Skip to content

feat(codex): add AgenTrust agent integrity plugin#45

Merged
imran-siddique merged 2 commits into
agentrust-io:mainfrom
carloshvp:add-agentrust-codex
Jul 17, 2026
Merged

feat(codex): add AgenTrust agent integrity plugin#45
imran-siddique merged 2 commits into
agentrust-io:mainfrom
carloshvp:add-agentrust-codex

Conversation

@carloshvp

@carloshvp carloshvp commented Jul 17, 2026

Copy link
Copy Markdown
Member

What changed

  • add an installable agentrust-codex plugin with a repository marketplace entry
  • fingerprint workspace-scoped Codex instructions, skills, policy files, enabled plugins, configured MCP servers, model, and permission mode
  • establish a local SessionStart baseline and warn on named composition changes
  • add an agent-integrity skill for verification, explicit baseline approval, and signed report generation
  • emit signed Agent Manifest and TRACE Level 0 records with pinned released AgenTrust packages
  • write local state and signed record files with owner-only permissions
  • add privacy and operating-limit documentation plus dedicated test matrices

Why

Codex can compose an agent from layered instructions, skills, plugins, policy, and MCP configuration. This integration gives that composition a local, reviewable integrity baseline and lets users create portable signed governance records without collecting prompts, transcripts, auth data, tool I/O, or raw config values.

The SessionStart path uses only the Python standard library and makes no network request. Signing dependencies are installed into a dedicated environment only after a signed-report request.

Validation

  • dependency-free suite on Python 3.11: 10 passed, 3 signing tests skipped
  • full signing suite on Python 3.11: 13 passed
  • full signing suite on Python 3.12: 13 passed
  • Ruff lint and formatting checks passed
  • Codex plugin manifest and repository marketplace validation passed
  • integration schema and plugin structure validation passed
  • existing Claude Code integration suite: 13 passed, 2 skipped
  • CodeQL passed with no open alert on the final commit

I also tested the published layout end to end with Codex 0.144.2 in a fresh disposable CODEX_HOME:

  1. added this repository as a marketplace
  2. installed agentrust-codex@agentrust
  3. started a real Codex session and exercised the SessionStart baseline hook
  4. invoked $agentrust-codex:agent-integrity
  5. bootstrapped the pinned signing environment and generated all three records
  6. independently verified the Agent Manifest as VALID with signature_verified: true and no mismatches
  7. verified TRACE Level 0 with 8 passing checks and 0 skipped
  8. confirmed all three generated record files had mode 0600 and the repository stayed clean

Limits

  • TRACE Level 0 makes a software-integrity claim, not a TEE or hardware-attestation claim.
  • The Agent Manifest signature is independently verifiable. Artifact-binding verification still needs runtime hashes measured outside the signed manifest, which the README states explicitly.
  • The Windows launcher is included, but the live end-to-end run was performed on macOS.

Comment thread plugins/agentrust-codex/engine/capture.py Fixed
@carloshvp
carloshvp marked this pull request as ready for review July 17, 2026 16:13

@imran-siddique imran-siddique left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the full diff against the PR claims. Approving.

Verified:

  • All 11 CI checks green. The one CodeQL alert (py/overly-permissive-file at capture.py:758, world-readable chmod) was real on an earlier commit and is fixed on the final one (now os.chmod(temporary, 0o600)); the open-alerts query on the head returns empty.
  • Privacy holds in the code, not just the docs: instructions, policy, skills, and plugins are all stored as sha256 fingerprints, host/user are pseudonymized, session id is hashed. The MCP capture is an allowlist parse of server/plugin names plus approval_policy and sandbox_mode only, so no config values or secrets are recorded. The privacy tests confirm it.
  • SessionStart path is stdlib-only with no network (socket is only gethostname).
  • All three signed records go through the 0600 atomic write (temp file, fsync, chmod, os.replace). The signing bootstrap uses a fixed subprocess arg list with no shell, from pinned requirements.
  • The Limits section is honest: Level 0 is a software claim, artifact-binding caveat is stated, Windows launcher was not part of the live e2e run.

Optional, non-blocking: the agentrust state dir and the report outdir are created with the default umask. The files are 0600, but the dirs are world-traversable. Consider mkdir mode 0o700 for defense in depth. Not a blocker.

Nice work.

@imran-siddique
imran-siddique merged commit 92aa173 into agentrust-io:main Jul 17, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants