Skip to content

Boundary · Local-first · Agent-time

Make every agent change prove it belongs.

Review tools ask whether code looks wrong. CodeTruss proves whether the agent stayed inside its task contract and whether the exact final Git state passed your checks. Its local Boundary records the starting point, classifies every change, runs 13 shared analyzers and your verification commands, then leaves an integrity-signed receipt on your machine.

Boundary
Local change proof
History
Explicit receipt sync
Health
Hosted codebase audit

Reproduced failure case

v0.1.1 signed PASS. v0.2.14 correctly fails.

See the exact adversarial fixture, artifact hashes, immutable-snapshot fix, and the limits of what a signed receipt can prove.

Read the evidence

§ 01Quickstart

One guided setup. Automatic after that.


1 · One-time: configure the local boundary
codetruss setup

Setup proposes conventional source roots without silently allowing the whole repository, shows every detected verification command and its exact fingerprint before trust, installs the selected automatic checks, and runs diagnostics. It uploads nothing. Codex requires one final action: open /hooks and approve the exact project hook. Then use Claude Code, Codex, or your normal commit flow without a per-change CodeTruss command.

2 · Already have a change? Review it now
codetruss review --task "Review my current agent changes"

The manual review path needs no account, policy, or sync. Without an allow policy, changed files are deliberately unexpected, so REVIEW_REQUIRED exits with code 1 while still producing valid signed evidence.

3 · Verify the signed receipt
codetruss verify latest
4 · Advanced: wrap one agent run
codetruss run \
  --task "Add password-reset rate limiting" \
  -- codex exec "Implement password-reset rate limiting"

Add task-specific --allow, --deny, or --verify only when this run intentionally differs from the committed repository policy.

Integrity receipt · latest

REVIEW_REQUIRED

!
Task
Add password-reset rate limiting
Scope
2 allowed · 1 unexpected
Analysis
13 local analyzers · hosted scores N/A
Reason
CI workflow changed outside approved scope
Verification
npm test · exit 0

The verdict is calculated from recorded facts. A model does not decide whether the run passed. The signature detects changes after signing; it does not prove the run happened in trusted infrastructure or that every recorded fact was truthful.

§ 02Method

Five steps between the prompt and the pull request.


  1. 01

    Record the boundary

    CodeTruss records the starting commit, current working-tree state, task, allow globs, and deny globs before the agent runs.

  2. 02

    Run any agent

    The command after -- can be Codex, Claude Code, another agent CLI, or an ordinary shell command. CodeTruss does not stage, commit, or clean its work.

  3. 03

    Inspect the real diff

    Added, changed, deleted, renamed, staged, unstaged, and untracked files are classified as allowed, denied, or unexpected.

  4. 04

    Analyze and verify

    All 13 shared registry analyzers run locally on the change, sensitive surfaces are called out, and your own lint, test, or build commands execute.

  5. 05

    Integrity-sign the receipt

    A Markdown and JSON receipt records the evidence, hashes, explicit reasons, and deterministic verdict. Its signature detects post-signing changes; it does not prove trusted execution or truthful analysis.

Scope policy

Deny wins. Unmatched is visible.

Allow and deny globs make the requested boundary concrete. Renames are checked at both the old and new path, so moving a protected file cannot hide it.

Sensitive surfaces

Risk is flagged even when allowed.

CI, infrastructure, migrations, secrets, deploy configuration, dependency manifests, and lockfiles always receive an explicit callout.

One registry

13 shared analyzers, on your machine.

The CLI consumes the same 13-analyzer database-free registry as the web app and filters findings to the change. Hosted full-codebase audits add graph-derived and SAST passes that are not part of the local CLI registry. Local receipts mark hosted Health scores N/A instead of scoring incomplete evidence.

§ 03Verdicts

A decision with reasons, not another wall of review prose.


PASS

The change stayed in scope and every configured gate passed.

Expected paths only · no blocking diff finding · verification green

REVIEW_REQUIRED

The work may be valid, but a person needs to accept the scope or risk.

Unexpected or denied path · sensitive surface · medium+ finding · LLM advisory

FAILED

The agent, a required check, or a high-risk security gate failed.

Agent exit · failed verify command · high/critical security or dependency finding

Exit codes are automation-ready: PASS = 0, REVIEW_REQUIRED = 1, FAILED = 2.

§ 04Privacy

Local means local. The network boundary stays explicit.


