fix: deny codex bash when index mcp is available

Closes #1505

Author: andrewgazelka

packages/agent/codex/default.nix

@@ -140,6 +140,7 @@ let
   # Codex does not use Claude's `permissions.deny` JSON shape.
   sharedPermissions = import (ix.paths.packagesRoot + "/agent/policy/permissions.nix") {
     inherit lib;
+    mcpServers = mcpStdioServers;
   };
 in
 # These baked defaults also reach the Codex GUI app's remote-SSH sessions, not

packages/agent/policy/permissions.nix

@@ -14,13 +14,16 @@ let
       "WebFetch"
     ]
     ++ lib.optional (mcpServers ? index) "Bash";
+
+  supersededCodexTools = lib.optional (mcpServers ? index) "Bash";
 in
 {
   claude = {
     deniedToolPatterns = protectedMergeToolPatterns ++ supersededBuiltinTools;
   };
 
   codex = {
+    deniedToolPatterns = supersededCodexTools;
     protectedMergeCommandPatterns = [
       "gh pr merge*--admin*"
       "gh pr merge*--force*"

tests/default.nix

@@ -3384,6 +3384,17 @@ let
         assertion = !(builtins.elem "cursor-cli" developmentBase.packageNames);
         message = "development-base should keep unrelated unfree CLIs out of the image";
       }
+      {
+        assertion =
+          let
+            policy = import (paths.packagesRoot + "/agent/policy/permissions.nix") {
+              inherit lib;
+              mcpServers.index = { };
+            };
+          in
+          policy.codex.deniedToolPatterns == [ "Bash" ];
+        message = "Codex should deny the Bash tool when the index MCP is available";
+      }
       {
         # Bypass-permissions is enforced through Claude's managed-settings layer
         # (/etc/claude-code/managed-settings.json): read-only, highest precedence,