codex-web-bridge
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@codex-web-bridgesnapshot the project at /path/to/project and show git status"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Codex Web Bridge
Use ChatGPT Web as the planning UI while this local MCP bridge provides tools for files, code search, shell commands, tests, Git consistency checks, guarded writes, safe base-branch synchronization, and lightweight task/process state.
The recommended public setup is:
ChatGPT Web
-> your HTTPS domain
-> server reverse proxy
-> SSH reverse tunnel
-> local bridge on 127.0.0.1:3838
-> local projectsThis avoids ngrok and does not require exposing your Mac directly to the internet.
What It Provides
MCP over stdio for local MCP clients.
MCP over Streamable HTTP for ChatGPT Apps / Connectors.
Local project tools: read, search, list, write, patch, move, delete.
Shell/test/git tools with policy checks.
Multi-project workspace Git settings without repository-specific defaults.
Read-only Git preflight across local refs, live remotes, and worktrees.
Optional single-writer task locks that cover every project write entry point.
Fast-forward-only integration-branch synchronization with explicit confirmation.
Workspace/task/process helpers for longer work.
Optional HTTP token auth for
/mcp.Audit logs for write/destructive operations.
Related MCP server: opencode-chatgpt-bridge
Quick Start
npm install
npm run build
bash scripts/test-mcp.shRun locally:
CODEX_WEB_AUTH_TOKEN="$(openssl rand -hex 32)" node dist/index.js --http 3838
curl -sS http://127.0.0.1:3838/healthLocal macOS Service
Generate local-only config files:
bash scripts/configure-local.sh bridgeInstall the bridge as a user LaunchAgent:
bash scripts/install-launchd.shStop it:
bash scripts/stop-launchd.shGenerated files such as launchd/com.codexweb.bridge.plist, launchd/com.codexweb.tunnel.plist, and bridge.policy.json are intentionally ignored by git. Do not commit them; they contain local paths and, usually, a token.
Server Setup Without ngrok
You need:
A Linux server reachable over SSH.
A domain with HTTPS terminating on that server.
A reverse proxy such as nginx.
SSH key access from your Mac to the server.
1. Start The Local Bridge
bash scripts/install-launchd.sh
curl -sS http://127.0.0.1:3838/health2. Create An SSH Reverse Tunnel
For an interactive test:
SSH_TARGET="ubuntu@example.com" \
REMOTE_PORT=3839 \
LOCAL_PORT=3838 \
bash scripts/start-ssh-tunnel.shWith a key:
SSH_TARGET="ubuntu@example.com" \
SSH_KEY="$HOME/.ssh/id_ed25519" \
REMOTE_PORT=3839 \
LOCAL_PORT=3838 \
bash scripts/start-ssh-tunnel.shFor a macOS LaunchAgent:
SSH_TARGET="ubuntu@example.com" \
SSH_KEY="$HOME/.ssh/id_ed25519" \
REMOTE_PORT=3839 \
LOCAL_PORT=3838 \
bash scripts/configure-local.sh tunnel
bash scripts/install-launchd.shOn the server, this should respond:
curl -sS http://127.0.0.1:3839/health3. Reverse Proxy With A Secret Path
ChatGPT's app setup may not give you a place to add a custom bearer header. A practical pattern is:
Keep
CODEX_WEB_AUTH_TOKENenabled on the local bridge.Use a long random path on your HTTPS domain.
Have nginx inject the bearer token when proxying to the tunnel.
Example nginx location:
location /codex-mcp/<long-random-secret>/ {
proxy_pass http://127.0.0.1:3839/;
proxy_http_version 1.1;
proxy_set_header Authorization "Bearer <your-local-bridge-token>";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}Then test:
curl -sS https://your-domain.example/codex-mcp/<long-random-secret>/healthThe MCP URL for ChatGPT is:
https://your-domain.example/codex-mcp/<long-random-secret>/mcpIn ChatGPT, choose No Auth for the app authentication if nginx is injecting the bearer token.
ChatGPT App Setup
Open ChatGPT Web.
Go to Apps -> Manage -> Create app.
Use
Server URL.MCP Server URL:
https://your-domain.example/codex-mcp/<long-random-secret>/mcpAuthentication:
No Authif your reverse proxy injects the bearer token.Accept the custom MCP server risk notice.
Create and connect the app.
Try a read-only prompt first:
Use Local Codex Bridge. Run project.snapshot for /absolute/path/to/my/project and summarize the project type, git status, and scripts.Stdio Config
For local MCP clients that support stdio:
{
"mcpServers": {
"codex-web-bridge": {
"command": "node",
"args": ["/absolute/path/to/codex-web/dist/index.js"],
"env": {
"CODEX_WEB_DATA_DIR": "~/.codex-web",
"CODEX_WEB_POLICY_PATH": "/absolute/path/to/codex-web/bridge.policy.json"
}
}
}
}Policy
bridge.policy.json controls what local paths and shell commands are allowed.