ActionLeaves your machine?Destination
Installers and direct package installYES · INSTALL ONLYCodeTruss release metadata and package artifact
Deterministic commands: run, review, report, list, metrics, setup, init, verify, verify-policy, hooksNO CODETRUSS CONTACTLocal process only
Your verify commandsOnly if that command uses the networkWhatever your command contacts
--llm slop reviewYES · OPT-INYour selected provider, using your key or local login
codetruss auth loginYES · EXPLICITCodeTruss device/session endpoints · no source, patch, or receipt upload
codetruss auth status/logoutYES · EXPLICITVerify or revoke the saved credential at CodeTruss · no source, patch, or receipt
codetruss syncYES · EXPLICITThe only command that uploads a receipt · redacted receipt, never the patch

Sync keeps the task, relative file paths, commit hashes, scope, analysis profile, analyzer findings, verdict, reasons, invocation kind and provenance, optional Claude/Codex hook surface, issuing CLI version, and any LLM summary. It removes the absolute repository path, agent command arguments/start errors, and verification commands/output; the patch is never uploaded. The CLI has no background usage telemetry, receipt upload, or synchronization..codetruss.yml is the reviewable policy that may be committed. Private evidence under.codetruss/ is added to the repository-local Git exclude; CodeTruss verifies it remains ignored and refuses to continue if evidence becomes tracked or is routed through unsafe paths. Website analytics may record a non-PII install-command copy or design-partner-link click as a distribution or interest proxy; neither proves installation, activation, consent, or enrollment.

Optional BYO-key slop review

Add --llm for a focused review of unnecessary abstractions, duplicated logic, placeholders, verbose comments, and work that does not serve the task. Choose Anthropic, OpenAI, or authenticated Claude Code with credentials you control—never a CodeTruss key. CodeTruss supplies a bounded task, reviewed diff prefix, and fixed schema; the receipt discloses coverage, and a truncated review cannot pass.

Bring your own provider
OPENAI_API_KEY=... codetruss review --llm \
  --provider openai \
  --task "Review the staged implementation" \
  --staged

§ 05Automation

Put the guardrail where agents already work.


Install a staged pre-commit review, an exact-turn Claude Code hook, an exact-turn Codex hook, or all three. Agent hooks capture the prompt-time baseline, return fast scope feedback after native edits, then run the analyzers and trusted verification commands once at the stop boundary. The wrapper additionally records the launched agent command and its exit status.

  • 01Pre-commit checks exactly what is staged.
  • 02Per-edit callbacks stay fast: path scope, sensitive surface, dependency.
  • 03One final receipt covers every tool path and returns repair feedback.
  • 04Codex requires a one-time, hash-specific trust review in /hooks; rerun it after the runner changes.
One-time automatic setup
codetruss setup

§ 06Agent Skill

Teach the agent to enforce the boundary, not route around it.


The official CodeTruss integration wrappers are MIT-licensed and published in the open integration repository. One canonical Agent Skill teaches Claude Code and Codex to propose a narrow policy, invoke the local acceptance gate, diagnose hooks, and explain receipt evidence without weakening a failed check.

Separate CLI · same privacy boundary

Install the CodeTruss CLI first. The plugin contains instructions and manifests; it wraps the separately installed local binary. It adds no MCP server, background service, hosted analyzer, or automatic upload path. Deterministic checks remain on-machine, while provider-backed --llm review and codetruss sync remain separate, explicit opt-ins.

Distribution status · owned marketplace live · Agent Skills listing live with all three listed security scans passing · clean-profile Claude Code and Codex installs verified · OpenAI and Anthropic directory submissions prepared, not approved or listed

Claude Code · owned marketplace
claude plugin marketplace add DeliriumPulse/codetruss-plugins
claude plugin install codetruss@codetruss

Installs from the live CodeTruss-owned marketplace; this does not imply Anthropic marketplace approval.

Codex · owned marketplace
codex plugin marketplace add DeliriumPulse/codetruss-plugins
codex plugin add codetruss@codetruss

Installs from the live CodeTruss-owned marketplace; this does not imply OpenAI Plugin Directory approval.

Agent Skills · public directory
npx --yes skills add DeliriumPulse/codetruss-plugins --skill codetruss --agent claude-code codex -y

The live listing shows all three directory security scans passing. Listing status does not imply independent installs or adoption.

§ 07Reference

The core local commands.


setup

Guide scoped policy, exact verification-command trust, hook installation, and diagnostics locally.

run

Wrap an agent command and review the changes it produces.

review

Review an existing working-tree or staged diff.

report

Print a receipt as Markdown or structured JSON.

list

List local receipts, newest first.

metrics

Aggregate verified local receipts into privacy-safe activity, verdict, invocation, D7 receipt-pattern, and hook-health counts without a network request.

init --allow <glob>

Manually create a documented .codetruss.yml policy; repeat allow and deny flags as needed.

verify

Validate post-signing integrity and the receipt’s referenced evidence.

verify-policy trust

After inspection, trust the exact repository verification-command fingerprint for automatic execution.

auth login

Authorize explicit receipt sync with a scoped, revocable organization credential.

hooks install

Install pre-commit, Claude Code, and/or Codex hooks.

hooks status

Show which supported repository hooks are installed.

hooks doctor

Validate hook wiring, runner integrity, policy, and CLI resolution.

sync

Explicitly upload one redacted receipt to a CodeTruss organization; never the patch.