INTEGRATION · CODEX (OPENAI CODEX CLI) · MCP

Codex (OpenAI Codex CLI) QA testing, in one tool call

Add the Prufa MCP server to the Codex CLI. Codex calls one tool, Prufa drives a real browser against your URL, and hands back an evidence-gated verdict — not a screenshot to eyeball.

No signup. No card. Public URL in, shareable report out.

In our June 2026 audit of 49 Show HN launches, 78% (38 of 49) shipped a critical bug on day one — and 38 of 49 sent no analytics at all. See the 49-launch dataset.

codex
› test https://myapp.com and fix anything critical
Codex → prufa_run_audit({ url: "https://myapp.com", wait: true })
running real-browser audit … (blocks up to ~90s)
← {
"run_id": "a1b2c3d4-…",
"share_token": "k7m2p9",
"report_url": "https://prufa.dev/r/k7m2p9",
"report": { … verified findings + A–F section grades … }
}
✓ Codex reads the report, fixes the criticals, re-runs.
The real top-level keys: run_id, share_token, report_url, and the full report.json under report. Codex reads the findings straight out of report.json.

Codex just wrote a change and told you it's done. Can it check that the page still works — the analytics fire, the cookies are Secure, the layout doesn't overflow on mobile — without you opening a browser?

Add the Prufa MCP server to the Codex CLI and it can. Codex calls prufa_run_audit, Prufa loads the URL in a real browser, captures every network beacon, console error, cookie and response code, runs a fixed suite of deterministic checks against that captured evidence, and returns the verdict as JSON. Codex reads it, fixes what broke, and runs it again. The first call needs no key and no card — it's the same free 60-second website audit you can run yourself, no agent required.

Why give the Codex CLI a QA tool instead of letting it eyeball the diff?

Codex writes code fast and checks it badly. It can read a stack trace, but it can't see that the signup button does nothing, that the analytics tag loaded but never fired, or that the hero overflows 103px past the viewport on a phone. The usual fallbacks break the loop: you open a browser and look (now it needs a human), or you hand-author a Playwright suite Codex then has to maintain. The Codex CLI speaks MCP — but most "MCP for testing" servers are browser drivers: they hand the agent click/type/screenshot primitives and leave the judging to you.

Prufa's architecture is agentic navigation + deterministic verification: an LLM-backed agent loop plans and drives the browser; a plain-code harness owns the session, records all network traffic over CDP, and grades the captured evidence against a versioned spec. The LLM navigates — it never judges whether a tracking beacon is correct. That separation is why the verdict is trustworthy enough for Codex to act on: same input, same verdict (determinism is regression-tested against a golden fixture site). The MCP server is a thin client over that — the same product as our CLI, HTTP API and dashboard, just spoken in tool calls; it's the Prufa MCP server. Read the long version in how Prufa verifies a signup flow.

How do I add a QA MCP server to the Codex CLI?

  1. Add the server

    pip install prufa-mcp, then either run codex mcp add prufa -- prufa-mcp or add the [mcp_servers.prufa] table to ~/.codex/config.toml by hand. Codex's config is TOML, not JSON — the table is [mcp_servers.<name>] (underscore, plural).

  2. Ask Codex to test a URL

    It runs prufa_run_audit({ url }). Prufa spins up a real browser, walks the public pages, and captures beacons, console output, cookies and response codes — no script for you to write.

  3. Evidence keeps the verdict

    Verified = a machine-checked fact (check name + captured evidence + timestamp, in mono). Advisory = a labeled LLM observation, never phrased as broken. Only verified findings move the section grades — there is no composite 0–100 score, ever.

Add the Prufa MCP server to the Codex CLI

Codex uses TOML — at ~/.codex/config.toml, or a project .codex/config.toml in a trusted project — not the mcpServers JSON other hosts use.

One command (recommended)

install (run once)
pip install prufa-mcp
codex mcp add prufa -- prufa-mcp

Everything after -- is the launch command Codex spawns, passed untouched.

Or edit ~/.codex/config.toml by hand (stdio)

~/.codex/config.toml
[mcp_servers.prufa]
command = "prufa-mcp"

# optional — only for persistent tools (monitors, history, Gremlin):
[mcp_servers.prufa.env]
PRUFA_API_TOKEN = "prk_..."
Official Codex MCP docs

That's the whole setup. The server speaks JSON-RPC 2.0 over stdio (MCP protocol 2025-06-18); Codex spawns it as a subprocess. The free audit tools — prufa_run_audit and prufa_get_report — work anonymously, with no key and no card. A PRUFA_API_TOKEN (a workspace token, format prk_…) is optional and only needed for persistent tools (saved monitors, run history, Gremlin chaos runs); set it via the [mcp_servers.prufa.env] table shown above. An agent can self-provision a free, no-card trial workspace by calling prufa_setup_workspace (it just needs the human's email), or a human can mint the key in the dashboard for a paid, persistent workspace.

One honest caveat, Codex-specific: earlier 2025 Codex builds had bugs that ignored config.toml MCP entries and project-scoped .codex/config.toml. The current docs list stdio as supported, but if Codex doesn't pick up the server, update the Codex CLI and confirm your installed version honors the config you edited before assuming the integration is wrong. Use ~/.codex/config.toml (global) if a project-scoped config doesn't load on your build.

