feat: align Codex MCP setup with native CLI

[JMartinezRuiz]

Description

Codex already had a TOML configurator, but it was not shown as a first-class client in the user docs and the setup flow still presented manual TOML editing as the main path.

This updates Codex setup to use Codex's native MCP CLI for local HTTP and stdio registration, while keeping the existing TOML path for fallback and for remote-hosted auth cases that need X-API-Key.

Type of Change

• New feature (non-breaking change that adds functionality)
• Documentation update
• Test update

Changes Made

• Use codex mcp add / codex mcp remove for Codex local HTTP and stdio setup when the Codex CLI is available.
• Keep direct ~/.codex/config.toml writes as a fallback when the CLI is missing.
• Use TOML for remote-hosted Codex auth, since the Codex CLI does not expose an arbitrary HTTP header flag for X-API-Key.
• Detect missing or stale Codex X-API-Key headers during status checks so remote auth config can be refreshed.
• Warn when remote HTTP is configured without an API key, instead of silently making auth assumptions.
• Add Codex setup documentation, README entries, and configurator guide notes.
• Add Codex TOML tests for remote auth headers and removing Unity MCP entries while preserving other config.

Testing/Screenshots/Recordings

• git diff --check
• Verified Codex CLI local HTTP registration with a temporary server entry:
  • codex mcp add unityMCP-test-http --url http://127.0.0.1:8080/mcp
  • codex mcp get unityMCP-test-http --json
  • codex mcp remove unityMCP-test-http
• Verified Codex CLI stdio registration with temporary server entries:
  • codex mcp add unityMCP-test-stdio-order --env "SystemRoot=C:\Windows" -- uvx --from mcpforunityserver mcp-for-unity --transport stdio
  • codex mcp add unityMCP-test-stdio-transport --env "SystemRoot=C:\Windows" -- uvx --from mcpforunityserver mcp-for-unity --transport stdio
  • codex mcp get ... --json
  • codex mcp remove ...
• Restored/removed temporary local Codex config entries after the CLI checks.
• Unity 2022.3.4f1 batchmode compile of TestProjects/UnityMCPTests completed successfully with ScriptAssemblies build exit code 0.

Documentation Updates

• I have added/removed/modified tools or resources
• If yes, I have updated all documentation files using:
  • The LLM prompt at tools/UPDATE_DOCS_PROMPT.md (recommended)
  • Manual updates following the guide at tools/UPDATE_DOCS.md

Related Issues

Fixes #933

Additional Notes

The command-line Unity test runner did not emit a test result XML in my local environment, so I am not counting it as a passing test run. The project did compile cleanly in batchmode, and the Codex CLI registration paths were checked directly.

Summary by CodeRabbit

• New Features

  • Improved Codex setup: Configure now toggles register/unregister, tries CLI registration first and falls back to writing TOML when needed; status checks validate the expected X-API-Key header for remote-hosted Codex. Manual snippets now emit TOML instructions for remote-auth/TOML mode and URL-based HTTP snippets otherwise.

• Documentation

  • Added Codex setup guide and updated READMEs with step-by-step instructions and troubleshooting.

• Tests

  • Added tests for remote HTTP mode with API key and for removing Codex server entries.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8f58561d-db6a-43f8-af2a-6a128099a6b5

📥 Commits

Reviewing files that changed from the base of the PR and between fdd3d31 and fb9a1ef.

📒 Files selected for processing (2)

• MCPForUnity/Editor/Clients/McpClientConfiguratorBase.cs
• docs/guides/CODEX_HELP.md

🚧 Files skipped from review as they are similar to previous changes (1)

• MCPForUnity/Editor/Clients/McpClientConfiguratorBase.cs

---

📝 Walkthrough

Walkthrough

Adds CLI-first Codex registration with fallback to direct ~/.codex/config.toml writes, verifies remote-hosted X-API-Key in TOML during status checks (treating missing/stale header as VersionMismatch), introduces Register/Unregister flows and CLI/path helpers, and updates tests and docs for Codex setup.

