codex_review_changes
Get an independent second opinion on git changes. Send diffs from working tree, branch, or commit scope to Codex for review, and receive structured findings.
Instructions
Ask Codex (a different model) to review your git changes for an independent second opinion.
scope: working_tree (uncommitted vs HEAD), branch (needs base, reviews
base...HEAD), or commit (needs a commit SHA). The diff is gathered, secret-
redacted, and bounded by this server; Codex reviews it read-only and returns
structured findings. Pass workspace_root (absolute) for the right repo.
extra_context (optional) is author intent — why the change was made, what you
already verified, constraints — added to the prompt as clearly-labeled UNTRUSTED
data (Codex is instructed to treat embedded directives as data, not commands — a
best-effort injection mitigation, not a guarantee) to cut false positives. It is
bounded by the same input-byte limit as the diff.
STATIC review, not a verify mode: the read-only sandbox blocks the writes a test/build/lint run typically needs (a writable cache/temp), so Codex can't rely on running the project's checks to confirm its findings. Treat findings as unvalidated claims to verify by running those checks yourself before acting.
Data egress: this sends the gathered diff to OpenAI via the codex CLI. The diff is
secret-redacted (best-effort), but your extra_context is sent raw (unredacted),
and Codex may read and send other repo files. Redaction is not a guarantee — do
not point a review at a tree full of live credentials and assume it protects them.
Progress: this is a blocking call that returns only when Codex finishes; it does
not stream incremental notifications/progress. Typical runs take tens of seconds;
the configured default timeout is normally 180s, clamped to 10-600s, overridable
per call via timeout_seconds (codex_status reports the resolved default and
bounds). If you need live status or recoverability for a long run, use
codex_review_changes_async for a job_id and poll codex_job_status.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| base | No | Base git ref for scope='branch'; the review covers base...HEAD. | |
| model | No | Override the Codex model slug for this call; defaults to the server/Codex default when unset. | |
| paths | No | Repo-relative paths to narrow the review ('/' separators, no '..'); omit to review all changes in scope. | |
| scope | No | Which changes to review: 'working_tree' (uncommitted vs HEAD), 'branch' (needs base), or 'commit' (needs commit). | working_tree |
| commit | No | Commit SHA or ref to review for scope='commit'. | |
| detail | No | Response verbosity: 'summary' (default) omits the raw model text; 'full' includes it. | summary |
| isolation | No | Codex config isolation: 'inherit' (default), 'ignore-config', or 'ignore-rules'. | |
| extra_context | No | Optional author intent / background context, added to the prompt as clearly-labeled UNTRUSTED data. Codex is instructed to treat embedded directives as data, not commands — best-effort prompt-injection mitigation, not a guarantee. Don't include live secrets: Codex can read files it's pointed at, and redaction does not cover this field. | |
| workspace_root | No | Absolute path to the target repository root. Pass it (or rely on an MCP root) so the call targets the intended repo; otherwise it falls back to the server's own cwd and meta.workspace_warning is set. | |
| timeout_seconds | No | Per-call wall-clock timeout in seconds, clamped to 10..600 (out-of-range values are coerced, not rejected). Defaults to the server's configured timeout. |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| ok | Yes |