Three ingredients, one bowl.
Poke controls Codex — but Codex stays local, secure, and under your policy. Here's how the pieces fit together.
1 · Poke
Where you send requests, from any Poke surface.
- "In workspace pokedex, analyze the project and tell me what it does."
- "Review the code and flag bugs or risks."
2 · Relay MCP
The public endpoint that exposes MCP over HTTPS.
- Receives requests from Poke
- Validates auth & user
- Forwards to your connected agent
- Never works on your files directly
3 · Local Agent
Runs on your computer and talks to Codex.
- Connects outbound via WebSocket — no open ports
- Receives typed requests from the relay
- Checks workspaces & permissions
- Starts Codex in the authorized project
Poke gets a remote, not the keys
Pokedex exists so Poke never has direct access to your machine. Every request goes through typed tools and local policy.
Logical names in, real paths never out
Local projects are exposed through safe aliases. Poke works with clean logical names while real paths stay on your machine.
workspaces:
  pokedex:
    path: /home/user/projects/pokedex
    sandbox: read_only
  side-project:
    path: /home/user/dev/side-project
    sandbox: workspace_write
──────────────────
pokedex · read_only
side-project · workspace_write
real paths: not included
Read-only by default. Always.
Out of the box, Codex can read but not modify files. Riskier modes must be enabled both in the agent and in the individual workspace.
read_only
The safe default. Codex can analyze, plan and review — but never writes a byte.
workspace_write
Allows modifications, but only inside the authorized workspace. Nothing outside it.
danger_full_access
Disabled unless explicitly permitted — in the agent and in the workspace. The name is the warning.
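
The alias mapping and the two-level mode check described above, sketched in Python as an added example (not Pokedex's own code). The function names, the agent_enabled set and the downgrade to read_only are assumptions; the workspace entries are the sample config from this page.

```python
# Added illustration, not Pokedex source code. Every name below is hypothetical.
from dataclasses import dataclass

MODES = ("read_only", "workspace_write", "danger_full_access")
DEFAULT_MODE = "read_only"

class PolicyError(Exception):
    """Raised when a request names an alias or mode the policy does not know."""

@dataclass(frozen=True)
class Workspace:
    path: str                    # real path; stays on the agent side
    sandbox: str = DEFAULT_MODE  # mode enabled for this workspace

# The two workspaces from the sample config on this page.
WORKSPACES = {
    "pokedex": Workspace("/home/user/projects/pokedex", "read_only"),
    "side-project": Workspace("/home/user/dev/side-project", "workspace_write"),
}

def public_view(workspaces):
    """What leaves the machine: alias and sandbox mode, never the path."""
    return [{"name": name, "sandbox": ws.sandbox}
            for name, ws in sorted(workspaces.items())]

def effective_mode(ws, agent_enabled):
    """A mode above read_only applies only if the agent AND the workspace enable it."""
    if ws.sandbox not in MODES:
        raise PolicyError("unknown sandbox mode in workspace config")
    if ws.sandbox != DEFAULT_MODE and ws.sandbox not in agent_enabled:
        return DEFAULT_MODE      # assumption: downgrade rather than reject
    return ws.sandbox

def resolve(workspaces, agent_enabled, alias):
    """Map a logical name to (real path, mode) for launching Codex locally."""
    ws = workspaces.get(alias)   # exact alias match only; paths are not accepted
    if ws is None:
        raise PolicyError("unknown workspace")  # message carries no path
    return ws.path, effective_mode(ws, agent_enabled)
```

With an empty agent_enabled set, side-project resolves to read_only even though its workspace entry says workspace_write, and a request that names a real path instead of an alias is rejected.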