Case study
codex-action-guard
Codex in GitHub Actions is powerful. Unsafe workflow composition puts prompts, secrets, write tokens, and untrusted PR text in the same trust boundary.
Problem
Maintainers paste agent workflows together until a comment, issue body, or fork PR can influence a privileged Codex run. The failure mode is not “model said something wrong” — it is privilege and provenance collapse.
Trust boundary
Treat workflow text, Codex prompts, and repository secrets as separate trust domains. Anything that can write to the repo or exfiltrate tokens must not ingest untrusted natural language in the same step without an explicit, audited profile.
Mechanism
codex-action-guard generates safe-by-default Codex Action profiles and audits existing workflows. Findings are evidence-bound (Markdown, JSON, SARIF) so humans or agents can remediate without guessing.
What still breaks
Rule packs lag novel workflow shapes. False positives happen. The tool cannot invent organizational policy — it can only make unsafe composition visible and harder to ship by accident.