Bug Report: Version mismatch, ambiguous success state, and unnecessary Windows escaping #41

@xuxianbang1993

Summary

After a thorough source code review of server.py, __init__.py, and pyproject.toml, I identified three technical issues.


Issue 1: Version mismatch between __init__.py and pyproject.toml

Severity: Low (maintenance)

File                        Version
src/codexmcp/__init__.py    0.1.0
pyproject.toml              0.7.4

__init__.py has never been updated since initial creation. Any code that reads codexmcp.__version__ will get the stale 0.1.0 instead of the actual 0.7.4.

Suggested fix: Either sync __init__.py manually, or use hatch-vcs / importlib.metadata to derive __version__ from pyproject.toml as the single source of truth.


Issue 2: Ambiguous success state — partial failure is treated as success

Severity: Medium

In server.py, both the "fail" and "error" handling paths use:

success = False if len(agent_messages) == 0 else success

This means: if Codex has already emitted some agent_message text before crashing or failing, the final result will still be {"success": True, ...} with potentially truncated or incomplete content.

The caller has no way to distinguish between:

  • A fully completed response
  • A response that was cut short mid-way due to an error

Suggested fix: Consider one of:

  1. Always set success = False on fail/error, and include agent_messages in the error result so no data is lost.
  2. Add a "partial": true flag to the result when errors occurred after some agent messages were already received.
  3. At minimum, always append err_message to the result (even when success: true), so callers can detect issues.

Issue 3: windows_escape() is unnecessary and potentially harmful under shell=False

Severity: Medium

The codex tool applies windows_escape(PROMPT) when os.name == "nt":

if os.name == "nt":
    PROMPT = windows_escape(PROMPT)

However, the command is executed via:

process = subprocess.Popen(
    popen_cmd,
    shell=False,   # <-- arguments passed directly, no shell interpretation
    ...
)

With shell=False, the OS passes arguments directly to the child process without any shell parsing. The escape function is therefore unnecessary, and worse, it corrupts the prompt content:

  • A literal newline \n in the user's prompt becomes the two characters \n
  • A literal quote " becomes \\"
  • Backslashes are doubled: \\

This means Codex receives mangled prompts on Windows that differ from what the user intended.

Suggested fix: Remove the windows_escape() call entirely, or guard it behind shell=True (which is not recommended for security reasons). Since shell=False is the correct and safe approach, the escape function is not needed.


Environment

  • Codex CLI: v0.115.0
  • CodexMCP: v0.7.4 (from pyproject.toml)
  • Python: 3.12+
  • Reviewed commit: latest on main branch as of 2026-03-24

Thank you for this useful project! Happy to submit PRs for any of these if you'd like.
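A way to check the Issue 3 claim, as an added example that is not part of the original report or the project's code: it passes a prompt as a single argv element with shell=False and compares what the child process actually receives, with and without escaping. `escape_stand_in` is a hypothetical stand-in modelling the kind of transformations listed above (it is not the project's `windows_escape()`), and the sample prompt is constructed.

```python
import json
import subprocess
import sys

# Constructed sample prompt: quotes, backslashes and a real newline.
SAMPLE = 'Fix "C:\\tmp\\a.py"\nthen re-run the tests'

# Child process that reports exactly what it received as argv[1].
ECHO = "import json, sys; sys.stdout.write(json.dumps(sys.argv[1]))"


def escape_stand_in(text: str) -> str:
    """Hypothetical stand-in, NOT the project's windows_escape():
    doubles backslashes, escapes quotes, turns newlines into backslash-n."""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def child_sees(arg: str) -> str:
    """Pass arg as one argv element with shell=False; return what the child got."""
    proc = subprocess.run(
        [sys.executable, "-c", ECHO, arg],
        shell=False,          # argv list goes to the OS, no shell parsing
        capture_output=True,
        text=True,
        check=True,
    )
    return json.loads(proc.stdout)


def compare(prompt: str) -> dict:
    """Round-trip the prompt raw and escaped, and report which one survived."""
    raw = child_sees(prompt)
    escaped = child_sees(escape_stand_in(prompt))
    return {
        "raw_intact": raw == prompt,
        "escaped_intact": escaped == prompt,
        "escaped_received": escaped,
    }


if __name__ == "__main__":
    result = compare(SAMPLE)
    print("raw prompt arrives intact:    ", result["raw_intact"])
    print("escaped prompt arrives intact:", result["escaped_intact"])
    print("child received (escaped):     ", repr(result["escaped_received"]))
```

The same round-trip comparison works as a regression test for any change to how the prompt is placed on the command line.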
