Skip to content

workspace.json / Codex

Portable repository history that changes Codex’s plan before an evidenced risky edit lands.

@workspacejson/codex-mcp reads a local workspace.json and exposes it to OpenAI Codex as MCP tools plus a deterministic pre-edit hook — so Codex sees which files are fragile and which files co-change before it proposes an edit, not just when asked.

PlaneRoleAuthority
Evidenceportable workspace.json historydescriptive
ActionMCP context + deterministic hookmechanical enforcement on supported edits
Challengeread-only GPT-5.6 revieweradvisory

The reviewer never controls the hook. A PASS verdict is not a safety certification.

  1. Run the managed installer from your repository root:

    Terminal window
    npx @workspacejson/codex-mcp install --with-hook
  2. Restart Codex, then run /mcp in the TUI to confirm workspacejson is connected.

  3. Ask Codex to edit a file your workspace.json flags as fragile and watch the hook cite the evidence and any omitted co-change partner before the edit lands.

This installs MCP context, the deterministic pre-edit hook, and the read-only GPT-5.6 reviewer. It’s idempotent and scoped to the current repo’s .codex/ directory — it never touches ~/.codex. Remove everything it wrote with npx @workspacejson/codex-mcp uninstall.

Six promises, each checkable against the source rather than taken on faith:

  1. Missing evidence never becomes a safety approval.
  2. Malformed evidence never crashes the edit loop.
  3. Reviewer output never controls deterministic enforcement.
  4. Installation never overwrites unmanaged configuration.
  5. Uninstall removes only owned artifacts.
  6. Every VERIFIED claim maps to a reproducible command.

Reproduce them yourself: clone the repository, run npm ci && npm run verify. Full citations for each guarantee, and how the system behaves under missing, malformed, or unavailable input, are documented in the repository.

  • Enforcement currently covers Codex apply_patch.
  • Other edit mechanisms may receive context without deterministic blocking.
  • fragile:false means the file has no recorded fragility, not that it is verified safe.
  • Missing or malformed workspace.json fails open with an explicit unavailable warning.
  • Stale evidence is not treated as proof of current risk.
  • This does not replace tests, review, or repository instructions.