Abstract
When access to Claude Fable is restricted, developers can route GPT-5.5 Pro to run natively inside Claude Code using the open-source Rust-based MCP proxy tool Proxide. This technical deep dive explains two core operating modes (Bridge Mode and MCP Connector Mode), layered tiered permission control architecture, standardized MCP protocol security design, step-by-step onboarding workflow, audit trail logging, and key differentiation from generic simple LLM bridges. The tool enables any MCP-compatible agent (Claude Code, Codex, Cursor/CLI, web-based GPT Pro) to safely interact with local Git repositories, code files, and development workflows without granting unrestricted full local filesystem access. Teams managing mixed multi-model agent workloads can streamline unified endpoint routing via an API gateway such as 4sapi to coordinate cross-model traffic alongside Proxide deployments.
1. Background: Pain Points of Cross-Agent Local Repository Access
Developers commonly need web-side flagship models like GPT-5.5 Pro to audit local codebases, generate edit plans, and participate in pull request workflows, yet native cross-environment access carries two major pain points:
- Crude manual copy-paste workflow: Manually copying code snippets between local IDE agents and web ChatGPT Pro creates fragmented context, lost file dependency logic, and massive repetitive manual overhead.
- Uncontrolled raw MCP exposure risk: Directly exposing a local MCP server to web LLMs grants full unrestricted read/write, shell execution and file deletion permissions, introducing severe security vulnerabilities for private code repositories and local environment secrets.
Proxide solves both challenges by acting as a permission-gated intermediate proxy layer. It creates a constrained entry point for web-side GPT Pro to read local repository content, while blocking unfettered direct local filesystem access by default.
Core Initial Validation Test Logic
Proxide’s minimal proof-of-concept test limits GPT Pro to two restricted operations only:
open_workspace: Initialize access to a designated local code workspaceread README.md: Pull static project introductory documentation
If the model cannot complete these two basic actions reliably, complex tasks like code review, edit plan drafting, and PR handoff workflows will fail entirely. After successful initialization, the ChatGPT tool call panel only records minimal, auditable resource access logs, confirming the local Rust MCP server only exposes a narrow /mcp entry point to the web model, rather than the full directory tree.
2. Two Core Operating Modes of Proxide
Proxide provides dual operational modes to match different agent capabilities, with strict security boundaries separating the two workflows.
2.1 Bridge Mode (For Browser/Web-Based Agents Only)
Bridge Mode packages the entire local project into a sanitized context packet, automatically stripping sensitive data including API secrets, private keys, internal intranet URLs, and local environment variables. Sanitized payloads are stored inside local outbox/inbox directories under the codex-web-bridge path.
Hard security boundary of Bridge Mode: Web-side LLMs cannot invoke native local tooling at all; they only receive static packaged context snapshots, with no live filesystem read/write permissions. This mode is ideal for lightweight code review without live modification rights.
2.2 MCP Connector Mode (For Full MCP-Capable Agents)
This mode enables GPT-5.5 Pro to act as an active MCP host that initiates JSON-RPC POST requests to the local Proxide /mcp endpoint. The handshake process follows standardized MCP session rules:
- Initial
initializehandshake generates a uniqueMcp-Session-Idattached to every subsequent tool call - Authorized tool invocations include
open_workspace,read,search, andgit_difffor full repository analysis - All operations remain bounded by pre-configured trust levels, write access rules, and shell execution limits
Proxide defaults to trust_level: readonly to prevent unintended destructive file edits or shell command execution out of the box.
Standard Core Configuration Schema
Two critical restrictive fields govern security:
allowed_roots: Hardcodes the exact repository directories the MCP server can access, blocking all external filesystem pathstrust_level: Sets a tiered permission ceiling that restricts read, write, and shell execution scope incrementally
The open_workspace endpoint never returns absolute local file paths, only workspace-scoped relative identifiers, and the read tool prioritizes parsing SKILL.md skill definition files before scanning supplementary directory resources to constrain context scope.
3. Three-Tier Staircase Permission Architecture
Proxide abandons a single binary permission toggle and implements a progressive tiered trust model that incrementally unlocks capabilities with explicit human handoff approval at every stage.
- Tier 1: Readonly Trust Level (Base Access)
Permitted operations:
list,search,git_diff, static file preview, workspace initialization. No file edits, shell calls, or content overwrites allowed. All tool actions are logged to the audit trail before execution. - Tier 2: Handoff Intermediate State The model generates review notes, structured edit plans, and patch previews but cannot apply changes independently. All proposed modifications are handed off to the local native agent (Claude Code / Codex) for human review and final execution. No direct write permissions are granted to the web LLM at this stage.
- Tier 3: Full Execute Scope (Explicit Intent Required)
Only after human owner approval can the model run
write,edit,apply_patch,shell, branch publishing and PR handoff workflows. Even at this highest tier, Proxide maintains granular sub-restrictions for shell command whitelisting and destructive file operations.
