tracking: prepare for OpenAI Apps SDK submission (in-product Codex marketplace listing)

[Harihara04sudhan]

Type: info / coordination — outreach + distribution work

Goal

Get ArmorCodex listed in the in-product Codex plugins marketplace ("Make Codex work your way" surface inside Codex / ChatGPT). Full prerequisites + gap analysis written up at `APPS_SDK_PREREQUISITES.md` in this repo.

Key finding

Today there are 3 paths and only one is live:

• ChatGPT App via Apps SDK (LIVE): requires remote HTTPS MCP server. Our MCP is local stdio. Architectural mismatch.
• Direct Codex plugin self-serve ("coming soon" per OpenAI docs, no ETA): would fit our current architecture.
• OpenAI partnerships sponsorship: how Figma/Slack/Linear/Vercel got listed.

Recommendation: pursue the partnerships outreach path + finish all the submission-ready prep work, so we're ready the moment self-serve opens (or a partnerships sponsor unblocks us).

Tier 1 blockers (must fix before any submission)

• Add MCP tool annotations (`readOnlyHint`, `destructiveHint`, `openWorldHint`) to all 3 tools (`register_intent_plan`, `policy_update`, `policy_read`) in `plugins/armorcodex/scripts/policy-mcp.mjs`. Without these, submission auto-rejects.
• Bump `plugin.json` version 0.2.0 → 0.3.0 + git tag v0.3.0
• Verify `armoriq.ai/privacy` covers all OpenAI-required clauses (data categories, purposes, recipients, retention, user controls)
• Verify `armoriq.ai/terms` content is current
• Publish a `DATA_RETENTION.md` (linked from privacy policy)
• Code audit: confirm audit pipeline never captures credentials, PII secrets, or restricted data types (PCI/PHI/government IDs/auth secrets)

Tier 2 submission materials

• Create `support@armoriq.ai` mailbox + monitoring
• Create reviewer test account at `platform.armoriq.ai` with sample data
• Capture 3–5 screenshots at OpenAI's required dimensions
• Write `CHANGELOG.md` + release notes for v0.3.0
• Add `SECURITY.md` to repo
• Apply for developer verification at `platform.openai.com`

Tier 3 nice-to-have

• Audit tool descriptions for accuracy + non-promotional language
• Audit `defaultPrompt` for "manipulating model selection" red flags
• Consider OAuth 2.1 implementation in backend (if cloud-MCP path opens)

Outreach (parallel)

• Draft OpenAI partnerships email — angle: ArmorClaude marketplace listing + ArmorCodex traction (PR #140 community list + ArmorCopilot in pipeline)
• Identify warm intro at OpenAI if possible

Source docs (verified 2026-05-21)

• https://developers.openai.com/apps-sdk
• https://developers.openai.com/apps-sdk/app-submission-guidelines
• https://developers.openai.com/apps-sdk/deploy/submission
• https://developers.openai.com/codex/plugins/build
• https://developers.openai.com/apps-sdk/build/mcp-server
• https://developers.openai.com/apps-sdk/guides/security-privacy

See `APPS_SDK_PREREQUISITES.md` in this repo for the full breakdown.