Chatgpt Codex Tools
БесплатноНе проверенEnables ChatGPT to inspect and edit local projects through a secure MCP interface, offering workspace management, file operations, git integration, and safe com
Описание
Enables ChatGPT to inspect and edit local projects through a secure MCP interface, offering workspace management, file operations, git integration, and safe command execution.
README
简体中文 | English
chatgpt-codex-tools-mcp
A local MCP server that gives ChatGPT a constrained, Codex-style toolbox for working with your own projects.
ChatGPT does the reasoning. This server provides workspace-scoped file reading, search, Git inspection, preview-before-confirm edits, structured process execution without a shell, and optional web and SQLite tools.
Community project; not affiliated with OpenAI or Codex.
The MCP endpoint has no application-layer authentication. Keep it bound to
127.0.0.1and connect through a private MCP tunnel. Do not expose it directly to the public internet.
Highlights
- Local HTTP MCP endpoint:
http://127.0.0.1:3333/mcp - Workspace boundary through
CTM_ALLOWED_ROOTS - Built-in deny rules for common private files and sensitive paths
- Preview-then-confirm file and SQLite writes
- Structured
command+args[]execution; no shell syntax or shell tool - Foreground and managed background processes with time/output limits
- Best-effort secret redaction on tool output
- Optional SearXNG search and public HTTP fetch, disabled by default
- Optional allowlisted SQLite reads and bounded structured writes, disabled by default
- Windows initializer and launchers for the MCP server and private tunnel
Requirements
- Node.js 20 or newer for the core server; Node.js 24 is recommended
- npm
- A ChatGPT custom connector with Secure MCP Tunnel support
- OpenAI
tunnel-clientwhen ChatGPT must reach this local endpoint - SQLite tools require a runtime with
node:sqlitesupport (Node.js 22.5+; Node.js 24+ recommended)
On Windows, scripts/start-mcp.ps1 looks for Node in this order:
- Codex bundled runtime under
%LOCALAPPDATA%\OpenAI\Codex\runtimes\cua_node OPENCLAW_NODE_BINnodeonPATH
Windows quick start
1. Get the project
Download the ZIP attached to the latest GitHub Release and extract it, or clone:
git clone https://github.com/Kerberos255/chatgpt-codex-tools-mcp.git
cd chatgpt-codex-tools-mcp
2. Initialize once
Run:
init-windows.cmd
The initializer:
- asks for narrow allowed workspace roots, such as
D:\Projects - installs npm dependencies and builds
dist/server.js - locates your local
tunnel-client.exe - creates an ignored local
config.json - creates local-only MCP and tunnel launchers
Generated local files include:
config.json
start-mcp.local.cmd
start-tunnel.local.cmd
start-tunnel.local.ps1
CONTROL_PLANE_API_KEY is not stored. The tunnel launcher reads it from the
current environment or asks for it using a hidden prompt.
3. Start MCP and tunnel
Run:
start-all.cmd
Keep both opened windows running while the ChatGPT connector is in use.
Single-purpose launchers are also available:
start-mcp.cmd # local MCP server only
start-tunnel.cmd # private tunnel only, after initialization
4. Configure ChatGPT
Create a custom connector that uses the private tunnel and choose
No Authentication. The local server itself should remain bound to
127.0.0.1.
Manual installation (Windows, macOS, Linux)
git clone https://github.com/Kerberos255/chatgpt-codex-tools-mcp.git
cd chatgpt-codex-tools-mcp
npm ci
npm run build
Create your local configuration from the public template:
cp config.example.json config.json
On Windows PowerShell:
Copy-Item config.example.json config.json
Edit config.json, then start:
npm start
Environment variables and explicit PowerShell parameters override
config.json. Without a config file, conservative defaults are used.
Connection path
ChatGPT custom connector
-> private Secure MCP Tunnel
-> tunnel-client on your machine
-> http://127.0.0.1:3333/mcp
-> chatgpt-codex-tools-mcp
-> allowed local workspaces only
Health endpoint:
http://127.0.0.1:3333/healthz
A raw GET request to /mcp may return No valid MCP session; that is normal
until an MCP session has been initialized.