Default template:
{
"allowedProjectRoots": ["/Users/example/Projects"],
"denyGlobs": [
"**/.env",
"**/.env.*",
"**/*.pem",
"**/*.key",
"**/*.p12",
"**/*.pfx",
"**/.npmrc",
"**/.netrc",
"**/.ssh/**",
"**/id_rsa",
"**/id_ed25519"
],
"shell": {
"enabled": true,
"denyPatterns": [
"sudo",
"rm\\s+-rf\\s+/",
"chmod\\s+-R",
"chown\\s+-R",
"security\\s+find-",
"launchctl\\s+bootout\\s+system",
"\\bgit\\s+pull\\b",
"\\bgit\\s+merge\\b",
"\\bgit\\s+rebase\\b",
"\\bgit\\s+reset\\b",
"\\bgit\\s+clean\\b.*(?:^|\\s)-[^\\s]*f",
"\\bgit\\s+push\\b.*(?:--force(?:-with-lease)?|(?:^|\\s)-f(?:\\s|$))"
]
}
}The built-in default is fail-closed: if no allowedProjectRoots are configured, project tools are denied. Replace the neutral example path with the smallest local root or exact project directories you intend to expose. Existing local bridge.policy.json files are not rewritten.
Shell denyPatterns, including the built-in Git patterns, are best-effort guardrails against accidental direct commands. They are not a security boundary or a complete shell parser. Scripts, variables, aliases, command construction, and forms such as git -C <path> ... can bypass simple regular expressions. Keep allowed roots narrow, use guarded write tasks, and prefer the dedicated Git tools instead of relying on shell regexes for adversarial isolation.
Tools
The server exposes these MCP tools:
Tool | Purpose |
| Project summary, git status, language/package hints, bounded file tree |
| Read package scripts |
| Higher-level project index |
| Read files or line ranges |
| Search with ripgrep-compatible output |
| Inspect files without reading full contents |
| Modify files inside policy boundaries |
| Delete files, requires |
| Run a shell command after policy checks |
| Detect and run tests |
| Basic Git inspection and guarded revert |
| Read-only consistency check for HEAD, integration refs, live remote state, divergence, worktrees, and write locks |
| Confirmed fetch plus fast-forward-only integration-branch synchronization |
| Register project path, remote, integration branch, and write mode |
| Read-only/write tasks, single-writer locks, finish, and explicit recovery |
| Start/list/stop managed long-running processes |
| Check local TCP ports |
| Inspect bridge service health and logs |
| Restart fixed local bridge/tunnel services, requires |
Multi-project Git Safety
Workspace Git settings are stored only in the local runtime data directory (workspaces.json). They are not source-controlled.
Register each project with its own verified integration branch:
{"name":"project-a","projectPath":"/Users/example/Projects/project-a","remote":"origin","integrationBranch":"main","writeMode":"guarded"}
{"name":"project-b","projectPath":"/Users/example/Projects/project-b","remote":"origin","integrationBranch":"develop","writeMode":"guarded"}
{"name":"project-c","projectPath":"/Users/example/Projects/project-c","remote":"upstream","integrationBranch":"release/current","writeMode":"guarded"}workspace.add is an upsert. Older workspaces.json records containing only name, path, timestamps, and default state remain readable. Missing Git fields behave as:
remote:
origin;integration branch: unresolved until supplied by the call, workspace configuration, or the remote HEAD symref;
write mode:
legacy, preserving existing unguarded behavior.
Creating a workspace and upgrading legacy to guarded remain simple operations. Changing an existing guarded workspace's writeMode requires its active write taskId. A guarded workspace cannot change projectPath; register a new workspace name instead. Adding a workspace alias for a target that is already guarded or has an active write lock also requires that target's active write taskId.
For guarded operation, start one write task and pass its taskId to every project-writing call:
{"title":"Implement feature","workspace":"project-a","mode":"write","leaseMinutes":120}
{"projectPath":"/Users/example/Projects/project-a","file":"src/example.ts","content":"export {};\n","taskId":"task_..."}
{"taskId":"task_...","status":"done","note":"Validated and complete"}The atomic lock is keyed by the canonical Git repository plus canonical worktree. It applies even if another caller uses the physical path instead of the workspace name. It covers file creation/modification/deletion, shell commands, test runs, Git revert/sync, managed process start/stop, and guarded workspace setting changes. Durable in-flight markers include the bridge PID and, for shell/test calls, the spawned shell PID and process group. Recovery stays fail-closed while any of them may still be alive. A task also cannot finish while one of its managed processes is still active.
workspaces.json, tasks.json, and processes.json use small cross-process file locks around each complete read-modify-write transaction, while final writes still use a temporary file plus atomic rename. A lock is reclaimed automatically only when its metadata is readable, its owner PID is proven stopped, and it is older than the conservative stale threshold. Unreadable or ambiguous locks fail closed instead of being overwritten.
