Policy Rules
Control what tools Codex can use with allow/deny rules from the chat prompt
Control what tools Codex can use, right from the chat prompt. Policy rules are evaluated before intent plans. A denied tool stays denied even if it is in the plan.
Commands
| Command | Example |
|---|---|
| Create a rule | Block any Bash command containing curl. |
| List all rules | Show me the current ArmorCodex security policies. |
| Delete a rule | Remove rule policy1. |
| Clear all rules | Clear all ArmorCodex policy rules. |
| Modify a rule | Update rule policy1 to allow curl. |
| Show help | Policy help |
ArmorCodex's MCP server exposes three tools: register_intent_plan, policy_read, and policy_update. Codex's natural-language layer translates the prompts above into the right policy_update payload, but you can also speak the explicit form (Policy new: deny Bash containing curl).
How Rules are Evaluated
- Rules evaluate top-to-bottom in the order they appear
- First matching rule wins (allow, deny, or require_approval)
- No match means allow (default-open for local policies)
New rules are added at the top, giving them the highest priority.
Matcher Operators
Rules can match parameters with operator-based predicates:
| Operator | Meaning |
|---|---|
| $equals | Exact string match |
| $contains | Substring match |
| $startsWith / $endsWith | Prefix/suffix match |
| $matches | Regex match |
| $pathContains | Path match (canonicalizes ~ and absolute forms) |
| anyParam | Apply the operator across every string field on the tool input |
Plain string sugar is supported: anyParam: "curl" is the same as anyParam: { "$contains": "curl" }.
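To make the evaluation order and the operators above concrete, here is a small added Python evaluator. It is not ArmorCodex's own code: the rule shape, the tool names and the parameter names are assumptions, and $pathContains is approximated by expanding ~ rather than fully canonicalizing paths.

```python
import os
import re

# Constructed rule shape (an assumption, not ArmorCodex's real policy.json schema):
# {"id", "action": allow|deny|require_approval, "tool": optional name, "match": {param or "anyParam": predicate}}
# where a predicate is {"$op": arg} or a plain string, which is sugar for {"$contains": string}.
OPERATORS = {
    "$equals": lambda arg, v: v == arg,
    "$contains": lambda arg, v: arg in v,
    "$startsWith": lambda arg, v: v.startswith(arg),
    "$endsWith": lambda arg, v: v.endswith(arg),
    "$matches": lambda arg, v: re.search(arg, v) is not None,
    # $pathContains approximates canonicalisation by expanding ~ on both sides
    "$pathContains": lambda arg, v: os.path.expanduser(arg) in v.replace("~", os.path.expanduser("~")),
}

def _predicate(pred, value):
    """Apply one matcher operator to a single string value."""
    if isinstance(pred, str):  # plain-string sugar
        pred = {"$contains": pred}
    (op, arg), = pred.items()
    return OPERATORS[op](arg, value)

def _string_fields(obj):
    """Yield every string in the tool input, including nested dicts and lists."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from _string_fields(v)

def _rule_matches(rule, tool, params):
    if rule.get("tool") not in (None, tool):
        return False
    for key, pred in rule["match"].items():  # every listed parameter must match
        values = list(_string_fields(params)) if key == "anyParam" else [params.get(key)]
        if not any(_predicate(pred, v) for v in values if isinstance(v, str)):
            return False
    return True

def evaluate(rules, tool, params):
    """Top-to-bottom, first match wins; no match means allow (default-open)."""
    for rule in rules:
        if _rule_matches(rule, tool, params):
            return rule["action"], rule["id"]
    return "allow", None

def build_rules():
    """Constructed sample policy; a new rule is inserted at index 0 so it takes priority."""
    return [
        {"id": "policy1", "action": "deny", "tool": "Bash", "match": {"command": "curl"}},
        {"id": "policy2", "action": "require_approval", "match": {"anyParam": {"$pathContains": "~/.ssh"}}},
    ]
```

Inserting an allow rule at index 0 that matches a narrower command makes it win over the older deny, which is the "new rules go on top" behaviour described above.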
Data Classification
ArmorCodex auto-detects sensitive data in tool arguments:
| Class | What it detects |
|---|---|
| PCI | Credit card numbers (Luhn validation), card-related keywords |
| PAYMENT | Payment tool names, banking keywords (IBAN, SWIFT, routing) |
| PHI | Health/medical data (manual policy) |
| PII | Personal data, SSN (manual policy) |
Example: Block Payment Data
Block any tool call that handles payment data.
If Codex tries to write a credit card number to a file, ArmorCodex will detect PCI data, match against the payment policy, and block the tool call.
Agent-Managed Policies
When ArmorCodex blocks a tool, Codex sees the denial and may ask:
"The Bash call was blocked by deny-bash-curl. Would you like me to update the policy to allow it?"
If you say yes, Codex calls the policy_update MCP tool to modify or delete the rule, then retries. This is safe because policy_update is whitelisted (never blocked by intent enforcement) and the policy change is logged.
Where Policies are Stored
Policies persist across sessions in the plugin data directory:
```shell
cat ~/.armoriq/armorCodex/plugins/armorcodex/data/policy.json
```
They survive restarts, plugin updates, and re-installs.