Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions .agents/plugins/marketplace.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
{
"name": "agentrust",
"interface": {
"displayName": "AgenTrust"
},
"plugins": [
{
"name": "agentrust-codex",
"source": {
"source": "local",
"path": "./plugins/agentrust-codex"
},
"policy": {
"installation": "AVAILABLE",
"authentication": "ON_INSTALL"
},
"category": "Security"
}
]
}
70 changes: 70 additions & 0 deletions .github/workflows/agentrust-codex-tests.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
name: agentrust-codex tests

on:
pull_request:
paths:
- ".agents/plugins/marketplace.json"
- "plugins/agentrust-codex/**"
- ".github/workflows/agentrust-codex-tests.yml"
- "README.md"
push:
branches: [main]
paths:
- ".agents/plugins/marketplace.json"
- "plugins/agentrust-codex/**"
- ".github/workflows/agentrust-codex-tests.yml"
- "README.md"

permissions:
contents: read

jobs:
stdlib:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version: ["3.9", "3.11", "3.13"]
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "${{ matrix.python-version }}"
- name: Run dependency-free capture tests
run: |
pip install pytest
python -m pytest plugins/agentrust-codex/tests -q

signing:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version: ["3.11", "3.12", "3.13"]
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "${{ matrix.python-version }}"
- name: Run signing and conformance tests
run: |
pip install pytest -r plugins/agentrust-codex/requirements.txt
python -m pytest plugins/agentrust-codex/tests -q

structure:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "3.12"
- name: Validate integration and plugin structure
run: |
pip install jsonschema pyyaml
python plugins/agentrust-codex/tests/validate_structure.py
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ TRACE only works as a standard if it is genuinely neutral. Integrations are list
| Integration | Vendor | Integrates with | Tier |
|---|---|---|---|
| [claude-code](claude-code/) | agentrust-io | agent-manifest, trace | community |
| [agentrust-codex](plugins/agentrust-codex/) | agentrust-io | agent-manifest, trace | community |

## Community

Expand Down
38 changes: 38 additions & 0 deletions plugins/agentrust-codex/.codex-plugin/plugin.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
{
"name": "agentrust-codex",
"version": "0.1.0",
"description": "Detect Codex agent-composition drift and emit signed Agent Manifest and TRACE session records.",
"author": {
"name": "agentrust-io",
"url": "https://github.com/agentrust-io"
},
"homepage": "https://github.com/agentrust-io/integrations/tree/main/plugins/agentrust-codex",
"repository": "https://github.com/agentrust-io/integrations",
"license": "Apache-2.0",
"keywords": [
"codex",
"agent-integrity",
"agent-manifest",
"trace",
"governance"
],
"skills": "./skills/",
"interface": {
"displayName": "AgenTrust for Codex",
"shortDescription": "Detect agent drift and create signed session records",
"longDescription": "Fingerprint Codex configuration at session start, compare it with a workspace baseline, and create signed Agent Manifest and TRACE Level 0 records on request.",
"developerName": "agentrust-io",
"category": "Developer Tools",
"capabilities": [
"Local configuration integrity",
"Signed governance records"
],
"websiteURL": "https://github.com/agentrust-io/integrations/tree/main/plugins/agentrust-codex",
"privacyPolicyURL": "https://github.com/agentrust-io/integrations/blob/main/plugins/agentrust-codex/PRIVACY.md",
"defaultPrompt": [
"Verify my Codex agent against its AgenTrust baseline.",
"Approve the current Codex agent baseline.",
"Generate signed Agent Manifest and TRACE records."
]
}
}
6 changes: 6 additions & 0 deletions plugins/agentrust-codex/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
__pycache__/
.pytest_cache/
*.py[cod]
manifest.json
trace.json
verification_key.json
45 changes: 45 additions & 0 deletions plugins/agentrust-codex/PRIVACY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
# Privacy

The AgenTrust for Codex plugin processes agent configuration on your machine.
It sends no telemetry, analytics, snapshots, baselines, signing keys, or
records to agentrust-io.

## Files it processes

The plugin reads selected Codex configuration and instruction files to compute
SHA-256 hashes:

- `AGENTS.md`, `AGENTS.override.md`, and the Codex memory summary
- skill definitions, plugin manifests, plugin hooks, and plugin scripts
- `config.toml`, `hooks.json`, `requirements.toml`, and rule files

It parses config files only to extract plugin names, MCP server names, approval
policy, sandbox mode, and enabled state. It does not store raw file contents or
other config values.

The SessionStart hook supplies the active model, permission mode, workspace,
and session ID. The plugin stores a hash of the workspace path and session ID.
It derives a pseudonymous local agent identifier from a hash of the username
and hostname.

The plugin does not open Codex `auth.json`, transcript files, tool inputs,
tool outputs, or environment secrets.

## Local data

The plugin writes baselines, latest snapshots, and its signing key below
`$CODEX_HOME/agentrust`, which defaults to `~/.codex/agentrust`. It requests
owner-only permissions for private state and signed report files. Signed
reports go to the output directory you choose.

The plugin makes no network request during SessionStart, snapshot, verify, or
approve. A signed-report request can run the included bootstrap, which installs
the exact released packages in `requirements.txt` from PyPI into a dedicated
local virtual environment.