Changes

Codex client configurator, TOML helpers, tests & docs

Layer / File(s)	Summary
Data Shape / TOML helpers MCPForUnity/Editor/Helpers/CodexConfigHelper.cs	Adds AddRemoteAuthHeaderIfNeeded() to conditionally set/remove unityMCP.http_headers, adds HasCodexHttpHeader(string toml, string headerName, string expectedValue), and adds RemoveCodexServerBlock(string existingToml) to remove unityMCP across mcp_servers/mcpServers.
Status Validation MCPForUnity/Editor/Clients/McpClientConfiguratorBase.cs	CheckStatus() now verifies ~/.codex/config.toml contains the expected X-API-Key when TOML-based remote auth is expected; missing/stale header forces matches=false and marks a VersionMismatch with a remote-auth-specific reason.
Core Registration / Unregistration MCPForUnity/Editor/Clients/McpClientConfiguratorBase.cs	Introduces Register(), RegisterWithToml(), Unregister() and supporting helpers (BuildCodexAddArgs, ResolveCodexCliPath, RemoveCodexRegistrations, RemoveCodexTomlRegistration, ShouldUseTomlForRemoteAuth, path/quote helpers). Auto-rewrite now invokes Register() on mismatch; Configure() toggles between Register() and Unregister().
Manual snippets & UI wiring MCPForUnity/Editor/Clients/McpClientConfiguratorBase.cs	GetManualSnippet() emits TOML guidance when remote-auth/TOML mode is used, otherwise emits CLI snippets (codex mcp add/remove or stdio/uvx commands). GetInstallationSteps() and GetConfigureActionLabel() updated.
Tests TestProjects/UnityMCPTests/Assets/Tests/EditMode/Helpers/CodexConfigHelperTests.cs	Fixture snapshots/restores HTTP-related EditorPrefs (HttpTransportScope, HttpRemoteBaseUrl, ApiKey), tightens local-http assertions (no http_headers), adds tests for remote HTTP with API key and for RemoveCodexServerBlock behavior.
Documentation docs/guides/CODEX_HELP.md, docs/guides/MCP_CLIENT_CONFIGURATORS.md, MCPForUnity/README.md, README.md, docs/i18n/README-zh.md	New Codex setup guide and README updates describing CLI-first behavior, TOML fallback, X-API-Key remote-hosted auth, manual CLI commands, and troubleshooting links.

Sequence Diagram

sequenceDiagram
    participant User as User / Editor
    participant Config as Codex Configurator
    participant Helper as CodexConfigHelper
    participant TOML as ~/.codex/config.toml
    participant CLI as Codex CLI
    participant Prefs as EditorPrefs

    rect rgba(100, 200, 150, 0.5)
    Note over Config,CLI: Register Flow
    User->>Config: Call Register()
    Config->>Config: ResolveCodexCliPath()
    alt CLI Found
        Config->>CLI: codex mcp add unityMCP ...
        alt Success
            Config->>Config: Set Configured + transport
        else Failure
            Config->>Helper: RegisterWithToml()
        end
    else CLI Not Found
        Config->>Helper: RegisterWithToml()
    end
    Helper->>Prefs: Read ApiKey (if remote)
    alt Remote + ApiKey
        Helper->>Helper: AddRemoteAuthHeaderIfNeeded()
    end
    Helper->>TOML: Write/patch unityMCP server block
    Helper-->>Config: Done
    end

    rect rgba(150, 100, 200, 0.5)
    Note over Config,TOML: Status Check Flow
    User->>Config: Call CheckStatus()
    Config->>Config: Validate remote URL match
    alt Remote HTTP Mode
        Config->>Helper: HasCodexHttpHeader(toml, ApiKeyHeader, expectedValue)
        Helper->>TOML: Parse and read http_headers
        Helper-->>Config: Header present & valid?
        alt Header Missing/Stale
            Config->>Config: Force VersionMismatch
        end
    end
    end

    rect rgba(200, 150, 100, 0.5)
    Note over Config,TOML: Unregister Flow
    User->>Config: Call Unregister()
    Config->>CLI: codex mcp remove unityMCP
    alt Success or CLI Missing
        Config->>Helper: RemoveCodexServerBlock(toml)
        Helper->>TOML: Parse and remove unityMCP entry
        Helper->>TOML: Delete empty server tables
        Helper-->>Config: Updated TOML
    end
    Config->>Config: Unregistration complete
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• CoplayDev/unity-mcp#328: Related TOML parsing/upsert/refactor work affecting Codex helpers.
• CoplayDev/unity-mcp#682: Related configurator status/check and auto-rewrite flow changes.
• CoplayDev/unity-mcp#325: Related Codex configuration flow and CodexConfigHelper adjustments.

