Codex · Plugin 04

Codex plugin

One Codex run. One new citizen of the agent economy.

The Chio Codex plugin wires the OpenAI Codex CLI into Chio's kernel through real Codex hooks and skills. chio-codex run turns every plan-then-act loop into a bonded, budgeted, receipt-signed operation. If Codex didn't pass a guard, it didn't happen.

surface: Codex CLI · hooks + skills
runtime: chio-codex 0.1.0 · chio 0.1.0 · bridge 0.2.1
install: codex plugin install @chio-protocol/codex-plugin
source: backbay-labs/chio-codex-plugin

chio-codex run · mediated · live
$ chio-codex run --policy ./migration.policy.yaml --plan-first -- codex "migrate our mongo users to postgres, keep a dry-run first"
codex drafting plan · 8 steps · est. ~4min
chio issued cap_migration · ttl 30m · egress mongo:// · postgres:// · fs ./migrations/**
step 3 / 8 · write migration · patch.validated
shell.exec · psql -f 003_users.sql --dry-run · OK
step 4 will mutate prod · gated · waiting on chio-codex approve 0x1a4c
Receipt 0x41cc…90a2 · ed25519 ✓

01 Install

Hooks and skills. Codex, fully mediated.

The plugin installs into Codex via the published plugin manifest and hooks config. Every tool call (shell, fs, git, fetch, any MCP) is routed through the chio kernel before it runs.

01 · Install Codex and Chio

The Codex CLI from OpenAI, the Chio runtime from Backbay. Both are single binaries.

$ brew install openai-codex && curl -fsSL https://www.chio.world/install.sh | sh

02 · Register the plugin with Codex

Copies the plugin manifest and hooks config into ~/.codex/plugins/chio-codex.

$ codex plugin install @chio-protocol/codex-plugin

03 · Run any task through chio-codex

Use chio-codex run -- codex "..." for a bonded run; --plan-first fingerprints the plan before the first tool call.

$ chio-codex run --policy ./migration.policy.yaml --plan-first -- codex "migrate mongo→postgres"
agent: codex-run-01 · budget: $25 · ttl: 30m
# Codex skills (skills/chio-*/SKILL.md) + mirrored CLI subcommands
chio-codex status            # bonded-session status
chio-codex bond --policy ./p.yaml        # issue a capability
chio-codex policy            # print the active policy
chio-codex guard-pause shell     # pause a guard (TTL opt)
chio-codex budget 200            # adjust the spend ceiling
chio-codex approve 0x1a4c       # countersign a gated action
chio-codex revoke              # tear down the capability
chio-codex receipt-export 1h   # signed evidence bundle
chio-codex publish weekly-sync  # mint a did:chio citizen

02 Lifecycle

Codex plans. Chio governs.

The plugin hooks Codex's plan-execute loop via PreToolUse, PostToolUse, UserPromptSubmit, Stop, and SessionStart. Every turn is observed by the kernel; every tool call is a receipt.

01 · Prompt

Codex reads the task.

chio-codex binds a capability and a budget before the first tool call; UserPromptSubmit SHA-256-hashes the prompt as promptHash.

bond → cap · budget · ttl
02 · Plan

Codex emits a plan.

--plan-first asks Codex to print its plan as a fenced block; the hook hashes it into planHash. Drift surfaces as a post-hoc audit signal.

plan_hash · attested
03 · Act

Every step goes through 18 guards.

PreToolUse is fail-closed: denials surface verbatim in Codex's output. PostToolUse verifies signatures and persists.

18 guards · 2ms
04 · Publish

Leave a citizen behind.

--publish turns a one-off run into a named, policy-pinned operator with a did:chio:{64-hex} Agent Passport.

did:chio:1b14f0ae…
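
The prompt and plan fingerprinting from steps 01 to 03, as an added example that is not the plugin's own code. The receipt layout, the canonical form of the plan, and the reading of "drift" as a receipt whose fingerprints differ from the first receipt's are assumptions; only the promptHash and planHash field names come from this page.

```python
import hashlib
import re

TICKS = "`" * 3  # fence marker, built this way so the listing stays readable
FENCE = re.compile(TICKS + r"[^\n]*\n(.*?)\n" + TICKS, re.DOTALL)

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def plan_hash(agent_output):
    """Hash the first fenced block of the agent output; refuse if there is none."""
    m = FENCE.search(agent_output)
    if m is None:
        raise ValueError("no fenced plan block to attest")
    # Assumed canonical form: LF endings, trailing whitespace stripped per line,
    # so the same plan hashes identically across platforms.
    canon = "\n".join(line.rstrip() for line in m.group(1).splitlines())
    return sha256_hex(canon)

def make_receipt(tool, args, prompt, agent_output):
    """Hypothetical receipt layout: both fingerprints ride along with the call."""
    return {"tool": tool, "args": args,
            "promptHash": sha256_hex(prompt), "planHash": plan_hash(agent_output)}

def audit_drift(receipts):
    """Indexes of receipts whose fingerprints differ from the first receipt's."""
    if not receipts:
        return []
    base = (receipts[0]["promptHash"], receipts[0]["planHash"])
    return [i for i, r in enumerate(receipts)
            if (r["promptHash"], r["planHash"]) != base]

# Constructed sample run: the plan is re-emitted with an extra step before call 3.
PROMPT = "migrate our mongo users to postgres, keep a dry-run first"
PLAN_A = f"Plan:\n{TICKS}text\n1. write migration\n2. dry-run\n{TICKS}\n"
PLAN_B = f"Plan:\n{TICKS}text\n1. write migration\n2. dry-run\n3. apply\n{TICKS}\n"
RUN = [make_receipt("fs.write", "migrations/003_users.sql", PROMPT, PLAN_A),
       make_receipt("shell.exec", "psql -f 003_users.sql --dry-run", PROMPT, PLAN_A),
       make_receipt("shell.exec", "psql -f 003_users.sql", PROMPT, PLAN_B)]
```

audit_drift(RUN) flags the third receipt, the one issued after the plan changed.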

03 Features

Codex, made into a citizen.

The plugin treats Codex runs as first-class economic actors. Every run is reproducible, revocable, and insurable.

Plan attestation

UserPromptSubmit fingerprints the prompt; --plan-first also hashes the emitted plan. Both hashes ride every receipt.

provenance

Patch integrity

Every diff is validated: line counts, path scopes, encoding. No silent binary writes.

fs · diff

One-shot citizens

--publish turns a successful run into a named, scheduled, policy-pinned agent with a did:chio:{64-hex} passport.

passport · schedule

Approval stages

Codex splits a plan into dry-run and mutate phases, auto-pausing at the first mutating step until a human signs.

gates · human-in-loop

Delegation

Hand work to another agent (Claude, a wrapper, a microservice) with attenuated capability scope.

delegation

Evidence bundles

--evidence dumps a signed, offline-verifiable bundle on Stop. Hand it to a ticket or an auditor.

audit · offline-verify
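
The three patch checks named under "Patch integrity" (line counts, path scopes, encoding), as an added example that is not the plugin's own code. It assumes patches arrive as unified diffs in bytes and that the scope is a glob list such as the fs ./migrations/** grant shown in the demo; validate_patch and in_scope are hypothetical names.

```python
import fnmatch
import posixpath
import re

HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")
# Constructed sample: a one-hunk patch inside ./migrations.
SAMPLE = (b"--- a/migrations/003_users.sql\n+++ b/migrations/003_users.sql\n"
          b"@@ -1,2 +1,3 @@\n BEGIN;\n+CREATE TABLE users (id BIGINT PRIMARY KEY);\n COMMIT;\n")

def in_scope(path, allowed_globs):
    """True if the normalised relative path matches an allowed glob."""
    norm = posixpath.normpath(path)          # collapses a/../b before matching
    if norm.startswith(("/", "..")):
        return False
    return any(fnmatch.fnmatch(norm, g) for g in allowed_globs)

def validate_patch(patch, allowed_globs):
    """Return a list of violations; an empty list means the patch passes."""
    if b"\x00" in patch:
        return ["encoding: NUL byte, binary content"]
    try:
        text = patch.decode("utf-8")
    except UnicodeDecodeError:
        return ["encoding: not valid UTF-8"]
    problems, old_left, new_left = [], 0, 0
    for n, line in enumerate(text.splitlines(), 1):
        if old_left > 0 or new_left > 0:     # inside a hunk body
            tag = line[:1]
            if tag == "\\":                  # "\ No newline at end of file"
                continue
            old_left -= tag in ("-", " ", "")
            new_left -= tag in ("+", " ", "")
            if tag not in ("-", "+", " ", "") or old_left < 0 or new_left < 0:
                problems.append(f"line {n}: body disagrees with hunk header counts")
                old_left = new_left = 0
            continue
        m = HUNK.match(line)
        if m:                                # an omitted count means 1
            old_left, new_left = (int(c) if c is not None else 1 for c in m.groups())
        elif line.startswith(("--- ", "+++ ")):
            path = line[4:].split("\t")[0]
            if path != "/dev/null":
                path = path.split("/", 1)[1] if path[:2] in ("a/", "b/") else path
                if not in_scope(path, allowed_globs):
                    problems.append(f"line {n}: path out of scope: {path}")
        elif line.startswith(("Binary files ", "GIT binary patch")):
            problems.append(f"line {n}: binary write")
    if old_left or new_left:
        problems.append("truncated: final hunk shorter than its header declares")
    return problems
```

Hunk bodies are consumed by the counts in the @@ header, the same way a patch tool reads them, so a header that overstates or understates its body is reported instead of silently accepted.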

04 Runs

Codex + Chio, for the dangerous stuff.

The plugin shines on tasks too risky for un-bonded Codex: database migrations, prod rollbacks, destructive refactors, any job you'd hand to a senior on-call.

migration: Migrate our users table from mongo to postgres. Dry-run everything, pause before mutating prod.
  patch · egress · gate:mutate · ~6 min
refactor: Split monolith handlers into a services module. No behavior changes; every test must stay green.
  fs · patch · test-gate · ~11 min
oncall: Roll back the last deploy, page me before scaling pods in pii namespaces, collect a post-mortem bundle.
  k8s-ns · human-in-loop · ~5 min
publish: Turn this one-off cleanup into a weekly bonded agent. Cron every Monday at 03:00. Budget $12.
  passport · schedule · budget · ~2 min

05 Proof

Plan, act, prove, revoke.

allow · plan.commit · 8 steps · est. 4m · plan_hash 0x7f… · 14:02:01
allow · fs.write · migrations/003_users.sql (+142 / -0) · 14:02:12
allow · shell.exec · psql -f 003_users.sql --dry-run · 14:02:18
cancel · shell.exec · psql -f 003_users.sql · awaits approval · 14:02:23
deny · shell.exec · rm -rf ./backup · forbidden_paths · 14:02:25

Every turn of the Codex loop lands in the receipt stream. Deny reasons are human-readable; budget exhaustion is a receipt, not a crash. Replay the whole run from the bundle.

agent: did:chio:1b14f0ae6dfc6b537782d92eddbe85e95a68fc29591aa3afeb6fa07aeb6a0c3b
plan: plan_hash 0x7f2a…e441 · attested
count: 31 receipts · 26 allow · 2 deny · 3 cancel
hash: 0x41cc…90a2

Every Codex run leaves a citizen.

Today's one-off script becomes tomorrow's bonded operator, with a passport, a policy, and a receipt trail back to the first prompt.