Removing the plugin does not delete `$CODEX_HOME/agentrust`. This preserves
your baseline and signing identity if you reinstall it. You control removal of
that local state.

Questions and corrections:
https://github.com/agentrust-io/integrations/issues
141 changes: 141 additions & 0 deletions plugins/agentrust-codex/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,141 @@
# AgenTrust for Codex

A Codex plugin that fingerprints the agent configuration in each workspace,
warns when that composition changes, and creates signed Agent Manifest and
TRACE Level 0 records on request.

## Install

You need a Codex release with plugin and hook support. Drift detection supports
Python 3.9 or newer. Signed-record generation requires Python 3.11 or newer.

```bash
codex plugin marketplace add agentrust-io/integrations
codex plugin add agentrust-codex@agentrust
```

Start a new Codex session after installation. Open `/hooks`, review the
AgenTrust SessionStart hook, and trust it. Codex skips plugin hooks until you
trust their current definition.

The first trusted session records a baseline for the current Git workspace.
Later sessions stay quiet when the fingerprints match. Drift produces a
warning that names each changed category.

## Use it

The plugin packages the `agentrust-codex:agent-integrity` skill. Ask Codex:

```text
Use $agentrust-codex:agent-integrity to verify this Codex agent.
```

```text
Use $agentrust-codex:agent-integrity to approve the current baseline.
```

```text
Use $agentrust-codex:agent-integrity to generate signed records in ./agentrust-records.
```

Approval replaces the workspace baseline. The skill requires an explicit
approval request and leaves unexpected drift unapproved.

Signed-record generation, invoked with Python 3.11 or newer, creates a pinned
Python environment under
`$CODEX_HOME/agentrust/signing-venv` when needed. The plugin installs released
versions of `agent-manifest`, `agentrust-trace`, and
`agentrust-trace-tests` in that environment.

## Fingerprinted composition

The engine hashes these local inputs:

- the active user and workspace `AGENTS.md` or `AGENTS.override.md` files,
plus the Codex memory summary when present
- user, workspace, and enabled-plugin skill definitions
- Codex config, hooks, requirements, and rule files
- installed enabled plugins and configured MCP server names
- the active model and permission mode supplied by the SessionStart hook

Snapshots store logical names and SHA-256 hashes. They do not store raw prompt
text, config values, tool inputs, tool outputs, transcripts, auth data, or
environment secrets.

Each Git root gets its own baseline:

```text
$CODEX_HOME/agentrust/workspaces/<workspace-path-hash>/baseline.json
```

The plugin hashes the absolute Git-root path to select that directory but does
not store the path. It hashes the Codex session ID before storing it. It also
uses a pseudonymous hash for the local agent identity.

## Signed records

The report command writes:

- `manifest.json`, an Ed25519-signed Agent Manifest
- `trace.json`, a signed TRACE Level 0 session-context record
- `verification_key.json`, the public key for independent signature checks

The plugin keeps one manifest signing key at
`$CODEX_HOME/agentrust/signing_key.json`. It writes the key with owner-only
permissions where the operating system supports them. A corrupt key stops
signing so the plugin cannot replace an existing identity without notice.

Check TRACE conformance from a source checkout:

```bash
python3 -m venv .venv-agentrust-codex
.venv-agentrust-codex/bin/pip install -r plugins/agentrust-codex/requirements.txt
.venv-agentrust-codex/bin/python plugins/agentrust-codex/engine/capture.py \
report --model gpt-test --out ./agentrust-records
.venv-agentrust-codex/bin/trace-tests verify \
--record ./agentrust-records/trace.json --level 0
```

Use the real active model slug for a real record. The `gpt-test` value above
exists only to make a local smoke-test command reproducible.

## Limits

- TRACE Level 0 represents software integrity. It provides no TEE or
hardware-attestation claim.
- The instruction fingerprint covers visible `AGENTS.md` layers and the
local memory summary, not Codex's internal system prompt.
- A third party can verify the manifest signature with
`verification_key.json`. Verifying each artifact binding requires runtime
hashes measured outside the signed manifest.
- SessionStart exposes the model and permission mode but no complete built-in
tool roster. The tool catalog covers configured MCP servers, installed
enabled plugins, and any tools supplied through the engine's explicit CLI
option.
- The engine fingerprints workspace `.codex` files it can see on disk. It
cannot prove that Codex trusted and loaded each project layer.
- Codex may update the memory summary as you work. Such an update changes the
instruction fingerprint and requires review or approval.

## Test

```bash
python3 -m pytest plugins/agentrust-codex/tests -q
python3 /path/to/plugin-creator/scripts/validate_plugin.py \
plugins/agentrust-codex
```

The full test suite verifies workspace isolation, drift detection, hook failure
safety, corrupt-state handling, persistent signing identity, independent
manifest signature verification, tamper detection, and TRACE Level 0
conformance.

## Privacy

Read [PRIVACY.md](PRIVACY.md). The plugin processes configuration on the local
machine and sends no telemetry. The signing-environment bootstrap accesses PyPI
only after a signed-report request.

## License

Apache-2.0.
Loading