Additional granular control parameters fine-tune risk exposure:
tool_mode: Adjusts the breadth of available MCP tools exposed to the modelwrite_mode: Governs whether file overwrites are restricted to designated workspace directoriesshell_mode: Limits shell access to safe read-only Git and diagnostic commands, blocking destructiverm,curl, and container modification commands by default
4. Standardized Step-by-Step Onboarding Workflow
Proxide encapsulates all deployment steps into a single runbook sequential pipeline to eliminate misconfiguration for first-time users, with six mandatory ordered stages:
- Init: Define workspace root paths, skill directories, and public tunnel base URL in the core config file
- Doctor: Automated pre-flight validation checking environment dependencies, tunnel connectivity, and permission schema integrity
- Serve: Launch the local Rust MCP server on the designated port and bind local workspace resources
- Tunnel: Establish secure HTTPS tunnel forwarding to expose the MCP endpoint to remote web agents
- ChatGPT Client Setup: Enable Developer Mode, create an MCP connector, input the tunnel public URL, and complete owner approval authentication
- Smoke Test Validation: Run the minimal golden prompt test to verify two core capabilities:
open_workspaceinitialization andread README.mdfile access
Minimal Golden Validation Prompt
This lightweight smoke test confirms end-to-end connectivity without triggering complex modification workflows, serving as a reliable baseline before enabling full edit and PR automation functionality.
5. Built-In Audit Trail & Security Safeguards
A core design priority of Proxide is immutable audit logging, solving the critical gap of untraceable model filesystem operations present in generic bridge tools.
- Every tool invocation, file read, patch preview, and shell command is persisted to structured JSON audit records
- Logs capture full context snapshots, request timestamps, session MCP IDs, and owner approval records for all write/execute actions
- All audit artifacts are stored locally within the project workspace, not remote third-party servers, retaining full data ownership for enterprise teams
Additional hard security guardrails enforced at the proxy layer:
- Mandatory HTTPS-only tunnel endpoints; plain HTTP connections are blocked entirely
- DNS rebinding protection to prevent unauthorized network endpoint hijacking
- Scope isolation for shell, Git, and PR workflow tools; each capability set operates under independent permission limits
- Immutable session binding: MCP session IDs cannot be reused across separate tunnel connections to prevent replay attacks
6. Differentiation From Generic Simple LLM Bridges
Most conventional cross-agent bridge tools suffer three critical flaws that Proxide mitigates with its Rust MCP-first architecture:
| Generic Simple Bridge | Proxide MCP Proxy |
|---|---|
| Single-agent locked design, incompatible with multi-type agents | Universal compatibility with any MCP-supporting agent (Claude Code, Codex, web GPT Pro, Cursor CLI) |
| Browser-only operation, no native local MCP server integration | Dual-mode support: Browser fallback Bridge Mode + native Rust MCP Connector Mode |
| Weak static authentication with no progressive permission tiers | Three-tier staircase trust system with explicit human handoff approval |
| No persistent audit trail for model filesystem activity | Complete immutable audit logging for every tool call and file modification |
Proxide’s core design principle prioritizes boundary definition before automation: all workspace access rules are locked in configuration first, and automated agent workflows are only enabled after security constraints are fully validated.
7. Applicable Scenarios & Limitations
Ideal Use Cases
- Developers restricted from native Claude Fable access, requiring GPT-5.5 Pro reasoning inside Claude Code’s local IDE workflow
- Teams needing web-side flagship model code review without granting full local filesystem write access to remote LLMs
- Multi-agent hybrid stacks combining local desktop agents (Codex / Cursor) and web-based GPT Pro for split responsibility code workflows
- Enterprise teams requiring full audit traceability of all LLM repository read/write operations for compliance requirements
Not Recommended Scenarios
- Simple one-off snippet queries: Basic Bridge Mode manual copy-paste is sufficient, no need for full MCP server deployment
- Long-term public exposed MCP tunnels without strict IP whitelisting: Unrestricted public endpoints expand attack surface
- Teams lacking standardized Git/PR workflow rules: Proxide only enforces access boundaries, it cannot replace internal code review governance processes
8. Conclusion
Proxide delivers a secure, universal cross-agent MCP proxy solution that resolves the core conflict between leveraging powerful web-side models like GPT-5.5 Pro and protecting private local code repository security within Claude Code and other desktop IDE agents. Its dual-mode operation caters to lightweight read-only review and full interactive MCP automation respectively, while the tiered staircase permission architecture eliminates the all-or-nothing access risk of generic bridge tools.
The standardized sequential onboarding runbook lowers entry barriers for new developers, and the built-in immutable audit trail addresses enterprise compliance demands for traceable LLM filesystem activity. For engineering teams operating mixed fleets of local desktop agents and web flagship models, unified traffic orchestration via platforms such as 4sapi can centralize cross-model endpoint management alongside Proxide’s local MCP proxy deployments.
Built on Rust’s high-performance secure runtime and fully aligned with official MCP protocol specifications, Proxide establishes a production-grade secure workflow to integrate alternate flagship LLMs into restricted native agent environments without sacrificing local repository data security.




