata`
|
|
257
|
+
- `find_files`
|
|
258
|
+
- `search_text`
|
|
259
|
+
|
|
260
|
+
### 编辑
|
|
261
|
+
|
|
262
|
+
- `write_file`
|
|
263
|
+
- `edit_file`
|
|
264
|
+
- `apply_patch`
|
|
265
|
+
- `create_directory`
|
|
266
|
+
- `move_path`
|
|
267
|
+
- `delete_path`
|
|
268
|
+
|
|
269
|
+
### 命令、Git 和计划
|
|
270
|
+
|
|
271
|
+
- `exec_command`
|
|
272
|
+
- `git_status`
|
|
273
|
+
- `git_diff`
|
|
274
|
+
- `git_log`
|
|
275
|
+
- `git_show`
|
|
276
|
+
- `update_plan`
|
|
277
|
+
- `get_plan`
|
|
278
|
+
|
|
279
|
+
### 反馈和集成
|
|
280
|
+
|
|
281
|
+
- `interactive_feedback`
|
|
282
|
+
- `integration_status`
|
|
283
|
+
- `codegraph_project_init`
|
|
284
|
+
- `codegraph_project_sync`
|
|
285
|
+
- `codegraph_project_status`
|
|
286
|
+
- CodeGraph 动态返回的全部工具
|
|
287
|
+
|
|
288
|
+
## `apply_patch` 示例
|
|
289
|
+
|
|
290
|
+
```text
|
|
291
|
+
*** Begin Patch
|
|
292
|
+
*** Update File: src/example.js
|
|
293
|
+
@@
|
|
294
|
+
-export function value() {
|
|
295
|
+
- return 1;
|
|
296
|
+
-}
|
|
297
|
+
+export function value() {
|
|
298
|
+
+ return 2;
|
|
299
|
+
+}
|
|
300
|
+
*** Add File: test/example.test.js
|
|
301
|
+
+import test from 'node:test';
|
|
302
|
+
+// ...
|
|
303
|
+
*** End Patch
|
|
304
|
+
```
|
|
305
|
+
|
|
306
|
+
支持:
|
|
307
|
+
|
|
308
|
+
```text
|
|
309
|
+
*** Add File: path
|
|
310
|
+
*** Delete File: path
|
|
311
|
+
*** Update File: path
|
|
312
|
+
*** Move to: new-path
|
|
313
|
+
@@ optional context label
|
|
314
|
+
context
|
|
315
|
+
-old
|
|
316
|
+
+new
|
|
317
|
+
```
|
|
318
|
+
|
|
319
|
+
所有路径必须相对工作区。补丁在写入前会先解析并验证;写入失败时尝试恢复原始文件。
|
|
320
|
+
|
|
321
|
+
## 沙箱和审批
|
|
322
|
+
|
|
323
|
+
默认值:
|
|
324
|
+
|
|
325
|
+
```text
|
|
326
|
+
CWMCP_SANDBOX=workspace-write
|
|
327
|
+
CWMCP_APPROVAL_POLICY=on-request
|
|
328
|
+
```
|
|
329
|
+
|
|
330
|
+
`CWMCP_SANDBOX`:
|
|
331
|
+
|
|
332
|
+
- `read-only`:拒绝文件写入和可能修改状态的命令。
|
|
333
|
+
- `workspace-write`:允许工作区内文件操作;这是默认值。
|
|
334
|
+
|
|
335
|
+
`CWMCP_APPROVAL_POLICY`:
|
|
336
|
+
|
|
337
|
+
- `on-request`:仅高风险命令、删除和覆盖操作通过 WebUI 审批。
|
|
338
|
+
- `untrusted`:除明显只读命令外均审批。
|
|
339
|
+
- `always`:所有 `exec_command` 均审批。
|
|
340
|
+
- `never`:无法通过 WebUI 批准高风险操作,直接拒绝。
|
|
341
|
+
|
|
342
|
+
路径校验同时检查词法路径和真实路径,防止 `../` 与工作区内符号链接指向外部目录。
|
|
343
|
+
|
|
344
|
+
## 环境变量
|
|
345
|
+
|
|
346
|
+
| 变量 | 默认值 | 说明 |
|
|
347
|
+
|---|---:|---|
|
|
348
|
+
| `CWMCP_WORKSPACE` | 当前目录 | 允许访问的工作区根目录 |
|
|
349
|
+
| `CWMCP_TRANSPORT` | `stdio` | `stdio` 或 `http` |
|
|
350
|
+
| `CWMCP_HOST` | `127.0.0.1` | MCP HTTP 监听地址 |
|
|
351
|
+
| `CWMCP_MCP_PORT` | `8765` | MCP HTTP 端口 |