Read-only tasks do not acquire a lock. Expired locks remain blocking until explicitly recovered:
{"taskId":"task_...","reason":"The previous client crashed and the lease expired","confirm":true}Use task.recover_lock only for an orphaned lock whose task record is no longer active or readable. Both recovery paths append an audit event.
Git preflight
Run preflight before editing or synchronizing:
{"workspace":"project-a"}Integration branch resolution is fail-closed and uses this priority:
explicit
integrationBranchcall argument;workspace
integrationBranch;the selected remote's advertised HEAD symref.
It never guesses main or master. Remote selection uses the explicit call argument, then workspace configuration, then the neutral origin default.
git.preflight does not fetch or change refs. It reports full SHAs, dirty/staged/untracked/conflict state, upstream, local and remote-tracking refs, live remote SHA, ahead/behind when locally verifiable, every worktree, duplicate branch checkouts, active write tasks, and a machine-readable verdict. If the remote cannot be reached or its live commit is not locally verifiable, the result is unknown/unverified, never “clean by assumption.”
Fast-forward-only base sync
{"workspace":"project-a","taskId":"task_...","confirm":true}git.sync_base may fetch only the selected remote and may update only the currently checked-out integration branch via --ff-only. It refuses dirty worktrees, detached HEAD, a different checked-out branch, local-only commits, divergence, stale/unverified remote state, another worktree checking out the integration branch, or write-lock conflicts. It never falls back to force, reset, merge commits, rebase, or history rewriting.
ChatGPT Web and Codex App together
Treat a physical worktree as single-writer:
use guarded mode whenever both clients can reach the same project;
let only the active write task mutate that worktree;
use separate Git worktrees for genuinely parallel implementation;
run
git.preflightbefore handing writing control from one client to the other;finish or explicitly recover the old write task before starting the next writer.
Separate worktrees can have separate write locks, but Git still prevents the same branch from being checked out normally in two worktrees. Preflight reports any conflicting branch checkout instead of trying to repair it.
Security Notes
Do not expose
/mcppublicly without auth or a protected reverse proxy path.Do not commit generated plist files, tokens, SSH key paths, logs, or real domains if they are private.
Prefer a long random URL segment even when token injection is enabled.
Keep
CODEX_WEB_AUTH_TOKENenabled for public HTTP use.Keep
.env,.ssh, key files,.npmrc, and.netrcdenied.Keep
allowedProjectRootsnarrow; the default with no configured roots denies project access.Use read-only tools first before write/shell tools.
Prefer
git.sync_baseover shell-driven pull/merge/rebase. Built-in shell patterns catch common direct spellings of destructive or history-rewriting Git commands, but remain best-effort and bypassable rather than a security boundary.Treat shell output and logs as potentially sensitive.
For long-term use, rotate the secret path and token if they are ever pasted into a public place.
If your Mac is asleep/offline, ChatGPT cannot reach the local bridge through the tunnel.
macOS LaunchAgents start after user login, not before login.
Restart Behavior
Server reboot:
nginx/systemd usually comes back automatically.
The Mac-side SSH LaunchAgent reconnects when the server is reachable.
No ChatGPT app reconfiguration is needed if the domain and secret path stay the same.
Mac reboot:
The LaunchAgents start after you log in.
The tunnel reconnects if SSH credentials still work.
You need to reconfigure only if the domain, secret path, bridge token, SSH target, SSH key, or ChatGPT app is changed or deleted.
Validation
Local:
curl -sS http://127.0.0.1:3838/healthServer:
curl -sS http://127.0.0.1:<remote-port>/healthPublic:
curl -sS https://your-domain.example/codex-mcp/<long-random-secret>/healthMCP initialize:
curl -sS https://your-domain.example/codex-mcp/<long-random-secret>/mcp \
-H 'Content-Type: application/json' \
-H 'Accept: application/json, text/event-stream' \
--data '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-06-18","capabilities":{},"clientInfo":{"name":"verify","version":"1.0"}}}'Development
npm run typecheck
npm run build
bash scripts/test-mcp.shThis server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/truongvknnlthao-gif/codex-web-bridge'
If you have feedback or need assistance with the MCP directory API, please join our Discord server