10 Commits

  • PAC 4 - Add macOS system proxy resolver (#26709)
    ## Summary
    
    Stacked on #26708.
    
    Adds the macOS implementation of the shared system-proxy contract. This
    allows Codex-owned auth clients to use the route macOS selects for each
    auth URL through SystemConfiguration and CFNetwork, including PAC and
    WPAD results.
    
    The `respect_system_proxy` feature is disabled by default, so existing
    client behavior remains unchanged unless explicitly enabled.
    
    ## Implementation
    
    - Adds the macOS-only `system-configuration` dependency to
    `codex-client`.
    - Dispatches system-proxy resolution to `outbound_proxy/macos.rs` on
    macOS.
    - Reads system proxy settings from `SCDynamicStore` and resolves the
    target URL with `CFNetworkCopyProxiesForURL`.
    - Executes PAC URLs and inline PAC JavaScript through a bounded run loop
    with a five-second timeout.
    - Handles `DIRECT`, HTTP proxies, and CFNetwork HTTPS entries using HTTP
    CONNECT; unsupported SOCKS entries map to `UnsupportedProxyScheme`.
    - Builds concrete proxy URLs from host and port entries, including IPv6
    host bracketing.
    - Maps results into the shared `SystemProxyDecision::{Direct, Proxy,
    Unavailable}` contract.
    - Hashes URL-specific cache keys so PAC decisions remain distinct
    without retaining raw request URLs or query strings.
    
    ## End-user behavior
    
    - Disabled/default: existing client behavior is unchanged.
    - Enabled with `[features.respect_system_proxy]`:
      - macOS auth clients honor system proxy configuration, PAC, and WPAD;
      - valid OS/PAC `DIRECT` decisions use a direct connection;
    - unavailable system resolution falls back to explicit environment proxy
    variables, then `DIRECT`, through the shared contract from #26707.
    - Unsupported proxy schemes are not silently translated into another
    route.
    - Custom CA handling remains separate from proxy selection.
    - Known limitation: only the first supported system/PAC candidate is
    used. Subsequent proxy or `DIRECT` candidates are not attempted after a
    connection failure. This matches the current Windows behavior and leaves
    room for future ordered-fallback support.
    
    ## Tests
    
    - `just test -p codex-client` — 34 tests passed.
    - `just clippy -p codex-client`
    - `just fmt`
    - `just bazel-lock-check`
  • PAC 3 - Add Windows system proxy resolver (#26708)
    ## Summary
    
    Stacked on #26707.
    
    Adds the Windows implementation of the shared system-proxy contract.
    This allows Codex-owned auth clients to use the route Windows selects
    for each auth URL, including explicit PAC configuration, WPAD
    auto-detection, static proxies, and bypass rules.
    
    The `respect_system_proxy` feature is disabled by default, so existing
    client behavior remains unchanged unless explicitly enabled.
    
    ## Implementation
    
    - Adds Windows-only `codex-client` dependencies:
    - `windows-sys` with `Win32_Foundation` and `Win32_Networking_WinHttp`;
      - `sha2` for redacted cache keys.
    - Dispatches system-proxy resolution to `outbound_proxy/windows.rs` on
    Windows.
    - Reads the current-user WinHTTP/IE proxy configuration via
    `WinHttpGetIEProxyConfigForCurrentUser`.
    - Resolves explicit PAC URLs first, then OS-enabled WPAD auto-detection,
    then static proxy and bypass settings.
    - Uses `WinHttpGetProxyForUrl` for PAC/WPAD and maps results into the
    shared `SystemProxyDecision::{Direct, Proxy, Unavailable}` contract.
    - Parses `DIRECT`, `PROXY`, `HTTPS`, and keyed static proxy entries.
    - Treats unsupported schemes such as SOCKS as unavailable so the shared
    resolver can apply its environment-proxy fallback.
    - Handles Windows bypass entries, including `<local>` and host, suffix,
    wildcard, and port matching.
    - Releases WinHTTP-owned strings with `GlobalFree` and closes sessions
    with `WinHttpCloseHandle`.
    - Hashes URL-specific cache keys with SHA-256 so PAC decisions remain
    URL-specific without retaining raw request URLs or query strings.
    