Suggested reviewers

• dsarno

"I hopped in with a CLI and a key,
Wrote TOML softly when the CLI would flee,
Headers snug and tests all bright,
Codex and Unity hop into the light. 🐇✨"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 2.78% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'feat: align Codex MCP setup with native CLI' accurately summarizes the main change: improving Codex setup by using its native CLI for registrations.
Description check	✅ Passed	The PR description covers all required sections: clear problem statement, type of change, detailed changes made, testing performed, documentation updates, related issues, and additional notes.
Linked Issues check	✅ Passed	The PR comprehensively addresses issue #933 by adding first-class Codex support with native CLI integration, extensive documentation, TOML configuration handling for remote auth, and header detection/refresh logic.
Out of Scope Changes check	✅ Passed	All changes are directly related to Codex MCP client support: configurator enhancements, helper methods for TOML management, comprehensive documentation, tests for new functionality, and README updates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (3)

docs/guides/CODEX_HELP.md (1)

57-63: 💤 Low value

Windows SystemRoot snippet: consider quoting the path for shell safety.

SystemRoot=C:\Windows works in bash because \W is a no-op escape, and on cmd.exe backslashes are literal. It is fine for the default value, but if a user copies the pattern with a path containing spaces (C:\Program Files\...) or other shell metachars, the unquoted form will silently break. A small quoting tweak makes the snippet robust:

-codex mcp add --env SystemRoot=C:\Windows unityMCP -- uvx --from mcpforunityserver mcp-for-unity --transport stdio
+codex mcp add --env "SystemRoot=C:\Windows" unityMCP -- uvx --from mcpforunityserver mcp-for-unity --transport stdio

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/guides/CODEX_HELP.md` around lines 57 - 63, The snippet in
docs/guides/CODEX_HELP.md uses an unquoted env assignment
(SystemRoot=C:\Windows) which will break for paths with spaces or special chars;
update the example command (the codex mcp add ... --env SystemRoot=...
invocation) to quote the assigned path (e.g., wrap the value in double quotes)
and mention quoting when explaining using an absolute uvx path so the command is
robust across shells and Windows paths.

TestProjects/UnityMCPTests/Assets/Tests/EditMode/Helpers/CodexConfigHelperTests.cs (1)

90-104: ⚡ Quick win

Clear HttpRemoteBaseUrl in SetUp for full test isolation.

HttpRemoteBaseUrl is captured/restored in OneTimeSetUp/OneTimeTearDown, but unlike HttpTransportScope and ApiKey it is not deleted in SetUp. After BuildCodexServerBlock_RemoteHttpModeWithApiKey_IncludesHttpHeaders (Line 563) sets it to "https://unity-mcp.example", that value leaks into subsequent tests. It happens to be harmless today because HttpTransportScope is cleared (so IsRemoteScope() returns false), but adding the deletion now guards future remote-mode tests from picking up an unintended base URL.

🧹 Proposed SetUp change

             EditorPrefs.DeleteKey(EditorPrefKeys.HttpTransportScope);
+            EditorPrefs.DeleteKey(EditorPrefKeys.HttpRemoteBaseUrl);
             EditorPrefs.DeleteKey(EditorPrefKeys.ApiKey);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@TestProjects/UnityMCPTests/Assets/Tests/EditMode/Helpers/CodexConfigHelperTests.cs`
around lines 90 - 104, In SetUp(), also delete the EditorPrefs key for
EditorPrefKeys.HttpRemoteBaseUrl so per-test state is isolated; update the SetUp
method (the one that currently deletes EditorPrefKeys.GitUrlOverride,
HttpTransportScope, ApiKey and sets DevModeForceServerRefresh) to call
EditorPrefs.DeleteKey(EditorPrefKeys.HttpRemoteBaseUrl) before calling
EditorConfigurationCache.Instance.Refresh(); this mirrors the cleanup done in
OneTimeSetUp/OneTimeTearDown and prevents HttpRemoteBaseUrl set by tests like
BuildCodexServerBlock_RemoteHttpModeWithApiKey_IncludesHttpHeaders from leaking
into later tests.

MCPForUnity/Editor/Helpers/CodexConfigHelper.cs (1)

27-86: ⚡ Quick win

Consider deduplicating BuildCodexServerBlock and CreateUnityMcpTable.

Both methods now construct an identical unityMCP server table (HTTP url + remote auth header, or stdio command/args/env/timeout). After this PR they both call AddRemoteAuthHeaderIfNeeded, so the two HTTP branches are effectively the same code. Having BuildCodexServerBlock call CreateUnityMcpTable(uvPath) and then add features/serialize would reduce drift risk for future changes (e.g., header logic, env handling).

