mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
dev
7 Commits
-
feat: add auth-specific encrypted secret namespaces (#27535)
## Why CLI auth and MCP OAuth credentials should use separate encrypted files while sharing the existing local-secrets implementation and OS-keyring-backed encryption key mechanism. This is the second PR in the encrypted-auth stack: 1. #27504 — feature and config selection 2. This PR — auth-specific local-secrets namespaces 3. CLI auth implementation and activation 4. MCP OAuth implementation and activation ## What Changed - Added `LocalSecretsNamespace` variants for shared secrets, CLI auth, and MCP OAuth. - Selected `local.age`, `cli_auth.age`, or `mcp_oauth.age` from the namespace. - Made atomic temporary filenames derive from the selected secrets filename. - Added namespaced `SecretsManager` construction and coverage proving the auth namespaces write separate encrypted files. - Made the default keyring store clonable for downstream namespaced auth backends. This PR does not activate either auth backend or change existing credential behavior. ## Validation - `just test -p codex-secrets` — 7 passed - `just test -p codex-keyring-store` — package has no test binaries - `just fmt`
Celia Chen ·
2026-06-12 19:52:49 +00:00 -
Disable empty Cargo test targets (#21584)
## Summary `cargo test` has entails both running standard Rust tests and doctests. It turns out that the doctest discovery is fairly slow, and it's a cost you pay even for crates that don't include any doctests. This PR disables doctests with `doctest = false` for crates that lack any doctests. For the collection of crates below, this speeds up test execution by >4x. E.g., before this PR: ``` Benchmark 1: cargo test -p codex-utils-absolute-path -p codex-utils-cache -p codex-utils-cli -p codex-utils-home-dir -p codex-utils-output-truncation -p codex-utils-path -p codex-utils-string -p codex-utils-template -p codex-utils-elapsed -p codex-utils-json-to-toml Time (mean ± σ): 1.849 s ± 4.455 s [User: 0.752 s, System: 1.367 s] Range (min … max): 0.418 s … 14.529 s 10 runs ``` And after: ``` Benchmark 1: cargo test -p codex-utils-absolute-path -p codex-utils-cache -p codex-utils-cli -p codex-utils-home-dir -p codex-utils-output-truncation -p codex-utils-path -p codex-utils-string -p codex-utils-template -p codex-utils-elapsed -p codex-utils-json-to-toml Time (mean ± σ): 428.6 ms ± 6.9 ms [User: 187.7 ms, System: 219.7 ms] Range (min … max): 418.0 ms … 436.8 ms 10 runs ``` For a single crate, with >2x speedup, before: ``` Benchmark 1: cargo test -p codex-utils-string Time (mean ± σ): 491.1 ms ± 9.0 ms [User: 229.8 ms, System: 234.9 ms] Range (min … max): 480.9 ms … 512.0 ms 10 runs ``` And after: ``` Benchmark 1: cargo test -p codex-utils-string Time (mean ± σ): 213.9 ms ± 4.3 ms [User: 112.8 ms, System: 84.0 ms] Range (min … max): 206.8 ms … 221.0 ms 13 runs ``` Co-authored-by: Codex <noreply@openai.com>
Charlie Marsh ·
2026-05-07 15:44:17 -07:00 -
feat: add support for building with Bazel (#8875)
This PR configures Codex CLI so it can be built with [Bazel](https://bazel.build) in addition to Cargo. The `.bazelrc` includes configuration so that remote builds can be done using [BuildBuddy](https://www.buildbuddy.io). If you are familiar with Bazel, things should work as you expect, e.g., run `bazel test //... --keep-going` to run all the tests in the repo, but we have also added some new aliases in the `justfile` for convenience: - `just bazel-test` to run tests locally - `just bazel-remote-test` to run tests remotely (currently, the remote build is for x86_64 Linux regardless of your host platform). Note we are currently seeing the following test failures in the remote build, so we still need to figure out what is happening here: ``` failures: suite::compact::manual_compact_twice_preserves_latest_user_messages suite::compact_resume_fork::compact_resume_after_second_compaction_preserves_history suite::compact_resume_fork::compact_resume_and_fork_preserve_model_history_view ``` - `just build-for-release` to build release binaries for all platforms/architectures remotely To setup remote execution: - [Create a buildbuddy account](https://app.buildbuddy.io/) (OpenAI employees should also request org access at https://openai.buildbuddy.io/join/ with their `@openai.com` email address.) - [Copy your API key](https://app.buildbuddy.io/docs/setup/) to `~/.bazelrc` (add the line `build --remote_header=x-buildbuddy-api-key=YOUR_KEY`) - Use `--config=remote` in your `bazel` invocations (or add `common --config=remote` to your `~/.bazelrc`, or use the `just` commands) ## CI In terms of CI, this PR introduces `.github/workflows/bazel.yml`, which uses Bazel to run the tests _locally_ on Mac and Linux GitHub runners (we are working on supporting Windows, but that is not ready yet). Note that the failures we are seeing