codex-in-claude
This server lets Claude Code integrate with OpenAI Codex for cross-model code consultation, review, and delegated coding tasks — with background job support, dry-run previews, and safety features.
Core Tools:
codex_consult— Ask Codex a read-only question or request a second opinion; returns structured findings, summaries, and next steps.codex_review_changes— Have Codex review git changes (working tree, branch diff, or commit); returns a structured verdict (pass/concerns/fail/unknown), confidence level, and per-finding details (severity, evidence, risk, recommendation).codex_delegate— Delegate a coding task to Codex; it works in an isolated throwaway git worktree and returns a reviewable diff that is never auto-applied to your tree.
Async / Background Job Variants:
codex_consult_async,codex_review_changes_async,codex_delegate_async— Run any of the above in the background, returning ajob_idimmediately.codex_job_status— Poll a background job's lifecycle state.codex_job_result/codex_job_consume_result— Fetch a finished job's result (the latter also deletes the record).codex_job_cancel— Cancel a running background job.codex_job_list— List all known background jobs for the workspace.
Free / Local-Only Utilities (No Model Call):
codex_status— Check CLI installation, authentication, version compatibility, and cached rate-limit quota.codex_capabilities— List available tools, tiers, sandboxes, and the server's result fingerprint.codex_models— List available Codex model slugs.codex_dry_run— Preview scope, diff size, and redactions for acodex_review_changescall without spending tokens.codex_delegate_dry_run— Preview HEAD commit, file counts, and prompt size for acodex_delegatecall without creating a worktree or spending tokens.
Safety Highlights:
consultandrevieware strictly read-only;delegatewrites only inside a throwaway worktree.Secret-looking content is redacted from diffs and Codex output (best-effort).
No
--dangerously-bypass-*flags are ever passed to Codex.Input/output byte caps and configurable timeouts are enforced.
All results are returned as structured envelopes (
ok,findings,meta, error details) for automated handling.
Enables Claude Code to call OpenAI Codex for independent second opinions, structured code review, and delegated coding tasks in a safe, isolated environment.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@codex-in-claudereview my git changes"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
codex-in-claude
Call OpenAI Codex from Claude Code — an independent second opinion, structured code
review, and delegated coding tasks (cross-model review) — through a FastMCP plugin that drives
the codex CLI safely.
Contents: Why · Quick start · Example · Requirements · Tools · Skills · Result envelopes · Safety · Configuration · Troubleshooting · Local development
Why
A second model is a cheap, high-value check. codex-in-claude lets a Claude Code session hand
Codex a question, a diff to review, or a task to implement — and get back a structured,
safe-by-default result you stay in control of.
Tier | Codex sandbox | Where edits go | Use for |
|
| nothing — text/findings only | questions, second opinions |
|
| nothing — structured findings | reviewing your git changes |
|
| isolated worktree → returns a reviewable diff, never auto-applied | delegating a coding task |
Planned later milestone: an explicit opt-in apply tier for live-tree edits. It is not exposed by
the current tool set.
Related MCP server: claude-code-codex-agents
Quick start
First, in a terminal, make sure the codex CLI is installed and log in (a no-op if you already are):
codex loginThen, inside a Claude Code session, add the marketplace and install the plugin:
/plugin marketplace add briandconnelly/codex-in-claude
/plugin install codex-in-claudeThen run /codex:status in Claude Code. It is free (no model call) and checks that the codex
CLI is found, authenticated, and within the tested compatibility range.
For a first useful run:
/codex:consult is this approach sound?for a read-only second opinion./codex:reviewto review your current git changes./codex:delegate add focused tests for this behaviorto get a proposed diff in an isolated worktree.
The MCP server is launched on demand via uvx from a pinned PyPI release, so updates are deliberate.
Example
Review your uncommitted changes from a Claude Code session:
/codex:review
Codex inspects the diff read-only and returns a structured result envelope (abridged):
{
"ok": true,
"tool": "codex_review_changes",
"verdict": "concerns",
"confidence": "high",
"summary": "The retry path is correct, but the backoff delay leaks between calls and the new branch has no test coverage.",
"findings": [
{
"severity": "high",
"title": "Backoff delay is never reset after a success",
"file": "src/app/retry.py",
"line": 42,
"evidence": "self._delay keeps its last value once a call succeeds",
"risk": "A later transient failure starts from an inflated delay, adding latency.",
"recommendation": "Reset self._delay to the base delay in the success branch."
}
],
"next_steps": ["Add a regression test asserting the delay resets after a success"],
"meta": { "scope": "working_tree", "sandbox": "read-only", "elapsed_ms": 8137 }
}verdict is one of pass / concerns / fail / unknown; confidence is low / medium /
high; every finding carries a severity (critical … nit) plus evidence, risk, and
recommendation. The envelope above is abridged — meta (always present, with cwd, tier,
sandbox, isolation, and timing), request_id, raw_response, and other fields are trimmed for
brevity; see docs/REFERENCE.md for the complete shape.
