CDX-CFG-028: Unsupported Inline MCP bearer_token Field

Summary

• Rule ID: CDX-CFG-028
• Severity: HIGH
• Category: Codex CLI
• Normative Level: MUST
• Auto-Fix: No
• Verified On: 2026-04-25

Applicability

• Tool: codex
• Version Range: unspecified
• Spec Revision: unspecified

Evidence Sources

• https://github.com/openai/codex/pull/19294
• https://github.com/openai/codex/issues/19275

Test Coverage Metadata

• Unit tests: true
• Fixture tests: false
• E2E tests: false

Examples

The following examples demonstrate what triggers this rule and how to fix it.

Invalid

[mcp_servers.myserver]
url = "https://api.example.com"
bearer_token = "sk-live-..."

Valid

[mcp_servers.myserver]
url = "https://api.example.com"
bearer_token_env_var = "MY_API_TOKEN"