claude-second-opinion-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@claude-second-opinion-mcpreview my deployment plan for security issues"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Claude Second Opinion MCP
A focused local MCP server that lets Codex—or any MCP client—ask a fresh Claude Code session for an independent second opinion without blocking the calling agent.
It is designed for consequential uncertainty: plans, architecture, difficult debugging, security/correctness risks, substantial code changes, and final completion checks. It is not intended to become a mandatory ritual for routine work.
What makes it different
start_claude_reviewreturns immediately with a review ID.get_claude_reviewchecks or retrieves the result later while the caller continues other work.cancel_claude_reviewterminates the Claude process group.Every review runs at
--effort max.The model is configurable; the default
bestselector can use Fable when available, with Claude Code's native fallback to Opus.A zero-cost capacity failure that performed no model work gets one explicit fallback attempt within the original timeout and budget; work is never replayed after model usage, spend, or permission denials.
The result reports the requested model plus every matching reviewer model in Claude's usage telemetry. The singular field is null when telemetry contains both the configured primary and fallback, avoiding guessed provenance.
Denied tool calls are surfaced by name and force an
insufficient_contextverdict instead of allowing a falsely complete review.Claude output must match a strict review schema and pass consistency checks.
Packet-only reviews remain tool-disabled and isolated from the workspace.
Workspace-aware reviews can inspect a trusted repository with Claude Code's built-in tools and a configurable permission mode.
The default authentication policy requires first-party Claude.ai Max login and strips alternate-provider overrides to avoid accidental API billing.
Runtime, input, output, concurrency, and subprocess cleanup are bounded.
Related MCP server: codex-claude-bridge
Review modes
Packet-only
Omit workspace. Claude receives only the supplied task, artifact, question,
and focus fields. Tools are disabled, safe mode is forced on, and the review
runs from a temporary directory.
This mode is useful for reviewing a plan, proposal, diagnosis, or draft answer without granting repository access.
Workspace-aware
Supply an absolute workspace path underneath one of the roots configured in
CLAUDE_SECOND_OPINION_WORKSPACE_ROOTS_JSON. The path is canonicalized and
validated before the background job is accepted. Claude starts in that
directory with normal built-in tools.
By default, workspace reviews use:
--safe-mode--permission-mode plana clean child-process environment
no project
CLAUDE.md, hooks, skills, plugins, or project MCP servers
This preserves an independent reviewer while still allowing Claude to inspect files and diffs. Every effective execution profile is returned with the job snapshot.
Safety model
Safe mode, permission mode, and sandboxing solve different problems:
Safe mode controls Claude Code customizations. It does not disable built-in tools and is not a sandbox.
Permission mode controls which tool actions Claude Code authorizes.
OS sandboxing controls what the subprocess can actually reach. A working directory or configured workspace root is not an OS boundary.
bypassPermissions—including the accepted
--dangerously-skip-permissions alias—disables Claude Code permission checks.
Anthropic recommends it only in externally isolated containers or VMs. In
that mode Claude can potentially read or modify files outside the selected
workspace, execute commands, use the network, invoke MCP tools, or expose
credentials available to the OS user.
The reviewer system prompt prohibits intentional edits, deployments,
publishing, contacting people, and external state changes. A prompt is not a
security boundary. Use plan or an external sandbox when those actions must be
technically prevented.
The packet scanner refuses several common secret formats, but it cannot protect secrets stored in files once workspace tools are enabled. Material Claude reads may be sent to Anthropic. Review SECURITY.md before enabling workspace access.
Requirements
Node.js 22 or newer
npm 10 or newer
Claude Code 2.1.207 or newer available on
PATHClaude Code authentication compatible with the configured auth policy
An MCP client such as Codex
Install
Install the command from npm:
npm install --global claude-second-opinion-mcpTo install from source instead:
git clone https://github.com/Borge-Labs/claude-second-opinion-mcp.git
cd claude-second-opinion-mcp
npm ci
npm run build
npm test
npm run smokedist/ is generated locally and intentionally not committed.
Codex configuration
Add a server entry to ~/.codex/config.toml, replacing the workspace root with
an absolute path on your machine:
[mcp_servers.claude_second_opinion]
command = "claude-second-opinion-mcp"
enabled = true
enabled_tools = ["start_claude_review", "get_claude_review", "cancel_claude_review"]
startup_timeout_sec = 20
tool_timeout_sec = 75
[mcp_servers.claude_second_opinion.env]
CLAUDE_SECOND_OPINION_CLAUDE_BIN = "claude"
CLAUDE_SECOND_OPINION_MODEL = "best"
CLAUDE_SECOND_OPINION_FALLBACK_MODEL = "opus"
CLAUDE_SECOND_OPINION_AUTH_POLICY = "max"
CLAUDE_SECOND_OPINION_ENV_POLICY = "clean"
CLAUDE_SECOND_OPINION_WORKSPACE_ROOTS_JSON = '["/absolute/path/to/projects"]'
CLAUDE_SECOND_OPINION_PERMISSION_MODE = "plan"
CLAUDE_SECOND_OPINION_SAFE_MODE = "true"If you prefer not to install globally, use command = "npx" and
args = ["--yes", "claude-second-opinion-mcp@latest"]. A source checkout can
still use command = "node", its built dist/index.js, and the checkout as
cwd.