Tools
| Group | Tools | Purpose |
|---|---|---|
| Meta | local_status |
Show version, access mode, roots, limits, and optional feature status. |
| Workspace | open_workspace |
Open a directory under CTM_ALLOWED_ROOTS and return a workspaceId. |
| Read | list_dir, read_file, search_files, find_files, project_tree |
Inspect project content without writing. |
| Git | git_status, git_diff |
Review working-tree state and staged/unstaged diffs. |
| Edit | preview_edit, confirm_edit |
Preview and then apply bounded multi-file edits. |
| Process | exec_process, process_start, process_read, process_stop |
Run structured local executables without a shell. |
| SQLite | sqlite_status, sqlite_schema, sqlite_select, sqlite_preview_change, sqlite_confirm_change |
Optional allowlisted database inspection and structured writes. |
| Web | web_status, web_search, web_fetch |
Optional SearXNG search and public HTTP fetch. |
Optional web and SQLite tools are registered only when enabled. Their status tools remain available for diagnostics.
Recommended workflow
open_workspace
-> inspect with read/search/tree and git tools
-> preview_edit
-> review the diff
-> confirm_edit
For processes, pass a real executable and an argv array:
{
"command": "npm",
"args": ["run", "build"]
}
Pipes, redirects, command chaining, shell expansion, and shell builtins are not supported.
Access modes
CTM_ACCESS_MODE=review # default
CTM_ACCESS_MODE=full
reviewpermits a small inspection/test process allowlist.fullpermits broader structured executables.- Both modes still block direct shells (
cmd, PowerShell,sh,bash) and dangerous process patterns. - Specialized read, Git, edit, web, and SQLite tools should be preferred over generic process execution.
Configuration
config.example.json is the public template. config.json is local, generated
or copied by the user, and ignored by Git.
{
"mcp": {
"host": "127.0.0.1",
"port": 3333,
"allowedRoots": ["D:\\Projects"],
"accessMode": "review",
"denyGlobs": ["**/.env", "**/key.txt"],
"maxReadBytes": 200000,
"maxOutputBytes": 200000
},
"runtime": {
"codexRuntimeRoot": "",
"fallbackNodeBin": "",
"npmCache": ""
},
"proxy": {
"url": "",
"noProxy": "127.0.0.1,localhost,::1",
"nodeUseEnvProxy": false
},
"web": {
"enabled": false,
"searchProvider": "none",
"searxngUrl": "",
"maxBytes": 200000,
"timeoutMs": 15000
},
"sqlite": {
"enabled": false,
"allowedDbs": [],
"maxRows": 100
},
"environment": {}
}
Common environment overrides:
| Setting | Environment variable | Default |
|---|---|---|
| Host / port | HOST, PORT |
127.0.0.1, 3333 |
| Allowed roots | CTM_ALLOWED_ROOTS |
current project directory |
| Access mode | CTM_ACCESS_MODE |
review |
| Extra deny rules | CTM_DENY_GLOBS |
built-in deny list |
| Read/output caps | CTM_MAX_READ_BYTES, CTM_MAX_OUTPUT_BYTES |
200000 |
| Web tools | CTM_WEB_TOOLS |
disabled |
| Search provider | CTM_SEARCH_PROVIDER, CTM_SEARXNG_URL |
none |
| Web limits | CTM_WEB_MAX_BYTES, CTM_WEB_TIMEOUT_MS |
200000, 15000 |
| SQLite tools | CTM_SQLITE_TOOLS |
disabled |
| SQLite allowlist | CTM_SQLITE_ALLOWED_DBS |
empty |
| SQLite row cap | CTM_SQLITE_MAX_ROWS |
100 |
| Config path | CTM_CONFIG_PATH |
<project>/config.json |
See env.example for advanced runtime and proxy overrides.
