# Endor Labs Agent Kit Codex Plugin

Version: `2.1.0`

This generated Codex plugin package includes Endor Labs setup support, Codex skills, and bundled Codex custom-agent TOML files. The plugin is generated from source recipes in the Endor Labs Agent Kit repository.

## Start Here

| Reader | First move |
| --- | --- |
| Human installer | Install `endor-labs-agent-kit@endor-labs-agent-kit` from the local or public Codex marketplace metadata. Then run setup: ask Codex to use the `endor-agent-kit-setup` skill. |
| Agent installer | Preserve generated package files exactly. Do not broaden permissions, change the logo, add plugin-wide MCP, or rewrite generated agents and skills. |
| Maintainer | Change source recipes or publication code in `endor-labs-agent-kit`, regenerate with `--include-plugins`, then sync generated artifacts to `ai-plugins`. |

Content releases require a package version bump. If a host still shows old prompt content after reinstalling the same version, remove or reinstall the plugin, clear the host cache when supported, and start a fresh host session.

This package is host-specific for Codex. Use the root README when choosing between hosts.

## Host Metadata

- Manifest: `.codex-plugin/plugin.json`.
- Skills: `skills//SKILL.md`, including `endor-agent-kit-setup`.
- Custom agents: `agents/endor-*-agent.toml`, including `endor-agent-kit-setup-agent.toml`, installed by the setup skill only after approval.
- Hooks: `hooks/hooks.json` plus fail-open advisory scripts for prompt routing, dependency installs, and manifest edits.
- Model/runtime: custom agents inherit Codex defaults unless the user or host overrides them; read-only custom agents set `sandbox_mode = "read-only"`.
- MCP: no plugin-wide MCP server is declared by default.

## Install Locally

From the Agent Kit repository root:

```bash
codex plugin marketplace add ./plugins/codex
codex plugin add endor-labs-agent-kit@endor-labs-agent-kit
```

After the repository is public and tagged, install from the repository marketplace metadata at `.agents/plugins/marketplace.json`:

```bash
codex plugin marketplace add endorlabs/ai-plugins --ref --sparse .agents --sparse plugins/codex/endor-labs-agent-kit
codex plugin add endor-labs-agent-kit@endor-labs-agent-kit
```

Start a new Codex thread after installing or reinstalling the plugin. If Codex still shows stale same-version content, remove and reinstall the plugin, rerun `python plugins/codex/endor-labs-agent-kit/scripts/install_codex_agents.py --install --yes` from the checkout root, and start another fresh thread so host caches reload both skills and agents.

## Set Up This Machine

Ask Codex:

```text
Use the endor-agent-kit-setup skill, or the endor-agent-kit-setup-agent custom agent, to check readiness and install the bundled Codex custom agents and skills.
```

The setup skill can install or update managed Endor Codex custom agents under `${CODEX_HOME:-~/.codex}/agents` and bundled user skills under `$HOME/.agents/skills` after explicit approval. It does not run scans, run `endorctl host-check`, edit shell profiles, install `gh`, or install language runtimes and package managers.

## Capabilities And Skills

| Job | Codex skill | Codex custom agent | Safety |
| --- | --- | --- | --- |
| Set up this machine | `endor-agent-kit-setup` | `endor-agent-kit-setup-agent` | read-only setup |
| Triage AI SAST findings | `ai-sast-triage` | `endor-ai-sast-triage-agent` | mutating, approval-gated |
| Assess CI/CD and supply chain posture | `cicd-posture` | `endor-cicd-posture-agent` | read-only |
| Dependency Decision Helper | `dependency-decision-helper` | `endor-dependency-decision-helper-agent` | read-only |
| Diagnose Endor setup and scan issues | `endor-troubleshooter` | `endor-troubleshooter-agent` | read-only |
| Browse existing Endor findings | `findings-browser` | `endor-findings-browser-agent` | read-only |
| Malware Response | `malware-response` | `endor-malware-response-agent` | read-only |
| Package Risk Summary | `package-risk-summary` | `endor-package-risk-summary-agent` | read-only |
| Assess GitHub onboarding gaps | `probe-droid` | `endor-probe-droid-agent` | read-only |
| Remediation Planner | `remediation-planner` | `endor-remediation-planner-agent` | read-only |
| Repository Dependency Reviewer | `repository-dependency-reviewer` | `endor-repository-dependency-reviewer-agent` | read-only |
| Find safe SCA remediation paths | `sca-remediation` | `endor-sca-remediation-agent` | mutating, approval-gated |
| Upgrade Impact Analysis | `upgrade-impact-analysis` | `endor-upgrade-impact-analysis-agent` | read-only |
| Vulnerability Explainer | `vulnerability-explainer` | `endor-vulnerability-explainer-agent` | read-only |

Mutating workflows keep file edits, branch pushes, PR/MR creation, comments, approval verification, and Endor policy writes behind separate approval gates. Setup never performs those workflow actions.

## Boundaries And Rules

- Always run readiness and namespace checks before live Endor lookups.
- Always keep setup, file edits, branch pushes, PR/MR creation, comments, tickets, and policy writes as separate evidence-backed steps.
- Never run setup scans or `endorctl host-check`.
- Never auto-install `gh`, language runtimes, or package managers.
- Never print, persist, or copy Endor API key, secret, token, or full config values.

## Manual Fallback

If plugin installation is unavailable, install individual generated Codex skills from the repository-level `codex//` directories into `$HOME/.agents/skills/`.

## Provider Docs

Before release, verify the current Codex plugin and custom-agent docs:

- https://developers.openai.com/codex/plugins/build
- https://developers.openai.com/codex/subagents