Back to Blog

Use GPT-5.5 Pro in Claude Code with Proxide MCP Bridge

Tutorials and Guides7765
Use GPT-5.5 Pro in Claude Code with Proxide MCP Bridge

Abstract

When access to Claude Fable is restricted, developers can route GPT-5.5 Pro to run natively inside Claude Code using the open-source Rust-based MCP proxy tool Proxide. This technical deep dive explains two core operating modes (Bridge Mode and MCP Connector Mode), layered tiered permission control architecture, standardized MCP protocol security design, step-by-step onboarding workflow, audit trail logging, and key differentiation from generic simple LLM bridges. The tool enables any MCP-compatible agent (Claude Code, Codex, Cursor/CLI, web-based GPT Pro) to safely interact with local Git repositories, code files, and development workflows without granting unrestricted full local filesystem access. Teams managing mixed multi-model agent workloads can streamline unified endpoint routing via an API gateway such as 4sapi to coordinate cross-model traffic alongside Proxide deployments.

1. Background: Pain Points of Cross-Agent Local Repository Access

Developers commonly need web-side flagship models like GPT-5.5 Pro to audit local codebases, generate edit plans, and participate in pull request workflows, yet native cross-environment access carries two major pain points:

  1. Crude manual copy-paste workflow: Manually copying code snippets between local IDE agents and web ChatGPT Pro creates fragmented context, lost file dependency logic, and massive repetitive manual overhead.
  2. Uncontrolled raw MCP exposure risk: Directly exposing a local MCP server to web LLMs grants full unrestricted read/write, shell execution and file deletion permissions, introducing severe security vulnerabilities for private code repositories and local environment secrets.

Proxide solves both challenges by acting as a permission-gated intermediate proxy layer. It creates a constrained entry point for web-side GPT Pro to read local repository content, while blocking unfettered direct local filesystem access by default.

Core Initial Validation Test Logic

Proxide’s minimal proof-of-concept test limits GPT Pro to two restricted operations only:

  1. open_workspace: Initialize access to a designated local code workspace
  2. read README.md: Pull static project introductory documentation

If the model cannot complete these two basic actions reliably, complex tasks like code review, edit plan drafting, and PR handoff workflows will fail entirely. After successful initialization, the ChatGPT tool call panel only records minimal, auditable resource access logs, confirming the local Rust MCP server only exposes a narrow /mcp entry point to the web model, rather than the full directory tree.

2. Two Core Operating Modes of Proxide

Proxide provides dual operational modes to match different agent capabilities, with strict security boundaries separating the two workflows.

2.1 Bridge Mode (For Browser/Web-Based Agents Only)

Bridge Mode packages the entire local project into a sanitized context packet, automatically stripping sensitive data including API secrets, private keys, internal intranet URLs, and local environment variables. Sanitized payloads are stored inside local outbox/inbox directories under the codex-web-bridge path. Hard security boundary of Bridge Mode: Web-side LLMs cannot invoke native local tooling at all; they only receive static packaged context snapshots, with no live filesystem read/write permissions. This mode is ideal for lightweight code review without live modification rights.

2.2 MCP Connector Mode (For Full MCP-Capable Agents)

This mode enables GPT-5.5 Pro to act as an active MCP host that initiates JSON-RPC POST requests to the local Proxide /mcp endpoint. The handshake process follows standardized MCP session rules:

  1. Initial initialize handshake generates a unique Mcp-Session-Id attached to every subsequent tool call
  2. Authorized tool invocations include open_workspace, read, search, and git_diff for full repository analysis
  3. All operations remain bounded by pre-configured trust levels, write access rules, and shell execution limits

Proxide defaults to trust_level: readonly to prevent unintended destructive file edits or shell command execution out of the box.

Standard Core Configuration Schema

json
{
  "allowed_roots": ["/Users/you/work/your-repo"],
  "skill_roots": ["/Users/you/work/codex-pro/skills"],
  "trust_level": "readonly",
  "tool_mode": "full",
  "write_mode": "workspace",
  "shell_mode": "minimal",
  "host": "127.0.0.1",
  "port": 8765,
  "public_base_url": "https://your-tunnel-host.example.com"
}

Two critical restrictive fields govern security:

The open_workspace endpoint never returns absolute local file paths, only workspace-scoped relative identifiers, and the read tool prioritizes parsing SKILL.md skill definition files before scanning supplementary directory resources to constrain context scope.

3. Three-Tier Staircase Permission Architecture

Proxide abandons a single binary permission toggle and implements a progressive tiered trust model that incrementally unlocks capabilities with explicit human handoff approval at every stage.

  1. Tier 1: Readonly Trust Level (Base Access) Permitted operations: list, search, git_diff, static file preview, workspace initialization. No file edits, shell calls, or content overwrites allowed. All tool actions are logged to the audit trail before execution.
  2. Tier 2: Handoff Intermediate State The model generates review notes, structured edit plans, and patch previews but cannot apply changes independently. All proposed modifications are handed off to the local native agent (Claude Code / Codex) for human review and final execution. No direct write permissions are granted to the web LLM at this stage.
  3. Tier 3: Full Execute Scope (Explicit Intent Required) Only after human owner approval can the model run write, edit, apply_patch, shell, branch publishing and PR handoff workflows. Even at this highest tier, Proxide maintains granular sub-restrictions for shell command whitelisting and destructive file operations.