Do not put tunnel runtime keys in config.json. Keep
CONTROL_PLANE_API_KEY in the current environment or another private local
mechanism.
Optional web tools
Enable in config.json:
{
"web": {
"enabled": true,
"searchProvider": "searxng",
"searxngUrl": "http://127.0.0.1:8888"
}
}
web_searchqueries only the configured SearXNG instance.web_fetchaccepts public HTTP(S) URLs and blocks localhost, private network targets, embedded credentials, and unsafe redirects.- No cookies, browser login state, authorization headers, or client certificates are forwarded.
Optional SQLite tools
Enable SQLite and list exact database paths:
{
"sqlite": {
"enabled": true,
"allowedDbs": ["D:\\Data\\app.sqlite"],
"maxRows": 100
}
}
sqlite_schemareads schema metadata.sqlite_selectaccepts one read-onlySELECT/WITHor safePRAGMA.- Writes use
sqlite_preview_changefollowed bysqlite_confirm_change. - Insert, bounded update/delete, expected-field revalidation, and
jsonSetdot paths such asjob_json.enabledare supported. - Raw write SQL and subqueries are not exposed.
File edit operations
preview_edit accepts multi-file batches with these operation types:
replace_text replace_range insert_before insert_after
append create overwrite rename delete
The preview returns an action id and per-file diffs. confirm_edit rechecks
workspace and deny boundaries before applying the batch. File batches are not
transactional, so keep related edits small and review the entire preview.
Security rules
- Keep
HOST=127.0.0.1. - Use narrow allowed roots; never use an entire system drive or
/. - Keep
reviewmode unless broader process execution is required. - Do not expose the endpoint directly to the internet.
- Keep web and SQLite tools disabled unless needed.
- Treat redaction as a final safety net, not the primary boundary.
- Review every edit and SQLite preview before confirming.
See SECURITY.md for the full policy.
Development
npm ci
npm run typecheck
npm run build
npm test
npm run check
The test suite covers configuration precedence, glob matching, secret redaction, optional SQLite loading, repository/version consistency, and CI/CD gates.
CI and releases
Pull requests run CI on Node.js 20 and 24, smoke-test the HTTP server, parse all PowerShell scripts on Windows, and perform a release-package dry run.
Pushing a tag that exactly matches package.json, such as v0.4.8, triggers
the Release workflow. It verifies that the tagged commit belongs to main,
runs the full checks, builds a ZIP containing source plus compiled dist,
generates SHA256SUMS.txt, and creates the GitHub Release.
Troubleshooting
ChatGPT asks for login
Create a new connector and choose No Authentication. Old connector settings may retain a previous OAuth choice.
Path is outside allowed roots
Add the project parent directory to mcp.allowedRoots or
CTM_ALLOWED_ROOTS, then restart the server.
Process command is blocked
Use specialized tools first. In review mode, only the small process allowlist
is accepted. Shell executables and shell syntax are blocked in every mode.
SQLite tools are unavailable
Enable SQLite, add an exact database path, and use a Node runtime with
node:sqlite support. sqlite_status reports whether the current runtime has
that module.
dist/server.js is missing
npm ci
npm run build
Tunnel client is missing
Download tunnel-client from OpenAI Platform tunnel settings, place it at the
path shown by init-windows.cmd, and rerun initialization.
Repository boundaries
The repository and Release package do not include:
node_modules- local
config.json - tunnel runtime keys
- generated local launchers
- logs or workspace data
License
MIT. See LICENSE.
Установка Chatgpt Codex Tools
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/Kerberos255/chatgpt-codex-tools-mcpFAQ
Chatgpt Codex Tools MCP бесплатный?
Да, Chatgpt Codex Tools MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Chatgpt Codex Tools?
Нет, Chatgpt Codex Tools работает без API-ключей и переменных окружения.
Chatgpt Codex Tools — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Chatgpt Codex Tools в Claude Desktop, Claude Code или Cursor?
Открой Chatgpt Codex Tools на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Chatgpt Codex Tools with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
