Codex CLI MCP Setup
Connect Codex CLI to MCP with scoped AGENTS.md rules, safe permissions, and a verification loop your team can review.

Use Codex CLI with MCP when you want OpenAI Codex to work against real engineering context without pasting credentials, docs, tickets, or repo state into every prompt. The safe setup is simple: connect only the MCP servers Codex needs, describe the boundary in AGENTS.md, and require a verification loop before any diff is ready for review.
OpenAI Codex, OpenAI’s coding agent, is strongest in production codebases when the workflow is explicit. MCP is a protocol for exposing tools and context from external systems to an agent through a controlled server boundary. For Codex CLI workflows, that means your team can make useful context available while still keeping access narrow, auditable, and easy to turn off.
Put the MCP boundary in the repo, not in someone’s head
The first job is to decide what Codex may read, what it may write, and what it must never touch. Do this before adding a codex mcp server to a shared workflow.
As of July 1, 2026, the official Codex changelog lists Codex CLI 0.142.5. I would treat a point release as a good moment to re-check team workflow habits, not as a reason to loosen permissions by default.
Prerequisites:
- A repo that already runs locally.
- Codex CLI installed and authenticated.
- At least one MCP server you want Codex to use.
- A root
AGENTS.mdfile, plus nested files for high-risk areas like billing, auth, migrations, or deployment code.
Step 1: name the boundary.
Write down the systems the MCP server touches. For example, a GitHub MCP server might read issues and pull requests, while a docs MCP server might read internal architecture pages.
Step 2: make the first server read-only.
Start with read access unless there is a concrete reason to allow writes. A read-only codex cli mcp server is still useful for issue context, API docs, design notes, and release constraints.
Step 3: record the rule in AGENTS.md.
Put the permission rule where Codex will see it during normal CLI work. This matters because the reviewer should not need to reconstruct your safety model from shell history.
Step 4: verify with a harmless task.
Ask Codex to summarize an issue, inspect the repo, and propose a plan without editing files. The setup works when the answer cites the right context, avoids private areas, and produces no diff.
The trap is adding MCP like a convenience plugin. Treat it like a production integration. If it can see customer data, deployment state, or private tickets, it deserves a named boundary.
For more on the broader operating model, keep this inside your team’s Codex CLI workflows rather than as a one-off local setup.
Teach Codex how to use context before it edits
Once the MCP boundary exists, tell Codex how to turn that context into code work. Good AGENTS.md instructions are short, local, and testable.
A practical root rule might say: “Use MCP context to understand the ticket and constraints, but do not copy external text into source files unless the user asks.” A nested services/payments/AGENTS.md might add: “Do not change settlement logic without adding or updating reconciliation tests.”
That kind of rule helps the codex agent slow down at the right places. It also gives the human reviewer something concrete to check.
Step 1: put durable rules in AGENTS.md.
Use AGENTS.md for architecture constraints, verification commands, data-handling rules, and review expectations. Do not use it for task-specific instructions that only belong in today’s prompt.
Step 2: scope risky directories with nested files.
A payments service, auth middleware, or database migration folder should have local rules. Local scope beats one giant root instruction file because it gives Codex the right caution exactly where it needs it.
Step 3: include the expected verification command.
For a TypeScript API repo, that might be pnpm test -- --runInBand services/billing or pnpm lint && pnpm test. For a Rails app, it might be bin/rails test test/models/invoice_test.rb.
Step 4: ask Codex to explain the rule it is following.
Before edits, ask for a short plan that names the relevant AGENTS.md file and MCP context. The setup works when the plan references the right boundary without dumping secrets or unrelated docs.
The trap is writing AGENTS.md like a policy binder. Codex needs crisp operating rules, not a novella. If a rule cannot change a diff or a command, it probably does not belong there.
Keep the CLI loop reviewable
A good Codex CLI session should leave a reviewer with three things: the task, the changed files, and the verification result. That is the whole loop.
For a real repo, imagine a bug where refunds fail when an invoice has multiple partial payments. Codex can use MCP to read the issue, inspect the payment service, update the refund calculation, and run the focused test. The reviewer should not need to replay the chat to understand why the change exists.
Step 1: start with a small task.
Ask for one bug, one test, or one refactor boundary. “Fix refund rounding for partial payments and add the missing regression test” is better than “clean up billing.”
Step 2: require a plan before edits.
The plan should name files, risks, and verification commands. This gives you a pause point before Codex changes production code.