    ## End-user behavior
    
    - Disabled/default: existing client behavior is unchanged.
    - Enabled with `[features.respect_system_proxy]`:
    - Windows auth clients honor explicit PAC configuration, OS-enabled
    WPAD, static proxies, and bypass rules;
      - valid OS/PAC `DIRECT` decisions use a direct connection;
    - unavailable system resolution falls back to explicit environment proxy
    variables, then `DIRECT`, through the shared contract from #26707.
    - Unsupported proxy schemes are not silently translated into a different
    route.
    - Custom CA handling remains separate from proxy selection.
    
    ## Tests
    
    Adds coverage for:
    
    - PAC-style proxy tokens such as `PROXY proxy.internal:8080` and `HTTPS
    proxy.internal:8443`;
    - static WinHTTP proxy entries keyed by target scheme;
    - `DIRECT` and unsupported proxy-token behavior;
    - Windows bypass matching, including `<local>`, wildcard, suffix, and
    port-qualified entries;
    - preserving URL-specific PAC cache decisions without retaining the raw
    URL on Windows.
  • [codex] Remove async_trait from first-party code (#27475)
    ## Why
    
    First-party async traits should expose their `Send` contracts explicitly
    without requiring `async_trait`. This completes the migration pattern
    established in #27303 and #27304.
    
    ## What changed
    
    - Replaced the remaining first-party `async_trait` traits with native
    return-position `impl Future + Send` where statically dispatched and
    explicit boxed `Send` futures where object safety is required.
    - Kept implementations behavior-preserving, outlining existing async
    bodies into inherent methods where that keeps the diff reviewable.
    - Removed all direct first-party `async-trait` dependencies and the
    workspace dependency declaration.
    - Added a cargo-deny policy that permits `async-trait` only through the
    remaining transitive wrapper crates.
    - Updated `rand` from 0.8.5 to 0.8.6 to resolve RUSTSEC-2026-0097 and
    keep the full cargo-deny check passing.
    
    ## Validation
    
    - `just test -p codex-exec-server`: 216 passed, 2 skipped.
    - `just test -p codex-model-provider`: 39 passed.
    - `just test -p codex-core` and `just test`: changed tests passed;
    remaining failures are environment-sensitive suites unrelated to this
    migration.
    - `cargo deny check`
    - `just fix`
    - `just fmt`
    - `cargo shear`
    - `just bazel-lock-check`
  • Disable empty Cargo test targets (#21584)
    ## Summary
    
    `cargo test` has entails both running standard Rust tests and doctests.
    It turns out that the doctest discovery is fairly slow, and it's a cost
    you pay even for crates that don't include any doctests.
    
    This PR disables doctests with `doctest = false` for crates that lack
    any doctests.
    
    For the collection of crates below, this speeds up test execution by
    >4x.
    
    E.g., before this PR:
    
    ```
    Benchmark 1: cargo test     -p codex-utils-absolute-path     -p codex-utils-cache     -p codex-utils-cli     -p codex-utils-home-dir     -p codex-utils-output-truncation     -p codex-utils-path     -p codex-utils-string     -p codex-utils-template     -p codex-utils-elapsed     -p codex-utils-json-to-toml
      Time (mean ± σ):      1.849 s ±  4.455 s    [User: 0.752 s, System: 1.367 s]
      Range (min … max):    0.418 s … 14.529 s    10 runs
    ```
    
    And after:
    
    ```
    Benchmark 1: cargo test     -p codex-utils-absolute-path     -p codex-utils-cache     -p codex-utils-cli     -p codex-utils-home-dir     -p codex-utils-output-truncation     -p codex-utils-path     -p codex-utils-string     -p codex-utils-template     -p codex-utils-elapsed     -p codex-utils-json-to-toml
      Time (mean ± σ):     428.6 ms ±   6.9 ms    [User: 187.7 ms, System: 219.7 ms]
      Range (min … max):   418.0 ms … 436.8 ms    10 runs
    ```
    
    For a single crate, with >2x speedup, before:
    
    ```
    Benchmark 1: cargo test -p codex-utils-string
      Time (mean ± σ):     491.1 ms ±   9.0 ms    [User: 229.8 ms, System: 234.9 ms]
      Range (min … max):   480.9 ms … 512.0 ms    10 runs
    ```
    
    And after:
    
    ```
    Benchmark 1: cargo test -p codex-utils-string
      Time (mean ± σ):     213.9 ms ±   4.3 ms    [User: 112.8 ms, System: 84.0 ms]
      Range (min … max):   206.8 ms … 221.0 ms    13 runs
    ```
    
