
Plan Mode

ArmorCodex integrates with Codex's approval flow so the agent's plan becomes the enforced intent plan.


Plan Mode Integration

Codex doesn't ship a separate "plan mode" toggle the way Claude Code does, but it has the same shape: the agent describes a plan, you approve it, and execution proceeds. ArmorCodex hooks into both halves so the plan and the actual tool calls stay in sync.

How to Use

  1. Type your prompt (e.g. "Add a summary file for /etc")
  2. Codex thinks, then writes a plan, often as a fenced JSON block at the end of its message
  3. Codex calls register_intent_plan (the ArmorCodex MCP tool) with the plan
  4. Codex executes the steps; ArmorCodex's PreToolUse hook checks each tool against the registered plan

What the Plan Looks Like

The agent's register_intent_plan payload looks like this:

{
  "goal": "Create etc-notes.md with a one-line summary of /etc",
  "steps": [
    {
      "action": "Bash",
      "description": "Write the summary file",
      "metadata": {
        "inputs": {
          "command": "echo '/etc contains system-wide configuration files.' > /tmp/demo/etc-notes.md"
        }
      }
    },
    {
      "action": "Bash",
      "description": "Verify the file was written",
      "metadata": {
        "inputs": { "command": "cat /tmp/demo/etc-notes.md" }
      }
    }
  ]
}

If the agent's metadata.inputs keys don't match the tool's actual input shape, ArmorCodex falls back to a tool-name-only check rather than blocking on a benign mismatch (the most common case is the agent declaring cmd while the real Bash tool input is command).
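
A minimal sketch of the fallback described above, added here as an illustration and not ArmorCodex's own code. The function name check_tool_call, the decision labels, and the rule that a value mismatch on matching keys is denied are assumptions; the plans are constructed sample data.

```python
# Constructed plans in the payload shape shown above (sample data).
PLAN_OK = {"goal": "demo", "steps": [
    {"action": "Bash", "description": "Verify the file was written",
     "metadata": {"inputs": {"command": "cat /tmp/demo/etc-notes.md"}}}]}
# Same step, but the agent declared "cmd"; the real Bash input key is "command".
PLAN_CMD = {"goal": "demo", "steps": [
    {"action": "Bash", "description": "Verify the file was written",
     "metadata": {"inputs": {"cmd": "cat /tmp/demo/etc-notes.md"}}}]}


def check_tool_call(plan, tool_name, tool_input):
    """Return (allowed, reason) for one tool call checked against a plan.

    Assumed semantics for this sketch:
      no step names the tool                      -> deny
      declared keys present, values equal         -> allow, "exact"
      declared keys present, values differ        -> step does not match
      declared keys missing from the real input   -> allow, "name-only"
    """
    name_only = False
    for step in plan.get("steps", []):
        if step.get("action") != tool_name:
            continue
        declared = (step.get("metadata") or {}).get("inputs") or {}
        if not declared or not set(declared) <= set(tool_input):
            name_only = True  # shapes differ: only the tool name was compared
            continue
        if all(tool_input[key] == value for key, value in declared.items()):
            return True, "exact"
    if name_only:
        return True, "name-only"  # weaker decision, worth logging separately
    return False, "no-matching-step"


if __name__ == "__main__":
    calls = [
        (PLAN_OK, {"command": "cat /tmp/demo/etc-notes.md"}),
        (PLAN_OK, {"command": "ls /tmp/demo"}),
        (PLAN_CMD, {"command": "ls /tmp/demo"}),
    ]
    for plan, tool_input in calls:
        print(check_tool_call(plan, "Bash", tool_input), tool_input)
```

In this sketch a name-only decision compares no inputs, so recording the reason alongside the verdict lets a reviewer see which calls were checked by tool name alone.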

Two Plan Paths, Same Enforcement

| Path | When | How plan is captured |
| --- | --- | --- |
| MCP tool (default) | Regular prompts | Codex calls register_intent_plan as its first tool |
| Plan written in markdown | Codex emits a fenced JSON block in its plan message | ArmorCodex parses the JSON block from the message and registers it |

Both paths produce the same normalized plan and the same enforcement. The UserPromptSubmit hook injects a directive instructing Codex to register a plan before any tool call.

In practice, Codex often does both: it writes the plan inline AND calls register_intent_plan. The MCP path wins (consumed first), and the markdown path is a backup if the MCP call is suppressed.

Codex Hook Coverage

Codex's hook system fires on the following events today:

  • Bash tool calls (the original audited surface)
  • apply_patch (file edits)
  • MCP tool invocations

File reads and web search aren't directly intercepted yet; ArmorCodex enforces only what Codex emits hooks for. See CODEX_HARNESS_LIMITATIONS.md in the repo for the current scope.
