Consolidate 5 plugins into AgentKit + SaaSKit

.agents/plugins/marketplace.json

@@ -5,22 +5,10 @@
   },
   "plugins": [
     {
-      "name": "mcp-auth",
+      "name": "agentkit",
       "source": {
         "source": "local",
-        "path": "./plugins/mcp-auth"
-      },
-      "policy": {
-        "installation": "AVAILABLE",
-        "authentication": "ON_INSTALL"
-      },
-      "category": "MCP Security"
-    },
-    {
-      "name": "agent-auth",
-      "source": {
-        "source": "local",
-        "path": "./plugins/agent-auth"
+        "path": "./plugins/agentkit"
       },
       "policy": {
         "installation": "AVAILABLE",
@@ -29,34 +17,10 @@
       "category": "Agent Auth"
     },
     {
-      "name": "modular-sso",
-      "source": {
-        "source": "local",
-        "path": "./plugins/modular-sso"
-      },
-      "policy": {
-        "installation": "AVAILABLE",
-        "authentication": "ON_INSTALL"
-      },
-      "category": "Enterprise SSO"
-    },
-    {
-      "name": "modular-scim",
-      "source": {
-        "source": "local",
-        "path": "./plugins/modular-scim"
-      },
-      "policy": {
-        "installation": "AVAILABLE",
-        "authentication": "ON_INSTALL"
-      },
-      "category": "Provisioning"
-    },
-    {
-      "name": "full-stack-auth",
+      "name": "saaskit",
       "source": {
         "source": "local",
-        "path": "./plugins/full-stack-auth"
+        "path": "./plugins/saaskit"
       },
       "policy": {
         "installation": "AVAILABLE",

AGENTS.md

@@ -0,0 +1,122 @@
+# AGENTS.md
+
+This repository is a monorepo of Codex plugins intended for marketplace distribution.
+Any agent changing this repo must follow this document.
+
+## What this repo contains
+
+Everything under `plugins/` is a Codex plugin. A plugin includes skills and reference files that teach the agent how to integrate Scalekit authentication.
+
+Codex does not have a public plugin marketplace. This repo ships with a bootstrap installer (`install.sh`) and a local install script (`scripts/install.sh`) that copy plugins into `~/.codex/marketplaces/scalekit-auth-stack`.
+
+## Monorepo layout
+
+```
+codex-authstack/
+├── plugins/
+│   ├── agentkit/                 # AI agent authentication
+│   │   ├── README.md
+│   │   ├── skills/              # Skill entrypoints
+│   │   └── references/          # Deep docs and connector notes
+│   └── saaskit/                 # B2B SaaS authentication
+│       ├── README.md
+│       ├── skills/
+│       └── references/
+├── scripts/
+│   ├── install.sh
+│   └── validate_marketplace.py
+├── install.sh                    # One-command bootstrap installer
+├── AGENTS.md                     # This file
+└── README.md
+```
+
+## Plugins
+
+### agentkit
+
+Authentication for AI agents. OAuth flows, token vault, 40+ connectors, tool discovery.
+
+Skills:
+- `integrating-agentkit` — core integration: SDK setup, connected accounts, OAuth flows, token fetching, agent frameworks
+- `discovering-connector-tools` — live tool metadata discovery, schema inspection, tool set narrowing
+- `exposing-agentkit-via-mcp` — expose AgentKit tools through MCP for compatible runtimes
+- `production-readiness-agentkit` — production readiness checklist for AgentKit integrations
+
+References: `connected-accounts.md`, `code-samples.md`, `connectors.md`, `connections.md`, `byoc.md`, `redirects.md`, `tool-discovery.md`
+
+### saaskit
+
+Production-ready auth for B2B SaaS apps. Login, sessions, SSO, SCIM, MCP server auth.
+
+Skills:
+- `implementing-saaskit` — core auth flow (+ Go, Spring Boot, Laravel reference files)
+- `implementing-saaskit-nextjs` — Next.js App Router auth
+- `implementing-saaskit-python` — Django, FastAPI, Flask (+ framework reference files)
+- `implementing-modular-sso` — enterprise SSO (SAML/OIDC) with 20+ IdPs, admin portal
+- `implementing-scim-provisioning` — SCIM 2.0 webhooks, user/group lifecycle
+- `implementing-access-control` — server-side RBAC
+- `managing-saaskit-sessions` — token storage, validation, refresh, revocation
+- `adding-mcp-oauth` — OAuth 2.1 for MCP servers (+ Express, FastAPI, FastMCP reference files)
+- `adding-api-auth` — API keys and client credentials for M2M auth
+- `migrating-to-saaskit` — incremental migration from existing auth systems
+- `production-readiness-saaskit` — unified production checklist
+- `testing-auth-setup` — validates auth integration via dryrun CLI
+
+References: `bring-your-own-auth.md`, `redirects.md`, `scalekit-logs.md`, `scalekit-mcp-server.md`, `scalekit-user-profiles.md`, `session-management-patterns.md`, `setup-scalekit.md`, `mcp-auth-troubleshooting.md`
+
+## Non-negotiable rules
+
+- Work on one plugin at a time unless the user explicitly asks for cross-plugin changes.
+- Never add secrets, tokens, credentials, or private endpoints to any file.
+- Prefer minimal changes that improve correctness, security, and user clarity.
+- Keep instructions stable, avoid time-dependent guidance.
+- Use forward slashes in all paths.
+
+## Codex-specific conventions
+
+Codex plugins differ from Claude Code and Cursor plugins:
+
+- **No `.claude-plugin/` or `.cursor-plugin/` directory.** Codex uses `~/.agents/plugins/marketplace.json` to discover marketplaces.
+- **No rules (`.mdc` files).** Codex does not support Cursor-style rules. Use skill content and references instead.
+- **No agents.** Codex does not support sub-agent definitions. Guidance that would be an agent in other auth stacks should be a skill or reference doc here.
+- **Hooks.** Codex supports `hooks.json` for lifecycle hooks. Both plugins include a usage beacon hook.
+- **No commands.** Codex does not support slash commands. Skills are the only entrypoint.
+
+## Skill authoring rules
+
+Each skill is a folder with `SKILL.md` as its entrypoint.
+
+Frontmatter requirements:
+- `name` must be lowercase, hyphenated, max 64 chars.
+- `description` must be third person and include both what it does and when to use it.
+
+Context budget:
+- Keep `SKILL.md` short and practical.
+- Put deep docs in reference files linked from `SKILL.md`.
+- Do not create multi-hop reference chains.
+
+## Validation
+
+Run the validation script before committing:
+
+```bash
+python3 scripts/validate_marketplace.py
+```
+
+This checks marketplace manifest structure, plugin manifests, skill files, frontmatter, and reference file depth.
+
+## Local testing
+
+1. Run `./scripts/install.sh` to copy plugins to `~/.codex/marketplaces/scalekit-auth-stack`
+2. Restart Codex
+3. Open Plugin Directory and select `Scalekit Auth Stack`
+4. Install `agentkit` or `saaskit`
+5. Invoke at least one skill to verify it triggers correctly
+
+## Documentation rules
+
+Each plugin README must include:
+- Purpose
+- Skills list with descriptions
+- Configuration (required env vars)
+- Links to Scalekit docs