Requirements
macOS or Linux (POSIX). Windows is not supported natively — the async-job safety layer (file locks, process groups, signal-driven cancellation) is POSIX-only. Run it under WSL2 on Windows. See
COMPATIBILITY.mdfor the platform contract.The
codexCLI onPATH, authenticated (codex login— ChatGPT or API key). Tested againstcodex-cli 0.144; the supported range lives incli_contract.py,/codex:statusreports whether your version is in range, andCOMPATIBILITY.mdexplains the policy.uvonPATH(Claude Code launches the MCP server withuvx).Python 3.11+ available to
uvx.git(for review and delegate).
Tools
Active (call the model and may spend tokens):
codex_consult(question, …)— read-only second opinion / answer.codex_review_changes(scope, base, commit, paths, …)— reviewworking_tree/branch/commit; returns structured findings.codex_delegate(task, …)— implement a task in an isolated worktree; returns a reviewablediffthat is not applied.codex_consult_async(question, …),codex_review_changes_async(scope, base, commit, paths, …),codex_delegate_async(task, …)— detached variants of the three active tools, taking the same arguments as their synchronous forms: each returns ajob_idimmediately. Starting a job commits to spend (it runs to completion or its deadline); poll withcodex_job_status/codex_job_result.
Free (local only):
codex_status— readiness, version, auth, resolved defaults, and arate_limitblock (remaining Codex quota for the 5-hour/weekly windows, from the latest paid run that emitted usable quota data;statusisavailable/limited/exhausted/unknown). Advisory — informs whether to spend; a paid run without usable quota data leaves the prior snapshot, or the unknown state, unchanged.codex_transfer(transcript_path, …)— hand off the current Claude Code session to a resumable Codex thread; returnsresume_command(codex resume <thread_id>) to continue that exact conversation in Codex. No model call or token spend (a local file conversion via the experimentalcodex app-server), but it does create a thread in$CODEX_HOME. Not idempotent for a live session — Codex dedups only a byte-identical transcript, so re-running mid-session makes a new thread. Experimental.codex_dry_run(scope, …)— preview a review's scope/diff size/redactions before spending.codex_delegate_dry_run(task, …)— preview a delegate's seeded baseline (HEAD commit, plus tracked, uncommitted, and untracked counts and size) and prompt size before spending; no worktree is created.codex_capabilities— tool inventory + result fingerprint.codex_models— advisory catalog of validmodelslugs, read from Codex's on-disk cache with a bundled static fallback; also browsable as thecodex://modelsresource. Discovery only —modelstays pass-through, so an unlisted slug still works andcodex execvalidates it.codex_job_status(job_id, …)/codex_job_result/codex_job_consume_result/codex_job_cancel/codex_job_list— background-job lifecycle. State is disk-backed and survives server restarts. Honorpoll_after_msrather than polling in a tight loop; deadlines, eviction, and result retention are covered indocs/REFERENCE.md.
Slash commands wrap these: /codex:status, /codex:transfer, /codex:consult, /codex:review,
/codex:delegate, /codex:delegate-async, /codex:dry-run.
Active tools send the prompt and relevant context/diffs to OpenAI through the codex CLI. Treat
Codex's output as claims to verify, not as instructions to follow blindly.
Skills
The plugin ships one Claude Code skill, auto-discovered from skills/:
collaborating-with-codex— the router and shared safety contract for every Codex workflow. It selects ordinary consult, review, delegate, transfer, and async tools directly, and loads references on demand for independent-attempt or declared review–revise composition. A one-off critique or judgment remains an ordinary route rather than a separate deliberation mode.
Result envelopes
Every result discriminates first on ok. On success, completed consult, review, and delegate calls
share their active-result fields; review alone adds verdict/confidence, and delegate alone adds
the proposed diff. Discovery, dry-run, transfer, async-start, and job-lifecycle tools have their
own success schemas. A fetched job result matches its originating consult, review, or delegate tool,
so branch on that result type before reading fields. Failure is a uniform, machine-actionable
error with a stable code and symbolic repair hint. The contract is versioned by fingerprint.
Calling the MCP tools directly instead of through the /codex:* commands? See
docs/REFERENCE.md for the full contract — every error field, rate-limit
reporting (meta.rate_limit), background-job semantics, and workspace selection (workspace_root).
