Best practices for working with remote/local code Repo with MCP Connectors & Developer Mode

Hi OpenAI Team and Community,

With the recent rollout of MCP (Model Context Protocol) support in ChatGPT Web / Developer Mode, we’ve seen a surge in users connecting their local repositories to GPT-5.5/Pro models, so I’ve been developing an MCP runtime called coding-tools-mcp since May.

My question is regarding the official stance on “Agentic Safety” for local/remote coding tools:

In my project, I’ve implemented Linux Landlock and Docker sandboxing to ensure the model cannot perform destructive operations or leak sensitive .env files, even if prompted.

  1. Does OpenAI have specific security guidelines for third-party MCP connectors accessing local/remote filesystems?
  2. Is there a preferred “Semantic Tool” pattern (e.g., using apply_patch vs. raw bash) that OpenAI recommends for better model alignment?

I believe that for MCP to be a viable professional tool, we need to move past simple “wrappers” and move toward secure, stateful runtimes. I’d love to get feedback on the architecture I’ve built:
GitHub: xyTom/coding-tools-mcp
Docs: coding-1afcb9be.mintlify.app

Looking forward to your thoughts!

For remote/local repo work, I would separate the workflow into three trust zones rather than one broad MCP connection:

  1. Read-only inspection: list files, read selected files, search symbols, summarize diffs.
  2. Planned mutation: propose a file-level patch plan before any write-capable tool is exposed.
  3. Execution: allow writes only after the target paths, command budget, and rollback condition are explicit.

The biggest failure mode is letting a connector prove it can access the repo, then immediately treating that as permission to mutate the repo. I would also keep a small audit note per run: repo/ref, allowed paths, tools granted, commands run, and files changed.
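The three trust zones and the per-run audit note described in the reply above, as an added Python example; this is not code from coding-tools-mcp or from either poster, and the tool names, session fields, plan shape and sample paths are constructed for illustration. The gate refuses write-capable tools until a plan with explicit target paths, command budget and rollback condition has been approved, normalizes paths so traversal cannot escape the allowed roots, and records the audit fields the reply lists.

```python
"""Trust-zone gating for a repo connector (constructed example, not a real MCP server)."""
from __future__ import annotations

import posixpath
from dataclasses import dataclass, field

# Constructed tool names; a real connector would map its own tools onto these two sets.
READ_ONLY_TOOLS = {"list_files", "read_file", "search_symbols", "summarize_diff"}
WRITE_TOOLS = {"apply_patch", "run_command"}


def _normalize(path: str) -> str:
    """Collapse '.' and '..' so the prefix check below cannot be bypassed with traversal."""
    return posixpath.normpath("/" + path.lstrip("/"))


def _within(path: str, roots: list[str]) -> bool:
    """True when path (after normalization) is one of roots or lies under one of them."""
    p = _normalize(path)
    for root in roots:
        r = _normalize(root)
        if p == r or p.startswith(r.rstrip("/") + "/"):
            return True
    return False


@dataclass
class MutationPlan:
    """Zone 2 output: what may change, how many commands may run, and how to undo it."""
    target_paths: list[str]
    command_budget: int
    rollback: str


@dataclass
class Session:
    """One connector run; accumulates the audit note the reply recommends keeping."""
    repo_ref: str
    allowed_paths: list[str]
    plan: MutationPlan | None = None
    commands_run: int = 0
    tools_granted: set[str] = field(default_factory=set)
    files_changed: set[str] = field(default_factory=set)
    log: list[str] = field(default_factory=list)

    def audit_note(self) -> dict:
        return {
            "repo_ref": self.repo_ref,
            "allowed_paths": list(self.allowed_paths),
            "tools_granted": sorted(self.tools_granted),
            "commands_run": self.commands_run,
            "files_changed": sorted(self.files_changed),
        }


def approve_plan(session: Session, plan: MutationPlan) -> tuple[bool, str]:
    """Zone 2 -> zone 3 transition: a vague plan never unlocks write tools."""
    if not plan.target_paths:
        return False, "plan names no target paths"
    if plan.command_budget <= 0:
        return False, "plan has no command budget"
    if not plan.rollback.strip():
        return False, "plan has no rollback condition"
    outside = [p for p in plan.target_paths if not _within(p, session.allowed_paths)]
    if outside:
        return False, f"target paths outside allowed roots: {outside}"
    session.plan = plan
    session.log.append(f"plan approved: targets={plan.target_paths} budget={plan.command_budget}")
    return True, "plan approved"


def _allow(session: Session, tool: str) -> tuple[bool, str]:
    session.tools_granted.add(tool)
    session.log.append(f"allow {tool}")
    return True, "allowed"


def _deny(session: Session, tool: str, reason: str) -> tuple[bool, str]:
    session.log.append(f"deny {tool}: {reason}")
    return False, reason


def authorize(session: Session, tool: str, args: dict) -> tuple[bool, str]:
    """Decide one tool call. Being able to read the repo never implies permission to mutate it."""
    if tool in READ_ONLY_TOOLS:  # zone 1: inspection, still confined to allowed roots
        path = args.get("path")
        if path is not None and not _within(path, session.allowed_paths):
            return _deny(session, tool, f"{path} is outside the allowed roots")
        return _allow(session, tool)
    if tool not in WRITE_TOOLS:
        return _deny(session, tool, "unknown tool")
    if session.plan is None:  # zone 3 requires an approved zone 2 plan
        return _deny(session, tool, "no approved mutation plan")
    if tool == "apply_patch":
        path = args["path"]
        if not _within(path, session.plan.target_paths):
            return _deny(session, tool, f"{path} is not a planned target")
        session.files_changed.add(_normalize(path).lstrip("/"))
        return _allow(session, tool)
    if session.commands_run >= session.plan.command_budget:  # run_command
        return _deny(session, tool, "command budget exhausted")
    session.commands_run += 1
    return _allow(session, tool)
```

In use, the connector would call `authorize` before dispatching every tool and persist `session.audit_note()` plus `session.log` at the end of the run; the plan approval step is where a human or a policy check sits between the model's proposal and any write.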