feat(codex): add AgenTrust agent integrity plugin#45
Merged
Conversation
carloshvp
marked this pull request as ready for review
July 17, 2026 16:13
imran-siddique
approved these changes
Jul 17, 2026
imran-siddique
left a comment
Contributor
There was a problem hiding this comment.
Reviewed the full diff against the PR claims. Approving.
Verified:
- All 11 CI checks green. The one CodeQL alert (py/overly-permissive-file at capture.py:758, world-readable chmod) was real on an earlier commit and is fixed on the final one (now os.chmod(temporary, 0o600)); the open-alerts query on the head returns empty.
- Privacy holds in the code, not just the docs: instructions, policy, skills, and plugins are all stored as sha256 fingerprints, host/user are pseudonymized, session id is hashed. The MCP capture is an allowlist parse of server/plugin names plus approval_policy and sandbox_mode only, so no config values or secrets are recorded. The privacy tests confirm it.
- SessionStart path is stdlib-only with no network (socket is only gethostname).
- All three signed records go through the 0600 atomic write (temp file, fsync, chmod, os.replace). The signing bootstrap uses a fixed subprocess arg list with no shell, from pinned requirements.
- The Limits section is honest: Level 0 is a software claim, artifact-binding caveat is stated, Windows launcher was not part of the live e2e run.
Optional, non-blocking: the agentrust state dir and the report outdir are created with the default umask. The files are 0600, but the dirs are world-traversable. Consider mkdir mode 0o700 for defense in depth. Not a blocker.
Nice work.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changed
agentrust-codexplugin with a repository marketplace entryagent-integrityskill for verification, explicit baseline approval, and signed report generationWhy
Codex can compose an agent from layered instructions, skills, plugins, policy, and MCP configuration. This integration gives that composition a local, reviewable integrity baseline and lets users create portable signed governance records without collecting prompts, transcripts, auth data, tool I/O, or raw config values.
The SessionStart path uses only the Python standard library and makes no network request. Signing dependencies are installed into a dedicated environment only after a signed-report request.
Validation
I also tested the published layout end to end with Codex 0.144.2 in a fresh disposable
CODEX_HOME:agentrust-codex@agentrust$agentrust-codex:agent-integrityVALIDwithsignature_verified: trueand no mismatches0600and the repository stayed cleanLimits