1 Commits

  • feat(devcontainer): add separate secure customer profile (#10431)
    ## Description
    
    Keeps the existing Codex contributor devcontainer in place and adds a
    separate secure profile for customer use.
    
    ## What changed
    
    - leaves `.devcontainer/devcontainer.json` and the contributor
    `Dockerfile` aligned with `main`
    - adds `.devcontainer/devcontainer.secure.json` and
    `.devcontainer/Dockerfile.secure`
    - adds secure-profile bootstrap scripts:
      - `post_install.py`
      - `post-start.sh`
      - `init-firewall.sh`
    - updates `.devcontainer/README.md` to explain when to use each path
    
    ## Secure profile behavior
    
    The new secure profile is opt-in and is meant for running Codex in a
    stricter project container:
    
    - preinstalls the Codex CLI plus common build tools
    - uses persistent volumes for Codex state, Cargo, Rustup, and GitHub
    auth
    - applies an allowlist-driven outbound firewall at startup
    - blocks IPv6 by default so the allowlist cannot be bypassed via AAAA
    routes
    - keeps the stricter networking isolated from the default contributor
    workflow
    
    ## Resulting behavior
    
    - `devcontainer.json` remains the low-friction Codex contributor setup
    - `devcontainer.secure.json` is the customer-facing secure option
    - the repo supports both workflows without forcing the secure profile on
    Codex contributors