|
|
352
|
+
| `CWMCP_WEB_HOST` | `127.0.0.1` | WebUI 监听地址 |
|
|
353
|
+
| `CWMCP_WEB_PORT` | `8766` | WebUI 端口 |
|
|
354
|
+
| `CWMCP_ACCESS_TOKEN` | 随机值 | HTTP MCP 和 WebUI 访问令牌 |
|
|
355
|
+
| `CWMCP_ALLOWED_ORIGINS` | 空 | 额外允许的浏览器 Origin,逗号分隔;默认仅接受同源和本机 Origin |
|
|
356
|
+
| `CWMCP_SANDBOX` | `workspace-write` | 沙箱模式 |
|
|
357
|
+
| `CWMCP_APPROVAL_POLICY` | `on-request` | 审批策略 |
|
|
358
|
+
| `CWMCP_COMMAND_TIMEOUT_MS` | `120000` | 普通命令超时 |
|
|
359
|
+
| `CWMCP_MAX_OUTPUT_BYTES` | `1048576` | stdout/stderr 输出上限 |
|
|
360
|
+
| `CWMCP_MAX_READ_BYTES` | `2097152` | 单文件读取上限 |
|
|
361
|
+
| `CWMCP_DISABLE_CODEGRAPH` | `0` | 设为 `1` 禁用 CodeGraph |
|
|
362
|
+
| `CWMCP_CODEGRAPH_COMMAND` | `codegraph` | CodeGraph 可执行文件 |
|
|
363
|
+
| `CODEGRAPH_MCP_TOOLS` | 完整列表 | CodeGraph MCP 工具列表 |
|
|
364
|
+
| `CWMCP_CLOUDFLARED` | 自动查找 | cloudflared 可执行文件 |
|
|
365
|
+
| `CWMCP_TUNNEL_VERBOSE` | `0` | 设为 `1` 输出子进程详细日志 |
|
|
366
|
+
|
|
367
|
+
## 本地开发和验证
|
|
368
|
+
|
|
369
|
+
```bash
|
|
370
|
+
npm install
|
|
371
|
+
npm run verify
|
|
372
|
+
```
|
|
373
|
+
|
|
374
|
+
验证包括:
|
|
375
|
+
|
|
376
|
+
- 所有 JavaScript 文件语法检查。
|
|
377
|
+
- 工作区路径穿越和符号链接逃逸测试。
|
|
378
|
+
- `AGENTS.md` 分层加载测试。
|
|
379
|
+
- Codex 风格补丁解析、写入和失败保护测试。
|
|
380
|
+
- MCP 初始化、工具列表和固定 48 小时反馈 schema。
|
|
381
|
+
- CodeGraph stdio 工具动态代理。
|
|
382
|
+
- HTTP MCP 令牌认证、Origin 校验和 MCP 协议版本校验。
|
|
383
|
+
- 一键启动器同时输出两个 tunnel URL。
|
|
384
|
+
- stdio MCP 烟雾测试。
|
|
385
|
+
|
|
386
|
+
## 上传 GitHub
|
|
387
|
+
|
|
388
|
+
```bash
|
|
389
|
+
git init
|
|
390
|
+
git add .
|
|
391
|
+
git commit -m "Initial release"
|
|
392
|
+
git branch -M main
|
|
393
|
+
git remote add origin https://github.com/YOUR_GITHUB_USERNAME/codex-workspace-codegraph-mcp.git
|
|
394
|
+
git push -u origin main
|
|
395
|
+
```
|
|
396
|
+
|
|
397
|
+
先修改 `package.json` 中的 `repository.url`。
|
|
398
|
+
|
|
399
|
+
## 发布 npm
|
|
400
|
+
|
|
401
|
+
检查包名:
|
|
402
|
+
|
|
403
|
+
```bash
|
|
404
|
+
npm view codex-workspace-codegraph-mcp
|
|
405
|
+
```
|
|
406
|
+
|
|
407
|
+
若名称被占用,改为作用域包:
|
|
408
|
+
|
|
409
|
+
```json
|
|
410
|
+
{
|
|
411
|
+
"name": "@YOUR_NPM_USERNAME/codex-workspace-codegraph-mcp"
|
|
412
|
+
}
|
|
413
|
+
```
|
|
414
|
+
|
|
415
|
+
发布:
|
|
416
|
+
|
|
417
|
+
```bash
|
|
418
|
+
npm login
|
|
419
|
+
npm run verify
|
|
420
|
+
npm publish --access public
|
|
421
|
+
```
|
|
422
|
+
|
|
423
|
+
发布后:
|
|
424
|
+
|
|
425
|
+
```bash
|
|
426
|
+
npx -y codex-workspace-codegraph-mcp@latest --workspace .
|
|
427
|
+
npx -y codex-workspace-codegraph-mcp@latest tunnel --workspace .
