chatgpt-codex-tools-mcp
Provides tools for inspecting git state, including status and diff, and allows limited git commands through a review workflow.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@chatgpt-codex-tools-mcpshow git diff for my workspace"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
简体中文 | English
chatgpt-codex-tools-mcp
A local MCP server that gives ChatGPT a constrained, Codex-style toolbox for working with your own projects.
ChatGPT does the reasoning. This server provides workspace-scoped file reading, search, Git inspection, preview-before-confirm edits, structured process execution without a shell, and optional web and SQLite tools.
Community project; not affiliated with OpenAI or Codex.
The MCP endpoint has no application-layer authentication. Keep it bound to
127.0.0.1and connect through a private MCP tunnel. Do not expose it directly to the public internet.
Highlights
Local HTTP MCP endpoint:
http://127.0.0.1:3333/mcpWorkspace boundary through
CTM_ALLOWED_ROOTSBuilt-in deny rules for common private files and sensitive paths
Preview-then-confirm file and SQLite writes
Structured
command+args[]execution; no shell syntax or shell toolForeground and managed background processes with time/output limits
Best-effort secret redaction on tool output
Optional SearXNG search and public HTTP fetch, disabled by default
Optional allowlisted SQLite reads and bounded structured writes, disabled by default
Windows initializer and launchers for the MCP server and private tunnel
Related MCP server: BridgeDesk
Requirements
Node.js 20 or newer for the core server; Node.js 24 is recommended
npm
A ChatGPT custom connector with Secure MCP Tunnel support
OpenAI
tunnel-clientwhen ChatGPT must reach this local endpointSQLite tools require a runtime with
node:sqlitesupport (Node.js 22.5+; Node.js 24+ recommended)
On Windows, scripts/start-mcp.ps1 looks for Node in this order:
Codex bundled runtime under
%LOCALAPPDATA%\OpenAI\Codex\runtimes\cua_nodeOPENCLAW_NODE_BINnodeonPATH
Windows quick start
1. Get the project
Download the ZIP attached to the latest GitHub Release and extract it, or clone:
git clone https://github.com/Kerberos255/chatgpt-codex-tools-mcp.git
cd chatgpt-codex-tools-mcp2. Initialize once
Run:
init-windows.cmdThe initializer:
asks for narrow allowed workspace roots, such as
D:\Projectsinstalls npm dependencies and builds
dist/server.jslocates your local
tunnel-client.execreates an ignored local
config.jsoncreates local-only MCP and tunnel launchers
Generated local files include:
config.json
start-mcp.local.cmd
start-tunnel.local.cmd
start-tunnel.local.ps1CONTROL_PLANE_API_KEY is not stored. The tunnel launcher reads it from the
current environment or asks for it using a hidden prompt.
3. Start MCP and tunnel
Run:
start-all.cmdKeep both opened windows running while the ChatGPT connector is in use.
Single-purpose launchers are also available:
start-mcp.cmd # local MCP server only
start-tunnel.cmd # private tunnel only, after initialization4. Configure ChatGPT
Create a custom connector that uses the private tunnel and choose
No Authentication. The local server itself should remain bound to
127.0.0.1.
Manual installation (Windows, macOS, Linux)
git clone https://github.com/Kerberos255/chatgpt-codex-tools-mcp.git
cd chatgpt-codex-tools-mcp
npm ci
npm run buildCreate your local configuration from the public template:
cp config.example.json config.jsonOn Windows PowerShell:
Copy-Item config.example.json config.jsonEdit config.json, then start:
npm startEnvironment variables and explicit PowerShell parameters override
config.json. Without a config file, conservative defaults are used.
Connection path
ChatGPT custom connector
-> private Secure MCP Tunnel
-> tunnel-client on your machine
-> http://127.0.0.1:3333/mcp
-> chatgpt-codex-tools-mcp
-> allowed local workspaces onlyHealth endpoint:
http://127.0.0.1:3333/healthzA raw GET request to /mcp may return No valid MCP session; that is normal
until an MCP session has been initialized.
Tools
Group | Tools | Purpose |
Meta |
| Show version, access mode, roots, limits, and optional feature status. |
Workspace |
| Open a directory under |
Read |
| Inspect project content without writing. |
Git |
| Review working-tree state and staged/unstaged diffs. |
Edit |
| Preview and then apply bounded multi-file edits. |
Process |
| Run structured local executables without a shell. |
SQLite |
| Optional allowlisted database inspection and structured writes. |
Web |
| Optional SearXNG search and public HTTP fetch. |
Optional web and SQLite tools are registered only when enabled. Their status tools remain available for diagnostics.
Recommended workflow
open_workspace
-> inspect with read/search/tree and git tools
-> preview_edit
-> review the diff
-> confirm_editFor processes, pass a real executable and an argv array:
{
"command": "npm",
"args": ["run", "build"]
}Pipes, redirects, command chaining, shell expansion, and shell builtins are not supported.
