INTEGRATION · CODEX (OPENAI CODEX CLI) · MCP
Add the Prufa MCP server to the Codex CLI. Codex calls one tool, Prufa drives a real browser against your URL, and hands back an evidence-gated verdict — not a screenshot to eyeball.
No signup. No card. Public URL in, shareable report out.
In our June 2026 audit of 49 Show HN launches, 78% (38 of 49) shipped a critical bug on day one — and 38 of 49 sent no analytics at all. See the 49-launch dataset.
Codex just wrote a change and told you it's done. Can it check that the
page still works — the analytics fire, the cookies are
Secure, the layout doesn't overflow on mobile — without you
opening a browser?
Add the Prufa MCP server to the Codex CLI and it can. Codex calls
prufa_run_audit, Prufa loads the URL in a real browser,
captures every network beacon, console error, cookie and response code,
runs a fixed suite of deterministic checks against that captured
evidence, and returns the verdict as JSON. Codex reads it, fixes what
broke, and runs it again. The first call needs no key and no card —
it's the same free 60-second website audit
you can run yourself, no agent required.
Codex writes code fast and checks it badly. It can read a stack trace, but it can't see that the signup button does nothing, that the analytics tag loaded but never fired, or that the hero overflows 103px past the viewport on a phone. The usual fallbacks break the loop: you open a browser and look (now it needs a human), or you hand-author a Playwright suite Codex then has to maintain. The Codex CLI speaks MCP — but most "MCP for testing" servers are browser drivers: they hand the agent click/type/screenshot primitives and leave the judging to you.
Prufa's architecture is agentic navigation + deterministic verification: an LLM-backed agent loop plans and drives the browser; a plain-code harness owns the session, records all network traffic over CDP, and grades the captured evidence against a versioned spec. The LLM navigates — it never judges whether a tracking beacon is correct. That separation is why the verdict is trustworthy enough for Codex to act on: same input, same verdict (determinism is regression-tested against a golden fixture site). The MCP server is a thin client over that — the same product as our CLI, HTTP API and dashboard, just spoken in tool calls; it's the Prufa MCP server. Read the long version in how Prufa verifies a signup flow.
pip install prufa-mcp, then either run codex mcp add prufa -- prufa-mcp or add the [mcp_servers.prufa] table to ~/.codex/config.toml by hand. Codex's config is TOML, not JSON — the table is [mcp_servers.<name>] (underscore, plural).
It runs prufa_run_audit({ url }). Prufa spins up a real browser, walks the public pages, and captures beacons, console output, cookies and response codes — no script for you to write.
Verified = a machine-checked fact (check name + captured evidence + timestamp, in mono). Advisory = a labeled LLM observation, never phrased as broken. Only verified findings move the section grades — there is no composite 0–100 score, ever.
Codex uses TOML — at ~/.codex/config.toml, or a project
.codex/config.toml in a trusted project — not the
mcpServers JSON other hosts use.
One command (recommended)
pip install prufa-mcp
codex mcp add prufa -- prufa-mcp
Everything after -- is the launch command Codex spawns,
passed untouched.
Or edit ~/.codex/config.toml by hand (stdio)
[mcp_servers.prufa]
command = "prufa-mcp"
# optional — only for persistent tools (monitors, history, Gremlin):
[mcp_servers.prufa.env]
PRUFA_API_TOKEN = "prk_..." Official Codex MCP docs
That's the whole setup. The server speaks JSON-RPC 2.0 over stdio (MCP
protocol 2025-06-18); Codex spawns it as a subprocess. The
free audit tools — prufa_run_audit and
prufa_get_report — work anonymously, with
no key and no card. A PRUFA_API_TOKEN (a
workspace token, format prk_…) is optional and
only needed for persistent tools (saved monitors, run history, Gremlin
chaos runs); set it via the [mcp_servers.prufa.env] table
shown above. An agent can self-provision a free, no-card trial
workspace by calling prufa_setup_workspace (it just needs
the human's email), or a human can mint the key in the
dashboard for a paid, persistent workspace.
One honest caveat, Codex-specific: earlier 2025 Codex
builds had bugs that ignored config.toml MCP entries and
project-scoped .codex/config.toml. The current docs list
stdio as supported, but if Codex doesn't pick up the server, update the
Codex CLI and confirm your installed version honors the config you
edited before assuming the integration is wrong. Use
~/.codex/config.toml (global) if a project-scoped config
doesn't load on your build.