Safety
consultandrevieware strictly read-only.propose(thedelegatetools) lets Codex write, but only inside a throwaway git worktree seeded fromHEADplus replayable uncommitted tracked changes. Untracked files are not copied. Your working tree is never modified by the plugin; you review the returned diff and apply it yourself. Delegate's no-network sandbox (workspace-write) blocks egress only for commands Codex runs in the sandbox — it does not mean nothing leaves the machine: the model call still sends your task and repo context to OpenAI.Supplied prompts and context (
question,task,extra_context, and similar author input) are sent raw. During every active call — including consult — Codex may read other files in the resolved workspace, and it also auto-loads context from that workspace: the project'sAGENTS.mdand any skills under.agents/skills/can be sent to OpenAI even if your prompt never mentions them (for delegate, the versions seeded into the throwaway worktree auto-load there). The plugin's isolation flags do not suppress this project-level context; details and the unverified edge cases are inCOMPATIBILITY.md. Best-effort redaction protects gathered diffs and returned free text (summary,findings,raw_response.text): secret-looking file hunks are dropped, and inline matches become[redacted: secret value]. It is output/diff defense-in-depth, not input protection or a guarantee; do not target a workspace containing secrets you cannot disclose.The plugin never passes Codex's
--dangerously-bypass-*flags.Found a vulnerability? Report it privately — see
SECURITY.md.
Configuration (env, CODEX_IN_CLAUDE_*)
Var | Default | Meaning |
| unset | Codex model override |
| unset | Codex reasoning-effort override, sent as a |
| 180 | per-call timeout (clamped 10–600) |
|
|
|
| unset | extra global |
| 200000 | byte cap on author input: gathered diffs are truncated to it, author text above it is rejected with |
| 200000 | cap on the inline diff a delegate run returns; larger diffs are truncated with |
| 10485760 | byte cap for captured stdout (head+tail window; run not killed); stderr is bounded to a separate ~1 MiB reserve |
| 60 | git command timeout |
|
| disk-backed background-job records |
| 86400 | seconds a finished job record is kept (min 60) |
| 1800 | background-job wall-clock cap (clamped 60–7200) |
| 50 | retained jobs per workspace (clamped 1–1000) |
|
| where the cached rate-limit snapshot is stored |
| 1800 | snapshot age beyond which |
| built-in tested set | comma-separated |
|
| server diagnostic log level ( |
| unset | also mirror diagnostic logs to this file path |
| unset | set to |
Two further variables, CODEX_IN_CLAUDE_TIER_DEFAULT and CODEX_IN_CLAUDE_SANDBOX_DEFAULT, exist
ahead of the planned apply tier. They only change the defaults codex_status reports — every
shipped tool pins its own tier and sandbox and ignores them.
Troubleshooting
Run /codex:status first — it's free (no model call) and diagnoses most setup problems.
Symptom | Cause | Fix |
| CLI not installed or not on | |
Not authenticated | No Codex login |
|
Unsupported-version warning | Your | Update |
| Server fell back to its own launch directory | Run from the target repo, or pass |
| The temp worktree is seeded from | Make at least one commit first |
| Account hit a usage/rate limit | Back off for |
| The stdio MCP server is down | Reconnect with the |
A stdio MCP server can't be transparently auto-restarted (the client owns the pipe and the
initialize handshake), so recovery is a manual reconnect. On a fatal crash the server writes a
breadcrumb to stderr (server name, version, reason, and a /mcp reconnect hint) before exiting,
and logs clean disconnects (EOF / broken pipe / SIGINT / SIGTERM) as shutdown rather than crashes
— so the server logs tell you whether it died or was stopped.
If the MCP server is down, you can fall back to the codex CLI directly for a read-only consult or
review (prompt on stdin; set WORKSPACE to a directory you approve for disclosure):
WORKSPACE=/absolute/approved/path codex exec --sandbox read-only --ephemeral \
--ignore-user-config --ignore-rules --disable remote_plugin \
--cd "$WORKSPACE" --skip-git-repo-check -Keep every flag — together they apply the plugin's guarantee-bearing flags at its strictest config
isolation — but this still bypasses the plugin's diff gathering, secret redaction, input-byte
bounding, and structured envelope, so sanitize input yourself and prefer restoring the server. See
the collaborating-with-codex skill for the full fallback guidance.
Local development
uv sync
uv run pytest # unit tests (95% coverage floor)
uv run pytest -m integration --no-cov # live tests; needs codex installed + logged in
uv run codex-in-claude-mcp # run the MCP server over stdioThe full pre-PR gate — lint, format, types, tests — is defined once in
AGENTS.md → Tooling.
To test the plugin from a local checkout, point .mcp.json at
uv run --project /path/to/codex-in-claude codex-in-claude-mcp instead of the version-pinned
uvx --from codex-in-claude==<version> invocation it ships with.
See CONTRIBUTING.md for branch, commit, and PR conventions.
Related projects
claude-in-codex— the mirror image: lets Codex call Claude Code.Inspired by
openai/codex-plugin-cc, rebuilt aroundcodex execfor robustness: every paid call goes through it, and onlycodex_transfertouches the experimental app-server protocol.
License
MIT
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/briandconnelly/codex-in-claude'
If you have feedback or need assistance with the MCP directory API, please join our Discord server