ArmorCodex

April 24, 2026 · View on GitHub

ArmorIQ intent-based security enforcement for OpenAI Codex. ArmorCodex asks Codex to declare a Bash execution plan before it runs commands, checks each Bash command against that plan and local policy, and optionally sends signed intent and audit events to ArmorIQ IAP.

Current Codex Harness

ArmorCodex is built for the current Codex hook harness documented by OpenAI:

  • Hooks are discovered from ~/.codex/hooks.json and <repo>/.codex/hooks.json.
  • Hooks require [features] codex_hooks = true in ~/.codex/config.toml.
  • PreToolUse, PermissionRequest, and PostToolUse currently emit Bash only.
  • Non-Bash tools such as MCP, file edits, web search, and write/apply-patch are not directly intercepted by Codex hooks today.

Treat ArmorCodex as a strong Bash guardrail and audit layer, not a complete boundary for every Codex capability.

See Codex harness limitations for the harness gaps that need to be addressed before ArmorCodex can claim broader tool coverage.

Sources: OpenAI Codex hooks docs and plugin build docs: https://developers.openai.com/codex/hooks https://developers.openai.com/codex/plugins/build

How It Works

User Prompt -> UserPromptSubmit -> intent-plan directive
                                  |
Codex calls register_intent_plan MCP tool
                                  |
Bash command -> PreToolUse -> policy + intent verification -> allow/deny
Approval request -> PermissionRequest -> policy approval gate
Bash result -> PostToolUse -> audit log to ArmorIQ IAP

Install

From This Checkout

npm install
chmod +x install_armorcodex.sh
./install_armorcodex.sh

The installer enables codex_hooks, installs the Codex plugin through the ArmorIQ marketplace, and can install the repo hook file globally when run from this checkout.

Manual Repo-Local Setup

npm install
mkdir -p ~/.codex
printf '\n[features]\ncodex_hooks = true\n' >> ~/.codex/config.toml

Then run Codex from this repository. The repo-local hook file is already at .codex/hooks.json.

Manual MCP Setup

ArmorCodex ships a Codex plugin manifest at .codex-plugin/plugin.json and an MCP server config at .mcp.json. The MCP server exposes:

  • register_intent_plan
  • policy_read
  • policy_update

Configuration

Core environment variables:

VariableDefaultDescription
ARMORCODEX_MODEenforceenforce blocks failures; monitor logs only
ARMORCODEX_INTENT_REQUIREDtrueRequire a registered intent plan before Bash
ARMORCODEX_DATA_DIR~/.codex/armorcodexRuntime, policy, and pending-plan storage
ARMORCODEX_DEBUGfalseDebug logs on stderr
ARMORIQ_API_KEYfrom ~/.armoriq/credentials.jsonArmorIQ backend key
ARMORCODEX_AUDIT_ENABLEDtrue when API key existsSend audit logs
ARMORCODEX_CRYPTO_POLICY_ENABLEDfalseEnable Merkle policy binding

Policy Commands

From a Codex prompt:

  • Policy list
  • Policy get <id>
  • Policy delete <id>
  • Policy reset
  • Policy new: deny Bash for payment data
  • Policy update <id>: allow Bash
  • Policy prioritize <id> <position>

Tests

npm test

Repository Structure

armorCodex/
├── .codex/hooks.json              # Repo-local Codex hook registration
├── .codex-plugin/plugin.json      # Codex plugin manifest
├── .mcp.json                      # ArmorCodex MCP server config
├── hooks/hooks.json               # Plugin-local hook reference
├── scripts/
│   ├── bootstrap.mjs              # Lazy dependency installer and dispatcher
│   ├── hook-router.mjs            # Codex hook router
│   ├── policy-mcp.mjs             # MCP server
│   └── lib/                       # Policy, intent, IAP, crypto, runtime modules
└── tests/