The server is open source — prufa-mcp on PyPI, Apache-2.0,
source at github.com/prufa-dev/prufa-mcp. It registers
20+ tools across three tiers: a free setup tier (audits,
flows, reports), a Pro persistent tier (monitors, alerts, usage), and
Gremlin chaos tools. Every mutating tool takes an optional
idempotency_key, so a retry replays the original response
instead of re-executing — which matters because the Codex CLI retries on
network blips.
You're flying blind — no pageviews, no conversions, nothing reaching
analytics. The single most common critical in our 49-launch audit
(38 of 49). (Its sibling, tracking.container_no_events,
fires when a tag container loads but never sends — 3 more launches
hit that.)
No CSP means the browser won't block injected scripts. 11 of 14 sites in our companion r/SideProject audit served no CSP header at all.
An LLM observation, not a machine-checked fact — excluded from every severity count and grade. Codex (and you) decide whether it matters.
Verified findings are facts the harness can prove from captured traffic. Advisory findings are fenced off in their own tier, so Codex never treats an opinion as a defect to chase.
No — and Playwright MCP is genuinely good at what it does. It hands Codex raw browser primitives (click, type, navigate, screenshot); Codex still has to decide what to do and judge whether the result is correct. That's the right tool when you want fine-grained scripted control. Prufa is the opposite contract: one tool call returns a graded verdict — deterministic checks over captured network traffic, tiered into verified vs advisory. Use Playwright MCP to drive; use Prufa to get a verdict without authoring and maintaining a suite. We dug into the trade-off in agentic testing vs scripted testing.
The audit tools (prufa_run_audit,
prufa_get_report) run anonymously — no key, no card,
rate-limited per IP. Persistent tools (monitors, alerts, Gremlin) are
Pro and return a 402 with a checkout hint on the free tier
— explicit, never a silent charge. We don't meter deterministic checks
or pinned-selector flow replays, and a request that never returns
doesn't count.
The audit loads your public pages in a real browser — the same thing a visitor's browser does. It doesn't mutate state. In Gremlin chaos mode, mutations are dry-run by default and only become real on a host you've explicitly authorized; payments are never executed. Flow credentials are write-only — stored encrypted, never returned by any read tool, never placed in an LLM prompt; they're resolved at the tool boundary at run time.
The questions Codex users (and the agents themselves) ask before wiring a QA MCP server into the CLI.
Run pip install prufa-mcp, then codex mcp add prufa -- prufa-mcp — or add [mcp_servers.prufa] with command = "prufa-mcp" to ~/.codex/config.toml. Codex uses TOML, not JSON, and the table is [mcp_servers.<name>] (underscore, plural). Earlier 2025 Codex builds had bugs ignoring config.toml and project-scoped MCP entries, so update the CLI and confirm your version honors the config before assuming the integration is broken. The free audit tools work anonymously; a PRUFA_API_TOKEN is only needed for persistent tools and can be set via the [mcp_servers.prufa.env] table.
Yes. Codex's first tool call — prufa_run_audit({url}) — runs a full real-browser audit of a public URL and returns the report as JSON, with no key and no card (rate-limited per IP). The audit returns six graded sections (works, fast, found, measured, accessible, compliant) — no composite score, just verified severity counts and A–F grades. Persistent tools (monitors, Gremlin) need a paid workspace.
Playwright MCP gives Codex low-level browser primitives — click, type, navigate, screenshot — and leaves the judging to you; it's a driver. A QA MCP server like Prufa returns a graded verdict from one tool call: deterministic checks over captured network traffic, split into verified (machine-checked) and advisory (labeled opinion) tiers. Playwright MCP wins for scripted control; Prufa wins when you want a verdict without authoring a test suite.
Yes. The audit loads your public pages in a real browser and doesn't mutate state. The server runs locally over stdio as a subprocess Codex spawns; the free audit needs no credentials. Flow credentials, if you set any, are write-only — encrypted, never returned by a read tool, never placed in an LLM prompt. In Gremlin chaos mode mutations are dry-run unless you authorize a specific host, and payments are never executed.
Or skip the agent and try it yourself: paste a URL, get a shareable report in about a minute. Persistent monitors and Gremlin chaos runs start on Pro ($99/mo).