♻️ Sketch of the consolidation

 public static string BuildCodexServerBlock(string uvPath)
 {
     var table = new TomlTable();
     var mcpServers = new TomlTable();
-    var unityMCP = new TomlTable();
-
-    // Check transport preference
-    bool useHttpTransport = EditorPrefs.GetBool(MCPForUnity.Editor.Constants.EditorPrefKeys.UseHttpTransport, true);
-
-    if (useHttpTransport)
-    {
-        // ... duplicated HTTP setup ...
-        EnsureRmcpClientFeature(table);
-    }
-    else
-    {
-        // ... duplicated stdio setup ...
-    }
+    var unityMCP = CreateUnityMcpTable(uvPath);
+    if (EditorPrefs.GetBool(EditorPrefKeys.UseHttpTransport, true))
+    {
+        EnsureRmcpClientFeature(table);
+    }

     mcpServers["unityMCP"] = unityMCP;
     table["mcp_servers"] = mcpServers;
     ...
 }

Also applies to: 227-274

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@MCPForUnity/Editor/Helpers/CodexConfigHelper.cs` around lines 27 - 86,
Refactor BuildCodexServerBlock to reuse CreateUnityMcpTable(uvPath) instead of
duplicating unityMCP construction: call CreateUnityMcpTable(uvPath) to obtain
the unityMCP TomlTable, then attach it to mcpServers/table and serialize as
before; ensure CreateUnityMcpTable contains the transport branching (use
HttpEndpointUtility.GetMcpRpcUrl, AddRemoteAuthHeaderIfNeeded, and
EnsureRmcpClientFeature for HTTP; AssetPathUtility.GetUvxCommandParts,
AddUvxModeFlags, AssetPathUtility.GetBetaServerFromArgsList, Windows env via
MCPServiceLocator.Platform.IsWindows/GetSystemRoot, and startup_timeout_sec for
stdio) so behavior is identical, and update any related callers to preserve
existing features and side-effects.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@MCPForUnity/Editor/Clients/McpClientConfiguratorBase.cs`:
- Around line 638-643: The remote-scope-without-key case is silently falling
through to the CLI registration path; update the registration flow so when
EditorConfigurationCache.Instance.UseHttpTransport &&
HttpEndpointUtility.IsRemoteScope() is true but
EditorPrefs.GetString(EditorPrefKeys.ApiKey, string.Empty) is empty, the code
does not call the CLI registration in Register() and instead surfaces a clear
warning/error and aborts registration. Implement a guard (either in
ShouldUseTomlForRemoteAuth or at the start of Register()) that checks for
IsRemoteScope() + empty API key and then logs/alerts the user (e.g.,
EditorUtility.DisplayDialog or Debug.LogWarning) and returns early rather than
proceeding to call the CLI add --url path.
- Around line 621-636: BuildCodexAddArgs currently places envArg before the
server name for the stdio transport path; change the returned stdio command
string in BuildCodexAddArgs so envArg appears after {CodexServerName} and before
the "--" token (i.e., format as "mcp add {CodexServerName}{envArg} --
{QuoteCliArg(uvxPath)} ... --transport stdio"), leaving all other variables
(uvxPath, devFlags, fromArgs, packageName) unchanged.

In `@MCPForUnity/Editor/Helpers/CodexConfigHelper.cs`:
- Around line 88-99: When TryParseToml returns null in RemoveCodexServerBlock,
do not silently return the original TOML; instead emit a visible warning so
callers (e.g., McpClientConfiguratorBase.RemoveCodexTomlRegistration) know the
file was not modified and manual cleanup of the unityMCP block in
~/.codex/config.toml may be required. Add a warning log right before the "return
existingToml ?? string.Empty;" in RemoveCodexServerBlock (use the project’s
logging facility or UnityEngine.Debug.LogWarning) that includes context about
the parse failure and the path/section (unityMCP) so the user can take manual
action.

---

Nitpick comments:
In `@docs/guides/CODEX_HELP.md`:
- Around line 57-63: The snippet in docs/guides/CODEX_HELP.md uses an unquoted
env assignment (SystemRoot=C:\Windows) which will break for paths with spaces or
special chars; update the example command (the codex mcp add ... --env
SystemRoot=... invocation) to quote the assigned path (e.g., wrap the value in
double quotes) and mention quoting when explaining using an absolute uvx path so
the command is robust across shells and Windows paths.

