Codex Tightens the Trust Boundary Between TUI Config, MCP Inventory, and Automated Hooks

The most important Codex changes on May 25 were about authority: who owns MCP state, who persists trust decisions, and when a dangerous automation flag should actually bypass a hook review. That sounds like terminal UI plumbing until you remember what Codex is becoming. A coding agent with remotes, app servers, MCP tools, hooks, and persistent sessions is not a local text box anymore. It is a policy-bearing runtime with a terminal attached.

OpenAI’s PR #24265, merged at 2026-05-25T16:56:22Z, changes the Codex TUI’s MCP inventory renderer so it reads from the app server’s mcpServerStatus/list payload instead of joining server status with the local TUI process’s config.mcp_servers. The diff is small by release-note standards — 30 additions, 147 deletions, and 6 changed files — but the architectural message is large: when a remote-capable agent runtime owns tool state, the screen should not improvise from stale local config.

This is the kind of bug class that matters more than it looks. MCP servers are not decorative integrations. They are capability boundaries: the agent may use them to reach internal APIs, filesystems, databases, browsers, search tools, credentials, or workflow systems. If the local terminal UI renders an MCP inventory by mixing authoritative server status with whatever happens to be in a local config file, it can show the wrong picture of what the agent can do. That is not just confusing. It is governance drift.

Stale config is how policy becomes theater

The PR notes a limitation: the current app-server status payload does not yet include disabled-state or disabled-reason fields, so remote /mcp should get that from app-server-owned status data in a follow-up rather than inferring it locally. That restraint is the right call. A bad system would keep patching around missing server data in the TUI until every screen had its own partial truth. A better system accepts a temporary display gap and moves the missing fields to the authority that should own them.

The same pattern appears in PR #24255, which merged minutes earlier with 137 additions and 33 deletions. Project trust onboarding now persists through the app-server config write path before reporting success, storing trust as projects.<project>.trust_level = "trusted". Crucially, if the app-server persistence fails, the UI stays on the trust screen instead of pretending the operation succeeded.

That failure behavior is worth calling out because agent tools are full of optimistic lies. A UI says “trusted,” the runtime disagrees. A local config says a provider changed, the background app server keeps using the old one. A terminal screen says an MCP server exists, the remote worker cannot see it. Each mismatch erodes operator trust. Better to block loudly than to let a developer believe a trust decision took effect when the runtime never accepted it.

PR #24254 applies the same cleanup to interactive codex --oss provider selection, routing persistence through the app-server config API while keeping auto-detected and explicit --local-provider starts ephemeral. That distinction is subtle but important. Persistent user choices should go through the system of record. Runtime-only choices should remain runtime-only. Mixing those categories is how one debugging session becomes tomorrow’s mysterious default.

The dangerous flag got a safer contract

The sharpest edge in this cluster is PR #24317, merged at 2026-05-25T16:44:22Z with 54 additions. It fixes issue #24093, where --dangerously-bypass-hook-trust was ignored in TUI mode for Codex 0.131.0–0.133.0. The result was especially painful for automated or headless launches: users explicitly supplied a bypass flag, but Codex still stopped on a “Hooks need review” prompt.

The temptation with a bug like that is to make the flag bulldoze everything. OpenAI did something more careful. The fix forwards bypass_hook_trust through app-server request config for fresh thread start, resume, and fork paths, applying it as a runtime-only ConfigOverrides value rather than a persistent config.toml setting. But persistent app-server resumes deliberately keep the startup review prompt because the already-running thread may not receive the bypass override. Hiding the prompt there would misrepresent the actual hook behavior.

That is exactly the kind of distinction serious agent tooling needs. Dangerous flags should be explicit, scoped, and honest about where they apply. If a runtime path cannot guarantee that the bypass reaches the running execution context, the UI should not imply safety or success. A “dangerously” flag is not a vibe-based permission slip. It is a contract with a specific code path.

For teams, the practical checklist is not optional. If you use Codex with MCP servers, test /mcp while connected to the same remote or app-server mode your developers actually use. Do not validate governance from a local-only happy path and assume the remote view matches. Confirm that disabled servers, authentication failures, and server-status details are visible from the authority that owns them. If the payload is missing fields your security program needs, file that as a product requirement, not as a local documentation workaround.

If you use project trust onboarding, test both writable and intentionally unwritable config paths in staging. The system should fail closed and keep the user on the trust screen when persistence fails. If your internal runbooks tell developers to manually edit config files while the app server is running, revisit that pattern. A runtime with a config API wants one write path for a reason.

If you rely on hooks in automation, treat --dangerously-bypass-hook-trust like a restricted operational tool. Validate whether your launch path is fresh, resumed, forked, or attached to a persistent app server. Log when the bypass is used. Scope it to known jobs. Do not let it become the copy-pasted fix for “Codex asked me a question.” That is how a convenience flag becomes an unreviewed policy exception.
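
One way to put "log it and scope it to known jobs" into practice is a launcher helper that decides whether the flag is emitted at all. This is an added example, not code from Codex or its PRs; the job names, the launch-mode labels (fresh, resume, fork, persistent-resume) and the audit-log path are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Codex code. Job names, launch-mode labels and the
# audit-log path are assumptions chosen for illustration.

# Jobs permitted to bypass hook review (constructed allowlist).
BYPASS_ALLOWED_JOBS="${BYPASS_ALLOWED_JOBS:-nightly-lint release-notes}"
BYPASS_AUDIT_LOG="${BYPASS_AUDIT_LOG:-./codex-bypass-audit.log}"

# hook_bypass_flag JOB MODE
# Prints --dangerously-bypass-hook-trust only when JOB is allowlisted and MODE
# is a path where the override is forwarded (fresh, resume, fork). Anything
# else prints nothing, so the launch falls back to the normal review prompt.
# Every decision, allow or deny, is appended to the audit log.
# The body is a subshell so its variables never leak into the caller.
hook_bypass_flag() (
  job="$1"; mode="$2"; listed=no
  for allowed in $BYPASS_ALLOWED_JOBS; do
    if [ "$allowed" = "$job" ]; then listed=yes; fi
  done

  case "$mode" in
    fresh|resume|fork)
      if [ "$listed" = yes ]; then
        decision=allow; reason="allowlisted job"
      else
        decision=deny; reason="job not allowlisted"
      fi ;;
    persistent-resume)
      # The already-running thread may not receive the override.
      decision=deny; reason="persistent app-server thread" ;;
    *)
      decision=deny; reason="unknown launch mode" ;;
  esac

  printf '%s job=%s mode=%s decision=%s reason="%s" user=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$job" "$mode" "$decision" "$reason" \
    "${USER:-unknown}" >> "$BYPASS_AUDIT_LOG"

  if [ "$decision" = allow ]; then
    printf '%s\n' "--dangerously-bypass-hook-trust"
  fi
)

# In a launcher (the rest of the command line is whatever the job already uses):
#   flag=$(hook_bypass_flag "$JOB_NAME" fresh)
#   codex $flag ...
```

Because denied requests are logged too, the audit file shows who tried to use the bypass outside an approved job, not only who succeeded.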

The bigger story is that Codex is cleaning up the ownership model around trust and configuration. That is less exciting than a new agent demo and much more important for deployment. Agent systems fail when policy is spread across local files, remote services, background daemons, and UI assumptions. The May 25 TUI changes are a small but clear move toward the right rule: the component that enforces policy should be the component the UI reports from. Everything else is theater with a spinner.

Sources: OpenAI Codex PR #24265, PR #24255, PR #24254, PR #24317, issue #24093, PR #22914, PR #22915, PR #22916.