    Co-authored-by: Codex <noreply@openai.com>
  • Fix custom CA login behind TLS-inspecting proxies (#20676)
    Refs:
    https://linear.app/openai/issue/SE-6311/login-fails-for-experian-users-behind-tls-inspecting-proxy
    
    ## Summary
    - When a custom CA bundle is configured, force the shared `codex-client`
    reqwest builder onto rustls before registering custom roots.
    - Add the `rustls-tls-native-roots` reqwest feature so the rustls client
    preserves native roots plus the enterprise CA bundle.
    - Add subprocess TLS coverage for both a direct local TLS 1.3 server and
    a hermetic local CONNECT TLS-intercepting proxy that forwards a
    token-exchange-shaped POST to a local origin.
    
    ## Plain-language explanation
    Experian users are behind a TLS-inspecting proxy, so the login token
    exchange needs to trust the enterprise CA bundle from
    `CODEX_CA_CERTIFICATE` or `SSL_CERT_FILE`. Before this change, that
    custom-CA branch still used reqwest default TLS selection, which could
    fail in the proxy environment. Now, only when a custom CA is configured,
    Codex selects rustls first and then adds the custom CA roots, matching
    the validated behavior from the Experian test build while leaving normal
    system-root clients unchanged.
    
    The new regression test recreates the enterprise-proxy shape locally:
    the probe client sends an HTTPS `POST /oauth/token` through an explicit
    HTTP CONNECT proxy, the proxy presents a leaf certificate signed by a
    runtime-generated test CA, decrypts the request, forwards it to a local
    origin, and relays the `ok` response back.
    
    ## Scope note
    - The actual production fix is the first commit: `8368119282 Fix custom
    CA reqwest clients to use rustls`.
    - The second commit is integration-test coverage only. It generates all
    test CA and localhost certificate material at runtime.
    
    ## Validation
    - `cd codex-rs && cargo test -p codex-client --test ca_env
    posts_to_token_origin_through_tls_intercepting_proxy_with_custom_ca_bundle
    -- --nocapture`
    - `cd codex-rs && cargo test -p codex-client`
    - `cd codex-rs && cargo test -p codex-login`
    - `cd codex-rs && just fmt`
    - `cd codex-rs && just bazel-lock-update`
    - `cd codex-rs && just bazel-lock-check`
    - `cd codex-rs && just fix -p codex-client`
  • client: extend custom CA handling across HTTPS and websocket clients (#14239)
    ## Stacked PRs
    
    This work is now effectively split across two steps:
    
    - #14178: add custom CA support for browser and device-code login flows,
    docs, and hermetic subprocess tests
    - #14239: extend that shared custom CA handling across Codex HTTPS
    clients and secure websocket TLS
    
    Note: #14240 was merged into this branch while it was stacked on top of
    this PR. This PR now subsumes that websocket follow-up and should be
    treated as the combined change.
    
    Builds on top of #14178.
    
    ## Problem
    
    Custom CA support landed first in the login path, but the real
    requirement is broader. Codex constructs outbound TLS clients in
    multiple places, and both HTTPS and secure websocket paths can fail
    behind enterprise TLS interception if they do not honor
    `CODEX_CA_CERTIFICATE` or `SSL_CERT_FILE` consistently.
    
    This PR broadens the shared custom-CA logic beyond login and applies the
    same policy to websocket TLS, so the enterprise-proxy story is no longer
    split between “HTTPS works” and “websockets still fail”.
    
    ## What This Delivers
    
    Custom CA support is no longer limited to login. Codex outbound HTTPS
    clients and secure websocket connections can now honor the same
    `CODEX_CA_CERTIFICATE` / `SSL_CERT_FILE` configuration, so enterprise
    proxy/intercept setups work more consistently end-to-end.
    
    For users and operators, nothing new needs to be configured beyond the
    same CA env vars introduced in #14178. The change is that more of Codex
    now respects them, including websocket-backed flows that were previously
    still using default trust roots.
    
    I also manually validated the proxy path locally with mitmproxy using:
    `CODEX_CA_CERTIFICATE=~/.mitmproxy/mitmproxy-ca-cert.pem
    HTTPS_PROXY=http://127.0.0.1:8080 just codex`
    with mitmproxy installed via `brew install mitmproxy` and configured as
    the macOS system proxy.
    