In `@MCPForUnity/Editor/Helpers/CodexConfigHelper.cs`:
- Around line 27-86: Refactor BuildCodexServerBlock to reuse
CreateUnityMcpTable(uvPath) instead of duplicating unityMCP construction: call
CreateUnityMcpTable(uvPath) to obtain the unityMCP TomlTable, then attach it to
mcpServers/table and serialize as before; ensure CreateUnityMcpTable contains
the transport branching (use HttpEndpointUtility.GetMcpRpcUrl,
AddRemoteAuthHeaderIfNeeded, and EnsureRmcpClientFeature for HTTP;
AssetPathUtility.GetUvxCommandParts, AddUvxModeFlags,
AssetPathUtility.GetBetaServerFromArgsList, Windows env via
MCPServiceLocator.Platform.IsWindows/GetSystemRoot, and startup_timeout_sec for
stdio) so behavior is identical, and update any related callers to preserve
existing features and side-effects.

In
`@TestProjects/UnityMCPTests/Assets/Tests/EditMode/Helpers/CodexConfigHelperTests.cs`:
- Around line 90-104: In SetUp(), also delete the EditorPrefs key for
EditorPrefKeys.HttpRemoteBaseUrl so per-test state is isolated; update the SetUp
method (the one that currently deletes EditorPrefKeys.GitUrlOverride,
HttpTransportScope, ApiKey and sets DevModeForceServerRefresh) to call
EditorPrefs.DeleteKey(EditorPrefKeys.HttpRemoteBaseUrl) before calling
EditorConfigurationCache.Instance.Refresh(); this mirrors the cleanup done in
OneTimeSetUp/OneTimeTearDown and prevents HttpRemoteBaseUrl set by tests like
BuildCodexServerBlock_RemoteHttpModeWithApiKey_IncludesHttpHeaders from leaking
into later tests.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 77d4188e-ce86-4595-be2a-fa103e77961a

📥 Commits

Reviewing files that changed from the base of the PR and between a2a5edf and 06c1e87.

📒 Files selected for processing (8)

• MCPForUnity/Editor/Clients/McpClientConfiguratorBase.cs
• MCPForUnity/Editor/Helpers/CodexConfigHelper.cs
• MCPForUnity/README.md
• README.md
• TestProjects/UnityMCPTests/Assets/Tests/EditMode/Helpers/CodexConfigHelperTests.cs
• docs/guides/CODEX_HELP.md
• docs/guides/MCP_CLIENT_CONFIGURATORS.md
• docs/i18n/README-zh.md

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

docs/guides/CODEX_HELP.md (1)

65-75: 💤 Low value

LGTM! Clear remote auth documentation.

The TOML configuration example is syntactically correct and clearly explains when direct TOML editing is necessary. The note about the CLI's current limitation regarding arbitrary HTTP headers appropriately sets expectations.

Optional security consideration: While storing API keys in ~/.codex/config.toml is a standard pattern for CLI tools, you might consider adding a brief note about file permissions or referencing Codex's documentation on secure credential management, if applicable.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/guides/CODEX_HELP.md` around lines 65 - 75, Add a brief security note
after the Remote-hosted auth TOML example advising users to restrict permissions
on their config file (e.g., set restrictive file permissions like 600) and/or
use secure credential management; reference the config file path
(~/.codex/config.toml) and the section/header name ([mcp_servers.unityMCP] /
http_headers) so readers know exactly where the secret is stored and add a
pointer to Codex docs on secure credential management if available.

MCPForUnity/Editor/Clients/McpClientConfiguratorBase.cs (1)

682-690: 💤 Low value

Skip the file write when nothing changed to avoid unnecessary I/O on parse failure.

When RemoveCodexServerBlock hits the parse-failure path (warning logged, original content returned), WriteAtomicFile still rewrites the file with the same bytes. This is harmless but wasteful, and slightly muddies the "file unchanged on parse failure" guarantee that the warning message implies. A simple if (!ReferenceEquals(updatedToml, existingToml)) check (or comparing strings) avoids the no-op write.