CHANGELOG.md

@@ -2,11 +2,14 @@
 
 ## Unreleased
 
-- Expand Codex auth plugin depth and coverage:
-  - Add the missing portable skills across `mcp-auth`, `agent-auth`, `full-stack-auth`, `modular-sso`, and `modular-scim`.
-  - Add plugin-local reference docs, including the full Agent Auth connector corpus.
-  - Add `.mcp.json` support across all five plugins.
-  - Add a richer repo README for public-facing marketplace storytelling.
+- Consolidate 5 plugins into 2:
+  - `agentkit` — AI agent authentication (replaces `agent-auth`)
+  - `saaskit` — B2B SaaS authentication (replaces `full-stack-auth`, `mcp-auth`, `modular-sso`, `modular-scim`)
+- Add `.mcp.json` to both plugins pointing to `https://mcp.scalekit.com`.
+- Add plugin-local reference docs, including the full AgentKit connector corpus.
+- Add a richer repo README for public-facing marketplace storytelling.
+- Update install script to handle migration from old plugin names.
+- Add `AGENTS.md` with Codex-specific plugin conventions.
 - Improve installation UX:
   - Add a one-command GitHub bootstrap installer.
   - Add a safe local installer that avoids overwriting an unrelated personal marketplace by default.

README.md

@@ -2,8 +2,8 @@
 
 <img src="./images/scalekit.jpg" alt="Scalekit" height="64">
 
-<p><strong>Scalekit Auth Plugins for OpenAI Codex — the auth stack for agents.</strong><br>
-Add SSO, SCIM, MCP Auth, agent auth, and tool-calling to your Codex projects.</p>
+<p><strong>Scalekit Auth Stack for OpenAI Codex — AgentKit and SaaSKit plugins.</strong><br>
+Add agent auth, tool calling, SSO, SCIM, MCP auth, and session management to your Codex projects.</p>
 
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE)
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](https://github.com/scalekit-inc/codex-authstack/pulls)
@@ -14,19 +14,16 @@ Add SSO, SCIM, MCP Auth, agent auth, and tool-calling to your Codex projects.</p
 
 ---
 
-This repository publishes a Codex-native marketplace of Scalekit auth plugins — focused auth packages that add SSO, SCIM, MCP auth, agent auth, and tool-calling to your projects.
+Setting up auth for B2B and AI apps is complex. This marketplace adds the complete Scalekit auth stack to your projects — whether that's an AI agent, a B2B SaaS app, or an MCP server — directly from Codex.
 
