Codex module: MCP server subprocesses fail TLS verification when enable_boundary=true

[shanewhite97]

Description

When enable_boundary = true in the Codex module, MCP server subprocesses (both the built-in Coder MCP and any additional_mcp_servers) fail to make HTTPS requests because they don't trust Boundary's dynamically-generated CA certificate.

Root Cause

Boundary sandboxes the Codex process using a network namespace with transparent HTTPS interception. It generates a CA certificate and injects env vars like SSL_CERT_FILE, NODE_EXTRA_CA_CERTS, etc. into the Codex process environment.

However, Codex CLI calls .env_clear() when spawning MCP server subprocesses (source), only passing through a small default whitelist (HOME, PATH, SHELL, USER, LANG, LC_ALL, TERM, TMPDIR, TZ) plus whatever is explicitly defined in the env block of config.toml.

The append_mcp_servers_section function in install.sh does not include Boundary's CA cert env vars in the Coder MCP server's env block, so they are stripped when Codex spawns the MCP subprocess.

Symptoms

• Coder MCP (coder exp mcp server): Failed to report task status: Patch "https://<coder-url>/api/v2/workspaceagents/me/app-status": tls: failed to verify certificate: x509: certificate signed by unknown authority
• Additional MCP servers (e.g. GitLab via npx): TLS handshake failures when connecting to external APIs

Current Workaround

Coder MCP (Go binary)

Use post_install_script to sed-patch config.toml and inject SSL_CERT_FILE and SSL_CERT_DIR into the Coder MCP server's inline env block:

post_install_script = <<-EOF
  #!/bin/bash
  CONFIG_PATH="$HOME/.codex/config.toml"
  sed -i 's|"CODER_MCP_ALLOWED_TOOLS" = "coder_report_task"|"CODER_MCP_ALLOWED_TOOLS" = "coder_report_task", "SSL_CERT_FILE" = "/home/coder/.config/coder_boundary/ca-cert.pem", "SSL_CERT_DIR" = "/home/coder/.config/coder_boundary"|' "$CONFIG_PATH"
EOF

Node.js-based MCP servers (e.g. GitLab)

Only NODE_EXTRA_CA_CERTS is needed in the env block, plus startup_timeout_sec to account for slower npx downloads through Boundary:

[mcp_servers.gitlab]
command = "npx"
args = ["-y", "@zereight/mcp-gitlab"]
type = "stdio"
startup_timeout_sec = 180

[mcp_servers.gitlab.env]
NODE_EXTRA_CA_CERTS = "/home/coder/.config/coder_boundary/ca-cert.pem"
# ... other GitLab-specific env vars

Important note

HTTPS_PROXY/HTTP_PROXY are might not be needed. Boundary intercepts traffic transparently at the network namespace level; the proxy port (8087) is not reachable via localhost from inside the sandbox.

Proposed Fix

When enable_boundary = true, the append_mcp_servers_section function in scripts/install.sh should automatically inject Boundary's CA cert env vars into the built-in Coder MCP server env block. At minimum:

• SSL_CERT_FILE = <boundary_config_dir>/ca-cert.pem
• SSL_CERT_DIR = <boundary_config_dir>

The CA cert path is deterministic based on the boundary_config_path directory.

Additionally, the README should document that:

• Users must add NODE_EXTRA_CA_CERTS (or equivalent) to additional_mcp_servers env blocks when using Boundary
• MCP servers using npx may need increased startup_timeout_sec (e.g. 180) when running behind Boundary due to package download overhead

Environment

• Codex module version: 4.3.0
• Coder version: v2.30.2
• enable_boundary = true
• enable_aibridge = true

Relevant Source Files

• registry/coder-labs/modules/codex/scripts/install.sh - append_mcp_servers_section function
• registry/coder/modules/agentapi/scripts/boundary.sh - Boundary setup
• Codex CLI MCP env handling: https://github.com/openai/codex/blob/main/codex-rs/rmcp-client/src/utils.rs#L92
• Boundary CA cert injection: https://github.com/coder/boundary/blob/main/landjail/child.go

[matifali]

We will be addressing this as part of the #840 and a sperate standalone Codex module similar to #861