|
|
428
|
+
```
|
|
429
|
+
|
|
430
|
+
使用作用域包时替换包名即可。
|
|
431
|
+
|
|
432
|
+
## 上游参考
|
|
433
|
+
|
|
434
|
+
- OpenAI Codex:Apache-2.0。用于研究代码代理工作流、补丁语法和项目指令发现。
|
|
435
|
+
- MCP Feedback Enhanced:MIT。用于研究反馈工作流需求;本项目的 WebUI 和服务端为独立实现。
|
|
436
|
+
- CodeGraph:MIT。作为 npm 运行时依赖和 MCP 子服务使用。
|
|
437
|
+
- Cloudflared:由 Cloudflare 发布;仅在用户运行 tunnel 子命令时查找或下载。
|
|
438
|
+
|
|
439
|
+
详见 `THIRD_PARTY_NOTICES.md`、`SECURITY.md` 和 `docs/ARCHITECTURE.md`。
|
package/SECURITY.md
ADDED
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
## Trust boundary
|
|
4
|
+
|
|
5
|
+
This server can read and modify files and execute processes within the configured workspace. Only connect it to MCP clients and models you trust.
|
|
6
|
+
|
|
7
|
+
## Workspace confinement
|
|
8
|
+
|
|
9
|
+
Paths are checked lexically and through `realpath`. `..` traversal and symlinks resolving outside the workspace are rejected. This reduces accidental escape but is not a substitute for an OS container or dedicated user account.
|
|
10
|
+
|
|
11
|
+
## Command execution
|
|
12
|
+
|
|
13
|
+
`exec_command` is intentionally powerful. High-risk patterns are routed to the Interactive Feedback UI according to the approval policy. Pattern matching cannot classify every dangerous command. For untrusted models, use:
|
|
14
|
+
|
|
15
|
+
```text
|
|
16
|
+
CWMCP_SANDBOX=read-only
|
|
17
|
+
CWMCP_APPROVAL_POLICY=untrusted
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
For stronger isolation, run the package in a container or VM with only the target repository mounted.
|
|
21
|
+
|
|
22
|
+
## Public tunnel
|
|
23
|
+
|
|
24
|
+
Quick Tunnel URLs are public and contain bearer-like access tokens. Anyone possessing an MCP URL can invoke tools against the configured workspace; anyone possessing the WebUI URL can submit feedback or approvals. Do not share these URLs publicly.
|
|
25
|
+
|
|
26
|
+
Quick Tunnels are intended for development/testing and do not provide production access control. For production, use a named Cloudflare Tunnel with Cloudflare Access or another authenticated reverse proxy.
|
|
27
|
+
|
|
28
|
+
## Feedback attachments
|
|
29
|
+
|
|
30
|
+
Image attachments are limited by type, count, and size. They are stored under `~/.codex-workspace-mcp/feedback/` with restrictive file permissions where supported. Remove this directory when retained attachments are no longer needed.
|
|
31
|
+
|
|
32
|
+
## Reporting
|
|
33
|
+
|
|
34
|
+
Report vulnerabilities privately through the GitHub repository security advisory feature after updating `package.json.repository.url`.
|
|
35
|
+
|
|
36
|
+
## HTTP Origin validation
|
|
37
|
+
|
|
38
|
+
The HTTP MCP validates the `Origin` header against the request host, local loopback origins, and the optional comma-separated `CWMCP_ALLOWED_ORIGINS` allowlist. It rejects untrusted origins with HTTP 403 to reduce DNS rebinding risk. Do not set the allowlist to `*` on an exposed server.
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
# Third-Party Notices
|
|
2
|
+
|
|
3
|
+
## OpenAI Codex
|
|
4
|
+
|
|
5
|
+
Repository: https://github.com/openai/codex
|
|
6
|
+
|
|
7
|
+
License: Apache License 2.0.
|
|
8
|
+
|
|
9
|
+
This project studies and independently reimplements selected workflow concepts: hierarchical `AGENTS.md` instructions, plan-state discipline, coding tool guidance, workspace safety concepts, and the high-level `*** Begin Patch` file-operation format. It does not bundle or execute Codex and does not use Codex authentication, model APIs, binaries, or session code.
|
|
10
|
+
|
|
11
|
+
## MCP Feedback Enhanced
|
|
12
|
+
|
|
13
|
+
Repository: https://github.com/Minidoracat/mcp-feedback-enhanced
|
|
14
|
+
|
|
15
|
+
License: MIT.
|
|
16
|
+
|
|
17
|
+
This project uses the upstream product as a requirements and interaction reference. The Simplified Chinese HTTP server, UI, polling, image handling, validation execution, session state, and approval integration in this package are independently implemented and do not bundle upstream Python, Qt, Tauri, or Web UI assets.
|
|
18
|
+
|
|
19
|
+
## CodeGraph
|
|
20
|
+
|
|
21
|
+
Repository: https://github.com/colbymchenry/codegraph
|
|
22
|
+
|
|
23
|
+
License: MIT.
