rstream MCP and Codex workflows


rstream now gives Codex a native way to reach the resources around a repository: local services, hosted project state, remote machines, remote-local services, bounded filesystem roots, and device-local MCP servers.

The Codex integration requires rstream CLI 1.19.0 or later.

There are two MCP surfaces with different trust boundaries. The hosted /api/mcp endpoint is for control-plane work: discovery, identity, workspaces, projects, plan and usage data, logs, TURN, stable domains, settings, token minting, and explicit project creation or checkout. It uses bearer-token authentication and the same permission and resource boundaries as the API.

The local CLI server is the agent runtime surface. rstream codex setup registers rstream mcp serve, which reuses the operator's local rstream context and private tunnel dialer. Codex can expose a local development server, inspect WebTTY machines behind NAT, run non-interactive remote commands, use the WebDAV filesystem sidecar when it is enabled, expose a service that only listens on the remote host, and bridge a device-local MCP server without opening inbound ports on that device.

This changes the Codex workflow from repository-only automation to controlled connectivity. Codex can check plan and usage state before using a feature, ask before billing-sensitive or mutating operations, publish a temporary URL for a local service, gather logs from labeled remote devices, move files through an explicit filesystem root, bridge device-local MCP tools, and clean up the tunnels it created.

The token model is now explicit in the MCP docs and tool descriptions. Developer workstations use the rstream login credential and linked contexts. Remote devices use project-scoped credentials when they need their own durable access. Short-lived delegated tokens are kept for immediate URL, browser, published MCP, or runtime handoff flows.

The WebDAV sidecar is still a filesystem boundary, not a sandbox. It is opt-in, rooted by --fs-root, and runs with the WebTTY server process permissions. For remote agent runtimes that cannot start a local stdio MCP process, rstream mcp publish can expose the same local MCP surface as a token-protected Streamable HTTP endpoint at /mcp.
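
A pre-flight audit an operator could run on a directory before passing it as --fs-root, added here as an example and not part of rstream: it reports symlinks that resolve outside the root, sensitive-looking names, and how many entries the current user can write. The page does not say how the sidecar treats symlinks, so flagging them is an assumption; SENSITIVE_NAMES, the function names, and the sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Illustrative names only; this is not a list taken from rstream.
SENSITIVE_NAMES = {".ssh", ".aws", ".env", ".netrc", ".git-credentials"}

def audit_fs_root(root):
    """Report what a file server rooted at `root` could reach as this user."""
    root = Path(root).resolve(strict=True)
    report = {"escaping_symlinks": [], "sensitive": [], "writable": 0}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                # Resolve the link and check whether it leaves the root.
                target = path.resolve()
                if target != root and root not in target.parents:
                    report["escaping_symlinks"].append(rel)
                continue
            if name in SENSITIVE_NAMES:
                report["sensitive"].append(rel)
            # Process permissions, not the root, decide what is writable.
            if os.access(path, os.W_OK):
                report["writable"] += 1
    return report

def build_demo_tree():
    """Constructed sample tree: one secret, one inside link, one outside link."""
    base = Path(tempfile.mkdtemp())
    root, outside = base / "project", base / "var-log"
    (root / "src").mkdir(parents=True)
    outside.mkdir()
    (root / "src" / "app.py").write_text("print('hi')\n")
    (root / ".env").write_text("API_KEY=constructed-sample\n")
    (root / "current").symlink_to(root / "src")   # stays inside the root
    (root / "logs").symlink_to(outside)           # leaves the root
    return root

if __name__ == "__main__":
    print(audit_fs_root(build_demo_tree()))
```

Run it as the account the WebTTY server runs as, since that account's permissions are what the sidecar inherits.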

See Codex, Agent Native, WebTTY, and Use rstream as a Connectivity Layer for Codex.