Restart Codex after adding the server or rebuilding it so the MCP process and tool inventory are refreshed.
Explicit full-agent configuration
If the Claude process already runs inside a trusted external sandbox and you want project customizations plus unrestricted tool authorization:
[mcp_servers.claude_second_opinion.env]
CLAUDE_SECOND_OPINION_WORKSPACE_ROOTS_JSON = '["/absolute/path/to/projects"]'
CLAUDE_SECOND_OPINION_PERMISSION_MODE = "bypassPermissions"
CLAUDE_SECOND_OPINION_SAFE_MODE = "false"The value --dangerously-skip-permissions is accepted as an alias and is
normalized internally to bypassPermissions. Environment values are parsed as
configuration, never appended as raw command-line flags.
Calling the tools
Start a workspace-aware review:
{
"kind": "final_check",
"task": "Review the current implementation before release.",
"workspace": "/absolute/path/to/projects/example",
"artifact": "Focus on the current git diff and the stated release criteria.",
"question": "Is any material correctness, security, or compatibility risk still unsupported by evidence?",
"focus": ["correctness", "security", "test evidence"]
}The start result includes a review_id and execution profile. Continue useful
work, then call get_claude_review with that ID. Omit the ID to retrieve the
most recently started review in the current MCP process.
Completed reviews include permission_denials. The bridge exposes only denied
tool names—not tool inputs—and changes the verdict to insufficient_context
whenever that list is non-empty.
MCP cannot reliably inject a completed background result into an already running model turn, so the caller must explicitly retrieve it later.
Suggested agent guidance
This belongs in user or project agent instructions, not in a hard-coded hook:
Use the optional Claude second-opinion MCP selectively when another model
perspective is likely to affect a consequential decision. Start a useful review
early, continue independent work while it runs, and retrieve and reconcile the
result before a relevant final handoff. Do not use it for routine or mechanical
work or repeat a review on materially unchanged input.Configuration reference
Variable | Default | Purpose |
|
| Claude Code executable |
|
| Primary model or selector |
|
| Native and zero-work capacity fallback model |
|
|
|
|
| Reviewed operational/network allowlist or explicit |
|
| JSON array of trusted absolute workspace roots |
|
| Valid Claude Code permission mode or dangerous alias |
|
| Disable Claude customizations for workspace reviews |
|
| JSON array passed as Claude allowed-tool rules |
|
| JSON array passed as Claude denied-tool rules |
|
| Review timeout, 90 minutes |
|
| Maximum serialized review packet size |
|
| Claude print-mode budget ceiling when applicable |
| unset | Set to |
--effort max is always passed, and the child environment is forced to
CLAUDE_CODE_EFFORT_LEVEL=max so an inherited lower setting cannot override
it.
Auth policies:
max: require first-party Claude.ai Max and remove provider overrides.first_party: require first-party Claude.ai authentication and remove provider overrides.any: accept any logged-in Claude Code provider configuration. Combine this withENV_POLICY=inheritonly when intentionally using credentials supplied through environment variables.
The clean environment is a reviewed operational allowlist, not a secret-free
boundary. It retains standard proxy, certificate, mTLS path, and
CLAUDE_CONFIG_DIR settings needed for supported Claude installations. Proxy
URLs can contain credentials. The mTLS key passphrase is deliberately omitted;
set ENV_POLICY=inherit only when that credential is required. Use an external
sandbox when workspace tools must not be able to observe process configuration.
Tool allow rules pre-authorize matching tools; they are not a filesystem sandbox. Deny rules and Claude Code sandbox settings provide additional layers.
Job lifecycle
Only one review runs at a time.
The default internal timeout is 90 minutes.
Start/get/cancel MCP calls remain short.
Job state is retained in memory for the active MCP process.
Restarting or disconnecting the MCP client cancels active work and clears retained results.
Timeout, cancellation, and shutdown send TERM and then KILL to the Claude process group on supported platforms.
Development
npm ci
npm test
npm run smoke
npm audit --omit=devThe unit suite uses a fake Claude executable and makes no model calls. The optional live test consumes Claude usage:
npm run smoke:liveTo exercise real workspace inspection, point the smoke test at a trusted root that is also covered by the configured workspace roots. The script creates and removes a temporary sentinel fixture, proves Claude read it, and verifies that the fixture was not modified. The live harness forces plan permission mode and safe mode for this check:
CLAUDE_SECOND_OPINION_WORKSPACE_ROOTS_JSON='["/absolute/path/to/projects"]' \
CLAUDE_SECOND_OPINION_SMOKE_WORKSPACE=/absolute/path/to/projects \
npm run smoke:liveSee CONTRIBUTING.md for contribution guidance and CHANGELOG.md for release history.
Project and trademark notice
The public GitHub repository is a mirror of the canonical Gitea repository. GitHub issues and pull requests are welcome and are integrated upstream before being mirrored back.
This is an independent open-source project. It is not affiliated with, endorsed by, or sponsored by Anthropic or OpenAI. Claude, Claude Code, Codex, and related names are trademarks of their respective owners.
License
MIT License. See LICENSE.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Borge-Labs/claude-second-opinion-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server