The server is open source — prufa-mcp on PyPI, Apache-2.0, source at github.com/prufa-dev/prufa-mcp. It registers 20+ tools across three tiers: a free setup tier (audits, flows, reports), a Pro persistent tier (monitors, alerts, usage), and Gremlin chaos tools. Every mutating tool takes an optional idempotency_key, so a retry replays the original response instead of re-executing — which matters because the Codex CLI retries on network blips.

What does the verdict Codex reads look like?

critical No analytics events detected on any public page.
✓ verified
tracking.none_detected · / , /pricing · 0 beacons captured

You're flying blind — no pageviews, no conversions, nothing reaching analytics. The single most common critical in our 49-launch audit (38 of 49). (Its sibling, tracking.container_no_events, fires when a tag container loads but never sends — 3 more launches hit that.)

warning Content Security Policy header missing.
✓ verified
security.missing_csp · response headers · no CSP

No CSP means the browser won't block injected scripts. 11 of 14 sites in our companion r/SideProject audit served no CSP header at all.

advisory · opinion The hero may bury the primary call to action below denser secondary copy.

An LLM observation, not a machine-checked fact — excluded from every severity count and grade. Codex (and you) decide whether it matters.

Verified findings are facts the harness can prove from captured traffic. Advisory findings are fenced off in their own tier, so Codex never treats an opinion as a defect to chase.

Is this just Playwright MCP for Codex with extra steps?

Isn't this the same as Playwright MCP or a browser-driver MCP?

No — and Playwright MCP is genuinely good at what it does. It hands Codex raw browser primitives (click, type, navigate, screenshot); Codex still has to decide what to do and judge whether the result is correct. That's the right tool when you want fine-grained scripted control. Prufa is the opposite contract: one tool call returns a graded verdict — deterministic checks over captured network traffic, tiered into verified vs advisory. Use Playwright MCP to drive; use Prufa to get a verdict without authoring and maintaining a suite. We dug into the trade-off in agentic testing vs scripted testing.

Can Codex rack up charges, or do I need a card?

The audit tools (prufa_run_audit, prufa_get_report) run anonymously — no key, no card, rate-limited per IP. Persistent tools (monitors, alerts, Gremlin) are Pro and return a 402 with a checkout hint on the free tier — explicit, never a silent charge. We don't meter deterministic checks or pinned-selector flow replays, and a request that never returns doesn't count.

Is it safe to point Codex at production, and do you see my data?

The audit loads your public pages in a real browser — the same thing a visitor's browser does. It doesn't mutate state. In Gremlin chaos mode, mutations are dry-run by default and only become real on a host you've explicitly authorized; payments are never executed. Flow credentials are write-only — stored encrypted, never returned by any read tool, never placed in an LLM prompt; they're resolved at the tool boundary at run time.

Frequently asked questions

The questions Codex users (and the agents themselves) ask before wiring a QA MCP server into the CLI.

How do I add a QA MCP server to the Codex (OpenAI Codex CLI)?

Run pip install prufa-mcp, then codex mcp add prufa -- prufa-mcp — or add [mcp_servers.prufa] with command = "prufa-mcp" to ~/.codex/config.toml. Codex uses TOML, not JSON, and the table is [mcp_servers.<name>] (underscore, plural). Earlier 2025 Codex builds had bugs ignoring config.toml and project-scoped MCP entries, so update the CLI and confirm your version honors the config before assuming the integration is broken. The free audit tools work anonymously; a PRUFA_API_TOKEN is only needed for persistent tools and can be set via the [mcp_servers.prufa.env] table.

Can Codex run a full website test for free through Prufa?

Yes. Codex's first tool call — prufa_run_audit({url}) — runs a full real-browser audit of a public URL and returns the report as JSON, with no key and no card (rate-limited per IP). The audit returns six graded sections (works, fast, found, measured, accessible, compliant) — no composite score, just verified severity counts and A–F grades. Persistent tools (monitors, Gremlin) need a paid workspace.

What's the difference between Playwright MCP and the Prufa QA MCP server in Codex?

Playwright MCP gives Codex low-level browser primitives — click, type, navigate, screenshot — and leaves the judging to you; it's a driver. A QA MCP server like Prufa returns a graded verdict from one tool call: deterministic checks over captured network traffic, split into verified (machine-checked) and advisory (labeled opinion) tiers. Playwright MCP wins for scripted control; Prufa wins when you want a verdict without authoring a test suite.

Is the Prufa MCP server safe to use from the Codex CLI?

Yes. The audit loads your public pages in a real browser and doesn't mutate state. The server runs locally over stdio as a subprocess Codex spawns; the free audit needs no credentials. Flow credentials, if you set any, are write-only — encrypted, never returned by a read tool, never placed in an LLM prompt. In Gremlin chaos mode mutations are dry-run unless you authorize a specific host, and payments are never executed.

Wire Prufa into Codex and let it run the first test

Or skip the agent and try it yourself: paste a URL, get a shareable report in about a minute. Persistent monitors and Gremlin chaos runs start on Pro ($99/mo).

See plans →