|
|
24
|
+
|
|
25
|
+
`@colbymchenry/codegraph` is a runtime npm dependency. This package launches its CLI as an MCP subprocess and dynamically proxies the tools it exposes. Refer to the installed dependency for its complete license and notices.
|
|
26
|
+
|
|
27
|
+
## Model Context Protocol
|
|
28
|
+
|
|
29
|
+
Specification: https://modelcontextprotocol.io/
|
|
30
|
+
|
|
31
|
+
MCP is an open protocol. This package implements the JSON-RPC methods required for its stdio and stateless HTTP use cases.
|
|
32
|
+
|
|
33
|
+
## Cloudflared
|
|
34
|
+
|
|
35
|
+
Repository: https://github.com/cloudflare/cloudflared
|
|
36
|
+
|
|
37
|
+
The tunnel launcher can locate an existing `cloudflared` executable or download an official release asset at runtime. Cloudflared is not included in the npm tarball. Running or downloading it is subject to Cloudflare's applicable license and terms.
|
package/VALIDATION.md
ADDED
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
# Validation Report
|
|
2
|
+
|
|
3
|
+
Version: 0.2.0
|
|
4
|
+
|
|
5
|
+
Validation environment:
|
|
6
|
+
|
|
7
|
+
```text
|
|
8
|
+
Node.js v22.16.0
|
|
9
|
+
npm 10.9.2
|
|
10
|
+
Linux
|
|
11
|
+
```
|
|
12
|
+
|
|
13
|
+
Commands executed:
|
|
14
|
+
|
|
15
|
+
```bash
|
|
16
|
+
npm run check
|
|
17
|
+
npm test
|
|
18
|
+
npm run smoke
|
|
19
|
+
npm pack --dry-run
|
|
20
|
+
npm pack
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
Automated tests:
|
|
24
|
+
|
|
25
|
+
1. CodeGraph child MCP initialization, dynamic `tools/list`, and `tools/call` forwarding.
|
|
26
|
+
2. HTTP MCP token-path authentication, Origin validation, protocol-version rejection, and JSON-RPC POST initialization.
|
|
27
|
+
3. No Codex/OpenAI dependency, local tool exposure, fixed feedback timeout, file write/read, and automatic feedback test response.
|
|
28
|
+
4. Codex-style patch update, add, move, and delete operations.
|
|
29
|
+
5. Patch traversal rejection, context mismatch rejection, and unchanged source file after failure.
|
|
30
|
+
6. One-command launcher starts the HTTP server and prints independent MCP and WebUI tunnel URLs using a deterministic fake cloudflared process.
|
|
31
|
+
7. Hierarchical `AGENTS.md` loading with same-directory override precedence.
|
|
32
|
+
8. Relative traversal and symlink escape rejection.
|
|
33
|
+
9. stdio protocol smoke test with initialization and tool listing.
|
|
34
|
+
|
|
35
|
+
Current result:
|
|
36
|
+
|
|
37
|
+
```text
|
|
38
|
+
Syntax checks: passed
|
|
39
|
+
Tests: 8/8 passed
|
|
40
|
+
stdio smoke: passed
|
|
41
|
+
Base local tool count: 26
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
The build environment cannot access npm or Cloudflare directly. Consequently, the following were validated with protocol-level fake child processes rather than live external services:
|
|
45
|
+
|
|
46
|
+
- A real installation of the current `@colbymchenry/codegraph` npm package.
|
|
47
|
+
- A live CodeGraph index over a large repository.
|
|
48
|
+
- Downloading the current cloudflared release.
|
|
49
|
+
- Allocation of real `trycloudflare.com` URLs.
|
|
50
|
+
|
|
51
|
+
The launcher test exercises actual child-process lifecycle, local HTTP readiness, URL parsing, tokenized console output, and Ctrl+C cleanup with a fake cloudflared executable. A live network test should still be run on the target machine before publication.
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
#!/usr/bin/env node
|
|
2
|
+
|
|
3
|
+
const argv = process.argv.slice(2);
|
|
4
|
+
if (argv[0] === 'tunnel') {
|
|
5
|
+
const { runTunnelCli } = await import('../src/tunnel.js');
|
|
6
|
+
runTunnelCli(argv.slice(1)).catch((error) => {
|
|
7
|
+
console.error(`[fatal] ${error?.stack || error}`);
|
|
8
|
+
process.exitCode = 1;
|
|
9
|
+
});
|
|
10
|
+
} else {
|
|
11
|
+
const { runCli } = await import('../src/main.js');
|
|
12
|
+
runCli(argv).catch((error) => {
|
|
13
|
+
console.error(`[fatal] ${error?.stack || error}`);
|
|
14
|
+
process.exitCode = 1;
|
|
15
|
+
});
|
|
16
|
+
}
|