Additional granular control parameters fine-tune risk exposure:

4. Standardized Step-by-Step Onboarding Workflow

Proxide encapsulates all deployment steps into a single runbook sequential pipeline to eliminate misconfiguration for first-time users, with six mandatory ordered stages:

  1. Init: Define workspace root paths, skill directories, and public tunnel base URL in the core config file
  2. Doctor: Automated pre-flight validation checking environment dependencies, tunnel connectivity, and permission schema integrity
  3. Serve: Launch the local Rust MCP server on the designated port and bind local workspace resources
  4. Tunnel: Establish secure HTTPS tunnel forwarding to expose the MCP endpoint to remote web agents
  5. ChatGPT Client Setup: Enable Developer Mode, create an MCP connector, input the tunnel public URL, and complete owner approval authentication
  6. Smoke Test Validation: Run the minimal golden prompt test to verify two core capabilities: open_workspace initialization and read README.md file access

Minimal Golden Validation Prompt

text
First only open the workspace with path absolute/project, do not use web projecting prematurely.
Use only the codex MCP tools you read via the first heading line from README.md.

This lightweight smoke test confirms end-to-end connectivity without triggering complex modification workflows, serving as a reliable baseline before enabling full edit and PR automation functionality.

5. Built-In Audit Trail & Security Safeguards

A core design priority of Proxide is immutable audit logging, solving the critical gap of untraceable model filesystem operations present in generic bridge tools.

Additional hard security guardrails enforced at the proxy layer:

  1. Mandatory HTTPS-only tunnel endpoints; plain HTTP connections are blocked entirely
  2. DNS rebinding protection to prevent unauthorized network endpoint hijacking
  3. Scope isolation for shell, Git, and PR workflow tools; each capability set operates under independent permission limits
  4. Immutable session binding: MCP session IDs cannot be reused across separate tunnel connections to prevent replay attacks

6. Differentiation From Generic Simple LLM Bridges

Most conventional cross-agent bridge tools suffer three critical flaws that Proxide mitigates with its Rust MCP-first architecture:

Generic Simple BridgeProxide MCP Proxy
Single-agent locked design, incompatible with multi-type agentsUniversal compatibility with any MCP-supporting agent (Claude Code, Codex, web GPT Pro, Cursor CLI)
Browser-only operation, no native local MCP server integrationDual-mode support: Browser fallback Bridge Mode + native Rust MCP Connector Mode
Weak static authentication with no progressive permission tiersThree-tier staircase trust system with explicit human handoff approval
No persistent audit trail for model filesystem activityComplete immutable audit logging for every tool call and file modification

Proxide’s core design principle prioritizes boundary definition before automation: all workspace access rules are locked in configuration first, and automated agent workflows are only enabled after security constraints are fully validated.

7. Applicable Scenarios & Limitations

Ideal Use Cases

  1. Developers restricted from native Claude Fable access, requiring GPT-5.5 Pro reasoning inside Claude Code’s local IDE workflow
  2. Teams needing web-side flagship model code review without granting full local filesystem write access to remote LLMs
  3. Multi-agent hybrid stacks combining local desktop agents (Codex / Cursor) and web-based GPT Pro for split responsibility code workflows
  4. Enterprise teams requiring full audit traceability of all LLM repository read/write operations for compliance requirements

Not Recommended Scenarios

  1. Simple one-off snippet queries: Basic Bridge Mode manual copy-paste is sufficient, no need for full MCP server deployment
  2. Long-term public exposed MCP tunnels without strict IP whitelisting: Unrestricted public endpoints expand attack surface
  3. Teams lacking standardized Git/PR workflow rules: Proxide only enforces access boundaries, it cannot replace internal code review governance processes

8. Conclusion

Proxide delivers a secure, universal cross-agent MCP proxy solution that resolves the core conflict between leveraging powerful web-side models like GPT-5.5 Pro and protecting private local code repository security within Claude Code and other desktop IDE agents. Its dual-mode operation caters to lightweight read-only review and full interactive MCP automation respectively, while the tiered staircase permission architecture eliminates the all-or-nothing access risk of generic bridge tools.

The standardized sequential onboarding runbook lowers entry barriers for new developers, and the built-in immutable audit trail addresses enterprise compliance demands for traceable LLM filesystem activity. For engineering teams operating mixed fleets of local desktop agents and web flagship models, unified traffic orchestration via platforms such as 4sapi can centralize cross-model endpoint management alongside Proxide’s local MCP proxy deployments.

Built on Rust’s high-performance secure runtime and fully aligned with official MCP protocol specifications, Proxide establishes a production-grade secure workflow to integrate alternate flagship LLMs into restricted native agent environments without sacrificing local repository data security.

Tags:GPT-5.5 ProClaude CodeProxideMCPAI Agent

Recommended reading

Explore more frontier insights and industry know-how.