MCP Integration

Key takeaways

MCP expands what Codex can see and do, which makes it valuable for enterprise workflows and risky when tool permissions are vague.
Decide server scope, tool allowlist, data exposure, auth model, and audit trail before connecting a server.
Prefer read-only resources first, gate write or side-effect tools behind approval, and mask secrets and customer data by default.
Audit plugins and servers with codex plugin list --json, --available --json, and codex plugin marketplace list --json, and treat JSON Schema fixtures (with preserved oneOf/allOf) as part of the MCP contract.
Any tool that could change money, permissions, customer records, or production state needs human approval and audit evidence.

MCP expands what Codex can see and do. That makes it useful for enterprise workflows and risky when tool permissions are vague.

Integration Decisions

Decision	Question
Server scope	Which workspace or team may use it?
Tool allowlist	Which tools are safe for Codex to call?
Data exposure	What sensitive data can be returned?
Auth model	User OAuth, service token, or scoped credential?
Audit trail	Where are tool calls recorded?

Use codex plugin list --json, codex plugin list --available --json, and codex plugin marketplace list --json for plugin/MCP inventory audits.
Tool and connector input schemas now preserve oneOf and allOf, and large schemas keep more shallow structure when compacted. Treat JSON Schema fixtures as part of the MCP contract.
MCP startup warnings from subagents are scoped to the owning thread, so monitoring should record parent and child thread identifiers separately.
Track marketplaceSource, bundled hooks, remote MCP servers, install policy, and auth policy when approving plugins.
App and app-server surfaces can show richer MCP server state; do not collapse "missing", "disabled", "auth required", and "no tools" into the same operational error.
Treat marketplace install/upgrade output as release evidence and preserve selected/upgraded/error fields in automation logs.

If a tool could change money, permissions, customer records, or production state, it needs human approval and audit evidence.

Key takeaways

MCP expands what Codex can see and do, which makes it valuable for enterprise workflows and risky when tool permissions are vague.
Decide server scope, tool allowlist, data exposure, auth model, and audit trail before connecting a server.
Prefer read-only resources first, gate write or side-effect tools behind approval, and mask secrets and customer data by default.
Audit plugins and servers with codex plugin list --json, --available --json, and codex plugin marketplace list --json, and treat JSON Schema fixtures (with preserved oneOf/allOf) as part of the MCP contract.
Any tool that could change money, permissions, customer records, or production state needs human approval and audit evidence.

MCP expands what Codex can see and do. That makes it useful for enterprise workflows and risky when tool permissions are vague.

Decision	Question
Server scope	Which workspace or team may use it?
Tool allowlist	Which tools are safe for Codex to call?
Data exposure	What sensitive data can be returned?
Auth model	User OAuth, service token, or scoped credential?
Audit trail	Where are tool calls recorded?

Use codex plugin list --json, codex plugin list --available --json, and codex plugin marketplace list --json for plugin/MCP inventory audits.
Tool and connector input schemas now preserve oneOf and allOf, and large schemas keep more shallow structure when compacted. Treat JSON Schema fixtures as part of the MCP contract.
MCP startup warnings from subagents are scoped to the owning thread, so monitoring should record parent and child thread identifiers separately.
Track marketplaceSource, bundled hooks, remote MCP servers, install policy, and auth policy when approving plugins.
App and app-server surfaces can show richer MCP server state; do not collapse "missing", "disabled", "auth required", and "no tools" into the same operational error.
Treat marketplace install/upgrade output as release evidence and preserve selected/upgraded/error fields in automation logs.

If a tool could change money, permissions, customer records, or production state, it needs human approval and audit evidence.