    ## Mental model
    
    `codex-client` is now the owner of shared custom-CA policy for outbound
    TLS client construction. Reqwest callers start from the builder
    configuration they already need, then pass that builder through
    `build_reqwest_client_with_custom_ca(...)`. Websocket callers ask the
    same module for a rustls client config when a custom CA bundle is
    configured.
    
    The env precedence is the same everywhere:
    - `CODEX_CA_CERTIFICATE` wins
    - otherwise fall back to `SSL_CERT_FILE`
    - otherwise use system roots
    
    The helper is intentionally narrow. It loads every usable certificate
    from the configured PEM bundle into the appropriate root store and
    returns either a configured transport or a typed error that explains
    what went wrong.
    
    ## Non-goals
    
    This does not add handshake-level integration tests against a live TLS
    endpoint. It does not validate that the configured bundle forms a
    meaningful certificate chain. It also does not try to force every
    transport in the repo through one abstraction; it extends the shared CA
    policy across the reqwest and websocket paths that actually needed it.
    
    ## Tradeoffs
    
    The main tradeoff is centralizing CA behavior in `codex-client` while
    still leaving adoption up to call sites. That keeps the implementation
    additive and reviewable, but it means the rule "outbound Codex TLS that
    should honor enterprise roots must use the shared helper" is still
    partly enforced socially rather than by types.
    
    For websockets, the shared helper only builds an explicit rustls config
    when a custom CA bundle is configured. When no override env var is set,
    websocket callers still use their ordinary default connector path.
    
    ## Architecture
    
    `codex-client::custom_ca` now owns CA bundle selection, PEM
    normalization, mixed-section parsing, certificate extraction, typed
    CA-loading errors, and optional rustls client-config construction for
    websocket TLS.
    
    The affected consumers now call into that shared helper directly rather
    than carrying login-local CA behavior:
    - backend-client
    - cloud-tasks
    - RMCP client paths that use `reqwest`
    - TUI voice HTTP paths
    - `codex-core` default reqwest client construction
    - `codex-api` websocket clients for both responses and realtime
    websocket connections
    
    The subprocess CA probe, env-sensitive integration tests, and shared PEM
    fixtures also live in `codex-client`, which is now the actual owner of
    the behavior they exercise.
    
    ## Observability
    
    The shared CA path logs:
    - which environment variable selected the bundle
    - which path was loaded
    - how many certificates were accepted
    - when `TRUSTED CERTIFICATE` labels were normalized
    - when CRLs were ignored
    - where client construction failed
    
    Returned errors remain user-facing and include the relevant env var,
    path, and remediation hint. That same error model now applies whether
    the failure surfaced while building a reqwest client or websocket TLS
    configuration.
    
    ## Tests
    
    Pure unit tests in `codex-client` cover env precedence and PEM
    normalization behavior. Real client construction remains in subprocess
    tests so the suite can control process env and avoid the macOS seatbelt
    panic path that motivated the hermetic test split.
    
    The subprocess coverage verifies:
    - `CODEX_CA_CERTIFICATE` precedence over `SSL_CERT_FILE`
    - fallback to `SSL_CERT_FILE`
    - single-cert and multi-cert bundles
    - malformed and empty-file errors
    - OpenSSL `TRUSTED CERTIFICATE` handling
    - CRL tolerance for well-formed CRL sections
    
    The websocket side is covered by the existing `codex-api` / `codex-core`
    websocket test suites plus the manual mitmproxy validation above.
    
    ---------
    
    Co-authored-by: Ivan Zakharchanka <3axap4eHko@gmail.com>
    Co-authored-by: Codex <noreply@openai.com>
  • Add feature for optional request compression (#8767)
    Adds a new feature
    `enable_request_compression` that will compress using zstd requests to
    the codex-backend. Currently only enabled for codex-backend so only enabled for openai providers when using chatgpt::auth even when the feature is enabled
    
    Added a new info log line too for evaluating the compression ratio and
    overhead off compressing before requesting. You can enable with
    `RUST_LOG=$RUST_LOG,codex_client::transport=info`
    
    ```
    2026-01-06T00:09:48.272113Z  INFO codex_client::transport: Compressed request body with zstd pre_compression_bytes=28914 post_compression_bytes=11485 compression_duration_ms=0
    ```
  • Add request logging back (#7471)
    Having full requests helps debugging