♻️ Proposed refactor

         private void RemoveCodexTomlRegistration()
         {
             string path = GetConfigPath();
             if (!File.Exists(path)) return;

             string existingToml = File.ReadAllText(path);
             string updatedToml = CodexConfigHelper.RemoveCodexServerBlock(existingToml);
-            McpConfigurationHelper.WriteAtomicFile(path, updatedToml);
+            if (!string.Equals(existingToml, updatedToml, StringComparison.Ordinal))
+            {
+                McpConfigurationHelper.WriteAtomicFile(path, updatedToml);
+            }
         }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@MCPForUnity/Editor/Clients/McpClientConfiguratorBase.cs` around lines 682 -
690, RemoveCodexTomlRegistration currently always calls
McpConfigurationHelper.WriteAtomicFile even when
CodexConfigHelper.RemoveCodexServerBlock returned the original content
(parse-failure), causing unnecessary rewrites; update
RemoveCodexTomlRegistration (use GetConfigPath to read the file, call
RemoveCodexServerBlock to get updatedToml) to compare updatedToml with
existingToml (ReferenceEquals or string equality) and only call
McpConfigurationHelper.WriteAtomicFile(path, updatedToml) when they differ,
skipping the write when unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@MCPForUnity/Editor/Clients/McpClientConfiguratorBase.cs`:
- Around line 515-521: The branch guarded by ShouldUseTomlForRemoteAuth() must
not call GetUvxPathOrError() because in HTTP remote-auth mode uvx may be absent;
remove that call and instead invoke CodexConfigHelper.BuildCodexServerBlock
without fetching uvx (pass null/empty or use the overload that does not require
uvx) so the TOML snippet for HTTP auth is returned without throwing; update the
code in McpClientConfiguratorBase around the ShouldUseTomlForRemoteAuth() block
to stop calling GetUvxPathOrError() and to call BuildCodexServerBlock in a way
that does not depend on uvx.
- Around line 523-545: The stdio MCP registration string wrongly includes the
explicit "--transport stdio" flag; update the stdio branch in the method that
builds the return string (references: CodexServerName, GetCodexStdioEnvArg(),
QuoteCliArg(), AssetPathUtility.GetUvxCommandParts(),
AssetPathUtility.GetUvxDevFlags(), AssetPathUtility.GetBetaServerFromArgs()) to
remove the " --transport stdio" suffix so the stdio registration uses the form
"codex mcp add {CodexServerName}{envArg} -- {QuoteCliArg(uvxPath)}
{devFlags}{fromArgs} {packageName}" followed by the unregister and list lines.

---

Nitpick comments:
In `@docs/guides/CODEX_HELP.md`:
- Around line 65-75: Add a brief security note after the Remote-hosted auth TOML
example advising users to restrict permissions on their config file (e.g., set
restrictive file permissions like 600) and/or use secure credential management;
reference the config file path (~/.codex/config.toml) and the section/header
name ([mcp_servers.unityMCP] / http_headers) so readers know exactly where the
secret is stored and add a pointer to Codex docs on secure credential management
if available.

In `@MCPForUnity/Editor/Clients/McpClientConfiguratorBase.cs`:
- Around line 682-690: RemoveCodexTomlRegistration currently always calls
McpConfigurationHelper.WriteAtomicFile even when
CodexConfigHelper.RemoveCodexServerBlock returned the original content
(parse-failure), causing unnecessary rewrites; update
RemoveCodexTomlRegistration (use GetConfigPath to read the file, call
RemoveCodexServerBlock to get updatedToml) to compare updatedToml with
existingToml (ReferenceEquals or string equality) and only call
McpConfigurationHelper.WriteAtomicFile(path, updatedToml) when they differ,
skipping the write when unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 04e184aa-3fd4-4897-baf1-210d2de9e36c

📥 Commits

Reviewing files that changed from the base of the PR and between 06c1e87 and fdd3d31.

📒 Files selected for processing (4)

• MCPForUnity/Editor/Clients/McpClientConfiguratorBase.cs
• MCPForUnity/Editor/Helpers/CodexConfigHelper.cs
• TestProjects/UnityMCPTests/Assets/Tests/EditMode/Helpers/CodexConfigHelperTests.cs
• docs/guides/CODEX_HELP.md

🚧 Files skipped from review as they are similar to previous changes (1)

• TestProjects/UnityMCPTests/Assets/Tests/EditMode/Helpers/CodexConfigHelperTests.cs

[JMartinezRuiz]

Follow-up pushed in fb9a1ef.

This addresses the remote-auth manual snippet so it no longer depends on uvx, skips no-op TOML writes when the Codex config is unchanged, and adds a short note about keeping ~/.codex/config.toml private when http_headers contains an API key.

I intentionally kept --transport stdio in the stdio command. It appears after Codex's -- separator, so Codex stores it as an argument to the mcp-for-unity server process, not as a Codex CLI flag. I verified that path with codex mcp add/get/remove; the stored entry has command: uvx and args including --transport, stdio for the server.