Step 3: run the verification command in the CLI loop.
Let Codex run the narrow test first, then the broader suite if the change touches shared code. Verification is not polish; it is how you convert agent output into reviewable engineering work.
Step 4: review the diff, not the vibe.
Use git diff, test output, and the AGENTS.md boundary. The setup works when a teammate can review the pull request without trusting the chat transcript.
The trap is accepting a fluent explanation with an unverified diff. Codex training for engineering teams should make verification boring and automatic.
If your team also runs remote agent tasks, this pairs well with the handoff pattern in Codex Remote in Real Repos.
Use this integration checklist
Paste this into your repo issue, pull request template, or internal Codex workshop notes. It is intentionally small. Small checklists survive busy weeks.
# Codex CLI MCP integration checklist
## MCP boundary
- [ ] Name the MCP server: __________________________
- [ ] Purpose: read issue context / read docs / inspect PRs / other: __________
- [ ] Default mode is read-only.
- [ ] Write access is disabled unless this task explicitly needs it.
- [ ] Secrets, customer data, production consoles, and deploy actions are out of scope.
## AGENTS.md rules
- [ ] Root AGENTS.md explains how Codex may use MCP context.
- [ ] Risky directories have nested AGENTS.md files.
- [ ] Each nested file includes the local verification command.
- [ ] Rules are short enough for a reviewer to check quickly.
## CLI workflow
- [ ] Codex states a plan before editing files.
- [ ] The plan names relevant files, tests, and MCP context.
- [ ] The first task is small enough for one reviewable diff.
- [ ] Codex runs the narrow verification command.
- [ ] Codex reports changed files and test results in the handoff.
## Review
- [ ] Reviewer can understand the change from the diff and handoff.
- [ ] No sensitive MCP context was copied into source, tests, logs, or PR text.
- [ ] Any failed verification is listed with the exact command and failure.
The checklist works because it joins permissions, instructions, CLI behavior, and review in one place. The trap is splitting those across Slack, local shell config, and memory.
Best ways to use this research
- Best for: Teams connecting Codex CLI MCP to repo work without giving tools broad write access.
- Best first artifact: The Codex CLI MCP integration checklist above.
- Best comparison angle: Compare a read-only MCP task with a write-capable task, then promote writes only after the read-only loop is boring.
Common questions
-
How do I set up Codex CLI with MCP safely?
Start with one read-only MCP server, then describe its purpose and limits in AGENTS.md. The citable rule is simple: no write access, secrets, customer data, production consoles, or deploy actions until a human explicitly approves that boundary for the task.
-
Do I need a separate codex mcp server for every system?
Not always, but separate servers make boundaries easier to reason about. A docs server, issue tracker server, and repository server can each have different permissions; one catch-all integration is convenient, but it is harder to audit and harder to disable safely.
-
Where should AGENTS.md mention MCP permissions?
Put broad MCP rules in the root AGENTS.md and local exceptions in nested AGENTS.md files. A billing folder can require reconciliation tests, while an auth folder can forbid token-handling changes without a focused test and human review.
-
What proves the Codex CLI MCP setup is working?
A harmless read-only task is the best proof. Ask Codex to inspect a ticket through MCP, read the relevant repo files, propose a plan, and make no edits; success means it finds the right context and respects the boundary.
-
Should Codex ever write through MCP?
Yes, but only after the read-only workflow is boring and reliable. Write access should be task-specific, reversible, and reviewed like a production permission change; for many teams, code edits in Git plus human-reviewed pull requests are the safer default.
Further reading
- OpenAI Developers - Codex quickstart
- OpenAI Developers - Codex CLI
- OpenAI Developers - Codex CLI features
- OpenAI Developers - Codex slash commands
- Model Context Protocol - specification
- GitHub - openai/codex
- GitHub - openai/skills
Start with one safe server
Add one read-only MCP server, write the AGENTS.md boundary, and run a no-edit verification task. Once that feels boring, let Codex make one small diff and prove it with tests.
One methodology lens
One useful way to read this through our methodology is the Plan step: delegate first-pass decomposition and dependency mapping, review the sequencing and assumptions, and keep ownership of scope and priorities. If that split is still fuzzy, the workflow usually is too.
Related training topics
Related research

Codex CLI, Appshots, and Goal Mode
A practical Codex CLI comparison for codex cli vs claude code, with AGENTS.md, MCP, and verification loops.

Codex CLI 0.132.0: workflows and integrations
Codex CLI 0.132.0 tightens AGENTS.md, MCP, and verification loops for reviewable diffs.

Codex governance: four contracts that hold in review
A codex governance note for engineering teams: the slash catalog, verification latch, browser bridge note, and model pin that keep Codex CLI work reviewable.