Access modes
CTM_ACCESS_MODE=review # default
CTM_ACCESS_MODE=fullreviewpermits a small inspection/test process allowlist.fullpermits broader structured executables.Both modes still block direct shells (
cmd, PowerShell,sh,bash) and dangerous process patterns.Specialized read, Git, edit, web, and SQLite tools should be preferred over generic process execution.
Configuration
config.example.json is the public template. config.json is local, generated
or copied by the user, and ignored by Git.
{
"mcp": {
"host": "127.0.0.1",
"port": 3333,
"allowedRoots": ["D:\\Projects"],
"accessMode": "review",
"denyGlobs": ["**/.env", "**/key.txt"],
"maxReadBytes": 200000,
"maxOutputBytes": 200000
},
"runtime": {
"codexRuntimeRoot": "",
"fallbackNodeBin": "",
"npmCache": ""
},
"proxy": {
"url": "",
"noProxy": "127.0.0.1,localhost,::1",
"nodeUseEnvProxy": false
},
"web": {
"enabled": false,
"searchProvider": "none",
"searxngUrl": "",
"maxBytes": 200000,
"timeoutMs": 15000
},
"sqlite": {
"enabled": false,
"allowedDbs": [],
"maxRows": 100
},
"environment": {}
}Common environment overrides:
Setting | Environment variable | Default |
Host / port |
|
|
Allowed roots |
| current project directory |
Access mode |
|
|
Extra deny rules |
| built-in deny list |
Read/output caps |
|
|
Web tools |
| disabled |
Search provider |
|
|
Web limits |
|
|
SQLite tools |
| disabled |
SQLite allowlist |
| empty |
SQLite row cap |
|
|
Config path |
|
|
See env.example for advanced runtime and proxy overrides.
Do not put tunnel runtime keys in config.json. Keep
CONTROL_PLANE_API_KEY in the current environment or another private local
mechanism.
Optional web tools
Enable in config.json:
{
"web": {
"enabled": true,
"searchProvider": "searxng",
"searxngUrl": "http://127.0.0.1:8888"
}
}web_searchqueries only the configured SearXNG instance.web_fetchaccepts public HTTP(S) URLs and blocks localhost, private network targets, embedded credentials, and unsafe redirects.No cookies, browser login state, authorization headers, or client certificates are forwarded.
Optional SQLite tools
Enable SQLite and list exact database paths:
{
"sqlite": {
"enabled": true,
"allowedDbs": ["D:\\Data\\app.sqlite"],
"maxRows": 100
}
}sqlite_schemareads schema metadata.sqlite_selectaccepts one read-onlySELECT/WITHor safePRAGMA.Writes use
sqlite_preview_changefollowed bysqlite_confirm_change.Insert, bounded update/delete, expected-field revalidation, and
jsonSetdot paths such asjob_json.enabledare supported.Raw write SQL and subqueries are not exposed.
File edit operations
preview_edit accepts multi-file batches with these operation types:
replace_text replace_range insert_before insert_after
append create overwrite rename deleteThe preview returns an action id and per-file diffs. confirm_edit rechecks
workspace and deny boundaries before applying the batch. File batches are not
transactional, so keep related edits small and review the entire preview.
Security rules
Keep
HOST=127.0.0.1.Use narrow allowed roots; never use an entire system drive or
/.Keep
reviewmode unless broader process execution is required.Do not expose the endpoint directly to the internet.
Keep web and SQLite tools disabled unless needed.
Treat redaction as a final safety net, not the primary boundary.
Review every edit and SQLite preview before confirming.
See SECURITY.md for the full policy.
Development
npm ci
npm run typecheck
npm run build
npm test
npm run checkThe test suite covers configuration precedence, glob matching, secret redaction, optional SQLite loading, repository/version consistency, and CI/CD gates.
CI and releases
Pull requests run CI on Node.js 20 and 24, smoke-test the HTTP server, parse all PowerShell scripts on Windows, and perform a release-package dry run.
Pushing a tag that exactly matches package.json, such as v0.4.8, triggers
the Release workflow. It verifies that the tagged commit belongs to main,
runs the full checks, builds a ZIP containing source plus compiled dist,
generates SHA256SUMS.txt, and creates the GitHub Release.
Troubleshooting
ChatGPT asks for login
Create a new connector and choose No Authentication. Old connector settings may retain a previous OAuth choice.
Path is outside allowed roots
Add the project parent directory to mcp.allowedRoots or
CTM_ALLOWED_ROOTS, then restart the server.
Process command is blocked
Use specialized tools first. In review mode, only the small process allowlist
is accepted. Shell executables and shell syntax are blocked in every mode.
SQLite tools are unavailable
Enable SQLite, add an exact database path, and use a Node runtime with
node:sqlite support. sqlite_status reports whether the current runtime has
that module.
dist/server.js is missing
npm ci
npm run buildTunnel client is missing
Download tunnel-client from OpenAI Platform tunnel settings, place it at the
path shown by init-windows.cmd, and rerun initialization.
Repository boundaries
The repository and Release package do not include:
node_moduleslocal
config.jsontunnel runtime keys
generated local launchers
logs or workspace data
License
MIT. See LICENSE.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Kerberos255/chatgpt-codex-tools-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server