 ---
 
-### Included Plugins
+### Available Plugins
 
 | Plugin | Description |
 |--------|-------------|
-| `mcp-auth` | OAuth 2.1 authorization for MCP servers — discovery endpoint, token validation, scope enforcement |
-| `agent-auth` | Scalekit Agent Auth so AI agents can act in third-party apps (Gmail, Slack, Calendar, Notion) on behalf of users |
-| `full-stack-auth` | Full-stack web authentication — login pages, sessions, protected routes, RBAC, and more |
-| `modular-sso` | Enterprise SSO with 20+ identity providers (Okta, Entra ID, JumpCloud) via SAML/OIDC |
-| `modular-scim` | SCIM 2.0 user provisioning, group sync, and directory lifecycle management |
+| **AgentKit** | Authentication for AI agents. OAuth flows, token vault, 40+ connectors (Gmail, Slack, Salesforce, etc.), tool discovery, and live testing — so agents can act on behalf of users. |
+| **SaaSKit** | Production-ready auth for B2B SaaS apps. Login, sessions, SSO (Okta, Azure AD, Google), SCIM provisioning, RBAC, MCP server auth, and API key management. |
 
 ---
 
@@ -50,7 +47,7 @@ This installer:
 If you are developing locally from a clone:
 
 ```bash
-./scripts/install_codex_marketplace.sh
+./scripts/install.sh
 ```
 
 This script:
@@ -68,42 +65,25 @@ After the script runs:
 1. Restart Codex
 2. Open the Plugin Directory in Codex
 3. In the marketplace picker, choose `Scalekit Auth Stack`
-4. Install one of the plugins:
-   - `mcp-auth`
-   - `agent-auth`
-   - `modular-sso`
-   - `modular-scim`
-   - `full-stack-auth`
+4. Install a plugin:
+   - `agentkit` — for AI agent authentication
+   - `saaskit` — for B2B SaaS authentication
 5. Try one of the sample prompts from the installed plugin README
 
 ---
 
-### Plugin Details
+### Repository Structure
 
-#### mcp-auth
-
-The `mcp-auth` plugin adds production-ready OAuth 2.1 authorization to any MCP server. Once installed, Codex will:
-
-- Serve a `/.well-known/oauth-protected-resource` discovery endpoint
-- Add Bearer token validation middleware that checks audience, issuer, expiry, and scopes
-- Wire up per-tool scope enforcement
-- Support both **Node.js** (Express / FastMCP) and **Python** (FastAPI / FastMCP)
-
-#### agent-auth
-
-The `agent-auth` plugin implements Scalekit Agent Auth — so your AI agents can act on behalf of users in Gmail, Slack, Notion, Google Calendar, and 40+ other connected services.
-
-#### full-stack-auth
-
-The `full-stack-auth` plugin adds end-to-end authentication to B2B and AI apps using Scalekit. One integration enables: social sign-in, magic links, enterprise SSO, workspaces, MCP authentication, SCIM provisioning, and user management.
-
-#### modular-sso
-
-The `modular-sso` plugin integrates enterprise SSO with existing user management systems. It handles IdP-initiated and SP-initiated login, attribute mapping, JIT provisioning, and enterprise customer onboarding via the admin portal.
-
-#### modular-scim
-
-The `modular-scim` plugin adds SCIM 2.0 directory sync to applications. It handles real-time user provisioning, deprovisioning, and group membership changes from enterprise identity providers.
+```
+.
+├── plugins/
+│   ├── agentkit/         # AI agent authentication (AgentKit)
+│   └── saaskit/          # B2B SaaS authentication (SaaSKit)
+├── images/               # Documentation images
+├── scripts/              # Install scripts
+├── AGENTS.md             # Contribution guidelines
+└── LICENSE               # MIT License
+```
 
 ---
 

install.sh

@@ -7,7 +7,7 @@ REPO_REF="${CODEX_AUTHSTACK_REF:-main}"
 SOURCE_DIR="${CODEX_AUTHSTACK_SOURCE_DIR:-}"
 
 if [[ -n "$SOURCE_DIR" ]]; then
-  exec "${SOURCE_DIR%/}/scripts/install_codex_marketplace.sh"
+  exec "${SOURCE_DIR%/}/scripts/install.sh"
 fi
 
 TMP_DIR="$(mktemp -d)"
@@ -27,9 +27,10 @@ tar -xzf "$ARCHIVE_PATH" -C "$TMP_DIR"
 
 EXTRACTED_DIR="$(find "$TMP_DIR" -mindepth 1 -maxdepth 1 -type d | head -n 1)"
 
-if [[ -z "$EXTRACTED_DIR" ]] || [[ ! -x "$EXTRACTED_DIR/scripts/install_codex_marketplace.sh" ]]; then
+if [[ -z "$EXTRACTED_DIR" ]] || [[ ! -f "$EXTRACTED_DIR/scripts/install.sh" ]]; then
   echo "Failed to find installer in downloaded archive." >&2
   exit 1
 fi
 
-exec "$EXTRACTED_DIR/scripts/install_codex_marketplace.sh"
+chmod +x "$EXTRACTED_DIR/scripts/install.sh"
+exec "$EXTRACTED_DIR/scripts/install.sh"