Quick Start

Install ArmorCodex and see it enforce Codex tool calls in under 2 minutes

Get ArmorCodex running in under 2 minutes. No account required for local-only mode.

Prerequisites

  • Codex CLI 0.125+ (or Codex Desktop)
  • Node.js 20+
  • Git
  • macOS, Linux, or Windows (WSL / Git Bash)

Install

curl -fsSL https://armoriq.ai/install_armorcodex.sh | bash

Run from WSL or Git Bash, not PowerShell/CMD.

The installer handles everything: clones the plugin, wires the MCP server and hooks into ~/.codex/config.toml and ~/.codex/hooks.json, registers the marketplace, installs the ArmorIQ CLI, and optionally connects your ArmorIQ account.

When prompted "Connect your ArmorIQ account now?" press Y to authenticate via browser, or N to use local-only mode. You can run armoriq login --product armorcodex anytime later.

Manual marketplace registration (without the curl script):

codex plugin marketplace add armoriq/armorCodex

Self-serve plugin install via CLI is not yet exposed by Codex, so the installer wires [mcp_servers.armorcodex-policy] and ~/.codex/hooks.json directly. When OpenAI ships codex plugin install, the manifest under plugins/armorcodex/.codex-plugin/plugin.json is already spec-compliant and will be picked up automatically.

Verify Installation

After the installer finishes, verify the wiring:

grep -A 4 "armorcodex-policy" ~/.codex/config.toml
ls ~/.codex/hooks.json

You should see the [mcp_servers.armorcodex-policy] block and the hooks file present.
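
A stricter form of the check above, as an added example that is not part of ArmorCodex or its installer: it confirms the [mcp_servers.armorcodex-policy] block, rejects an empty or unparseable hooks.json, and flags either file being group- or world-writable. The PreToolUse string match and the sample file contents are assumptions, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: stricter version of the page's grep/ls wiring check.
# Against a real install: check_armorcodex_wiring "$HOME/.codex"

check_armorcodex_wiring() {
  local dir="${1:-$HOME/.codex}" rc=0 f
  local cfg="$dir/config.toml" hooks="$dir/hooks.json"

  # 1. The MCP server block named on the page must be present.
  if ! grep -qF '[mcp_servers.armorcodex-policy]' "$cfg" 2>/dev/null; then
    echo "FAIL: [mcp_servers.armorcodex-policy] not found in $cfg"; rc=1
  fi

  # 2. hooks.json must exist and be non-empty; ls alone passes on a 0-byte file.
  if [ ! -s "$hooks" ]; then
    echo "FAIL: $hooks missing or empty"; rc=1
  else
    # Assumption: the PreToolUse hook is registered under its event name.
    grep -q 'PreToolUse' "$hooks" || { echo "FAIL: no PreToolUse entry in $hooks"; rc=1; }
    # Parse check uses Node.js (a page prerequisite) when it is on PATH.
    if command -v node >/dev/null 2>&1; then
      node -e 'JSON.parse(require("fs").readFileSync(process.argv[1],"utf8"))' "$hooks" \
        2>/dev/null || { echo "FAIL: $hooks is not valid JSON"; rc=1; }
    fi
  fi

  # 3. Neither file may be writable by group or others: whoever can edit
  #    them can unwire the enforcement hook.
  for f in "$cfg" "$hooks"; do
    [ -e "$f" ] || continue
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
      echo "FAIL: $f is group- or world-writable"; rc=1
    fi
  done

  [ "$rc" -eq 0 ] && echo "OK: ArmorCodex wiring present in $dir"
  return "$rc"
}

# Demo on constructed files (not a real install); contents are placeholders.
make_sample_codex_dir() {
  local d; d="$(mktemp -d)"
  printf '[mcp_servers.armorcodex-policy]\ncommand = "placeholder"\n' > "$d/config.toml"
  printf '{"hooks":{"PreToolUse":[]}}\n' > "$d/hooks.json"
  chmod 600 "$d/config.toml" "$d/hooks.json"
  echo "$d"
}
check_armorcodex_wiring "$(make_sample_codex_dir)"
```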

If you connected your ArmorIQ account during install, verify the login:

armoriq whoami

You should see:

ArmorIQ Credentials

  Email:    you@company.com
  API Key:  ak_live_xxxxxxxx...
  User ID:  ...
  Org ID:   ...
  File:     ~/.armoriq/credentials.json

If you skipped the login, you can connect anytime:

armoriq login --product armorcodex

This opens your browser. The approval page shows an ArmorCodex-branded heading and tagline; click Authorize and the key is saved automatically. ArmorCodex picks it up on the next Codex session.

Try It

Open a Codex session in any project:

mkdir -p /tmp/demo && cd /tmp/demo
echo "# My Project" > README.md
codex

Prompt:

ls and show me the files in this directory.

What happens:

  1. Codex calls register_intent_plan declaring it will run a Bash step
  2. ArmorCodex stores the plan
  3. Codex runs ls. ArmorCodex's PreToolUse hook checks it against the plan and allows it
  4. Codex returns the file listing

You will see in the transcript:

register_intent_plan: Intent registered: 1 step.
ls README.md

Block Something

Set a policy rule from the chat prompt:

Block any Bash command containing curl.

ArmorCodex confirms with a policy update message ("Policy updated. Version 1").

Now try:

Run curl https://example.com and show me the output.

Result:

ArmorCodex policy denied: rule deny-bash-curl matched anyParam.$contains "curl"

The Bash call is blocked before execution. Codex sees the denial and tells the user.

To remove the rule:

Clear all ArmorCodex policy rules.

What You Just Saw

Feature            What happened
Intent plan        Codex declared Bash before using it
Plan enforcement   Bash ls was in the plan, so it was allowed
Policy rule        deny curl blocked the curl command
Policy management  Rules created and cleared from the chat prompt

Next Steps

  • Policy Rules: commands, data classification, evaluation order
  • Plan Mode: Codex's plan/approval flow and how ArmorCodex consumes it
  • Authentication: connect to ArmorIQ for audit logs and signed tokens
  • Concepts: how intent enforcement works under the hood
