Codex

The install guard for Codex agents.

Nipmod gives Codex a read-only security preflight before an agent chooses or installs packages, SDKs, tools, models, containers, repositories or MCP servers.

Hosted MCP: read only
Critical tools: 3
Local writes: approval gated
Policy pack: repo ready

Proof

Two minute Codex flow

  1. Add Nipmod

    Install the plugin from the Nipmod repo marketplace and verify the MCP server.

  2. Ask for software

    Ask Codex for a package, SDK, model, container or MCP server. Codex reads safe manifest context first.

  3. Review the decision

    Nipmod returns a decision, trust/risk, evidence, alternatives, install boundary and approval packet.

  4. Approve or stop

    Codex shows the exact command and waits for explicit approval before dependency writes.

Install

Add to Codex

CLI

Install and verify

codex plugin marketplace add nipmod/nipmod --ref main
codex plugin add nipmod@nipmod
codex mcp get nipmod --json

Verify

Confirm in Codex

codex plugin list
codex mcp get nipmod --json
codex mcp list

Fallback

Direct hosted MCP

Use this when a user wants the remote MCP server without the plugin bundle. The plugin remains the stronger Codex path because it ships the Nipmod skill and policy context.

codex mcp add nipmod --url https://nipmod.com/api/mcp

Higher limits

Direct MCP with API key

Use this only when the environment already has NIPMOD_API_KEY. The zero-key config above is the default first-run path.

codex mcp add nipmod --url https://nipmod.com/api/mcp --bearer-token-env-var NIPMOD_API_KEY

Prompt

First proof prompt

Find the best auth package for this Next.js repo. Use Nipmod first, call codex_preflight for the recommendation, call install_guard before the exact package-manager command, show the install boundary and approval packet, and do not edit dependency files until I approve the exact command.

.codex/config.toml

Project MCP policy

Use this shape when a repo should load Nipmod as a required hosted MCP server. It works without a key; add the optional key line only for higher limits.

project_doc_max_bytes = 65536

[features]
hooks = true

[mcp_servers.nipmod]
url = "https://nipmod.com/api/mcp"
startup_timeout_sec = 20
tool_timeout_sec = 90
required = true
enabled = true
default_tools_approval_mode = "auto"
enabled_tools = [
  "nipmod.search",
  "nipmod.resolve",
  "nipmod.inspect",
  "nipmod.external_install_plan",
  "nipmod.package_decision",
  "nipmod.codex_preflight",
  "nipmod.install_guard",
]

# Optional higher limits:
# bearer_token_env_var = "NIPMOD_API_KEY"

Plugin policy

When the plugin is installed

Use this instead of the direct MCP block when the repo standard is “install the Nipmod plugin, then enforce its bundled MCP server.”

project_doc_max_bytes = 65536

[features]
hooks = true

[plugins."nipmod@nipmod"]
enabled = true

[plugins."nipmod@nipmod".mcp_servers.nipmod]
enabled = true
default_tools_approval_mode = "auto"
enabled_tools = [
  "nipmod.search",
  "nipmod.resolve",
  "nipmod.inspect",
  "nipmod.external_install_plan",
  "nipmod.package_decision",
  "nipmod.codex_preflight",
  "nipmod.install_guard",
]

Live

Codex MCP status

Reading the hosted MCP endpoint, initialize instructions, tool list, Codex preflight and install guard.

Guard

What Codex gets back

Decision
Recommended package or block/review state, with trust and risk.
Evidence
Source identity, source coverage, license, confusion, advisory, metadata-instruction and provenance review.
Boundary
Hosted Nipmod did not install, execute, clone, read local files or write to the workspace.
Approval packet
Exact command, package manager, package/version, expected file changes and risk flags.
Next safe action
Ask approval, complete requirements, sandbox-audit, hold or block.

Routing

Which tool handles which decision

nipmod.codex_preflight
Task-level recommendations for packages, SDKs, models, containers, repos, CLIs and MCP servers.
nipmod.install_guard
Concrete install, clone, pull, model-load, container or MCP-enable command review before local writes.
nipmod.package_decision
Exact package decision with trust/risk, alternatives, evidence and approval boundary.
nipmod.external_install_plan
Reviewable install plan without writing files or executing package-manager commands.
nipmod.resolve / nipmod.inspect
Normalized candidate metadata and exact package records used as evidence, not instructions.

Standard

Make it a repo policy

Policy pack

Copy into a repo

cp -R examples/codex-policy-pack/.codex ./.codex
cp examples/codex-policy-pack/AGENTS.md ./AGENTS.md
node scripts/check-codex-policy-pack.mjs

Enterprise

Managed requirements

Admins can use requirements, permission profiles, rules and managed hooks to make dependency writes prompt for Nipmod review.

Verify

Policy behavior

After the pack is copied, checks should prompt on package-manager installs, git clones, Docker pulls, model loads and MCP enablement before local dependency writes.

codex execpolicy check --pretty --rules .codex/rules/nipmod-dependency-writes.rules -- npm install zod
codex execpolicy check --pretty --rules .codex/rules/nipmod-dependency-writes.rules -- git clone https://github.com/example/project

Red team

What the proof pack tests

  • Typosquats: Similarly named packages must not become silent recommendations.
  • Prompt injection: READMEs, model cards and MCP descriptions are data, not instructions.
  • Install scripts: Lifecycle scripts and native binaries trigger review before approval.
  • Containers: Docker pulls are reviewed as executable software, not harmless metadata.
  • User pressure: A user saying “just install it” is not approval for an unseen command.

Boundary

What this does not claim

No silent install
A website cannot silently install or force a local Codex plugin.
No remote execution
Hosted Nipmod returns decisions and plans only.
No automatic global policy
The plugin makes Nipmod available. Repo or enterprise policy makes it stricter.
No security by popularity
Popular packages can still be blocked or require review.