in `just bazel-remote-test` do not occur on these GitHub CI jobs, so everything in `.github/workflows/bazel.yml` is green right now. The `bazel.yml` uses extra config in `.github/workflows/ci.bazelrc` so that macOS CI jobs build _remotely_ on Linux hosts (using the `docker://docker.io/mbolin491/codex-bazel` Docker image declared in the root `BUILD.bazel`) using cross-compilation to build the macOS artifacts. Then these artifacts are downloaded locally to GitHub's macOS runner so the tests can be executed natively. This is the relevant config that enables this: ``` common:macos --config=remote common:macos --strategy=remote common:macos --strategy=TestRunner=darwin-sandbox,local ``` Because of the remote caching benefits we get from BuildBuddy, these new CI jobs can be extremely fast! For example, consider these two jobs that ran all the tests on Linux x86_64: - Bazel 1m37s https://github.com/openai/codex/actions/runs/20861063212/job/59940545209?pr=8875 - Cargo 9m20s https://github.com/openai/codex/actions/runs/20861063192/job/59940559592?pr=8875 For now, we will continue to run both the Bazel and Cargo jobs for PRs, but once we add support for Windows and running Clippy, we should be able to cutover to using Bazel exclusively for PRs, which should still speed things up considerably. We will probably continue to run the Cargo jobs post-merge for commits that land on `main` as a sanity check. Release builds will also continue to be done by Cargo for now. Earlier attempt at this PR: https://github.com/openai/codex/pull/8832 Earlier attempt to add support for Buck2, now abandoned: https://github.com/openai/codex/pull/8504 --------- Co-authored-by: David Zbarsky <dzbarsky@gmail.com> Co-authored-by: Michael Bolin <mbolin@openai.com>
zbarsky-openai ·
2026-01-09 11:09:43 -08:00 -
chore: add cargo-deny configuration (#7119)
- add GitHub workflow running cargo-deny on push/PR - document cargo-deny allowlist with workspace-dep notes and advisory ignores - align workspace crates to inherit version/edition/license for consistent checks
Josh McKinney ·
2025-11-24 12:22:18 -08:00 -
Fix FreeBSD/OpenBSD builds: target-specific keyring features and BSD hardening (#6680)
## Summary Builds on FreeBSD and OpenBSD were failing due to globally enabled Linux-specific keyring features and hardening code paths not gated by OS. This PR scopes keyring native backends to the appropriate targets, disables default features at the workspace root, and adds a BSD-specific hardening function. Linux/macOS/Windows behavior remains unchanged, while FreeBSD/OpenBSD now build and run with a supported backend. ## Key Changes - Keyring features: - Disable keyring default features at the workspace root to avoid pulling Linux backends on non-Linux. - Move native backend features into target-specific sections in the affected crates: - Linux: linux-native-async-persistent - macOS: apple-native - Windows: windows-native - FreeBSD/OpenBSD: sync-secret-service - Process hardening: - Add pre_main_hardening_bsd() for FreeBSD/OpenBSD, applying: - Set RLIMIT_CORE to 0 - Clear LD_* environment variables - Simplify process-hardening Cargo deps to unconditional libc (avoid conflicting OS fragments). - No changes to CODEX_SANDBOX_* behavior. ## Rationale - Previously, enabling keyring native backends globally pulled Linux-only features on BSD, causing build errors. - Hardening logic was tailored for Linux/macOS; BSD builds lacked a gated path with equivalent safeguards. - Target-scoped features and BSD hardening make the crates portable across these OSes without affecting existing behavior elsewhere. ## Impact by Platform - Linux: No functional change; backends now selected via target cfg. - macOS: No functional change; explicit apple-native mapping. - Windows: No functional change; explicit windows-native mapping. - FreeBSD/OpenBSD: Builds succeed using sync-secret-service; BSD hardening applied during startup. ## Testing - Verified compilation across affected crates with target-specific features. - Smoke-checked that Linux/macOS/Windows feature sets remain identical functionally after scoping. - On BSD, confirmed keyring resolves to sync-secret-service and hardening compiles. ## Risks / Compatibility - Minimal risk: only feature scoping and OS-gated additions. - No public API changes in the crates; runtime behavior on non-BSD platforms is preserved. - On BSD, the new hardening clears LD_*; this is consistent with security posture on other Unix platforms. ## Reviewer Notes - Pay attention to target-specific sections for keyring in the affected Cargo.toml files. - Confirm pre_main_hardening_bsd() mirrors the safe subset of Linux/macOS hardening without introducing Linux-only calls. - Confirm no references to CODEX_SANDBOX_ENV_VAR or CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR were added/modified. ## Checklist - Disable keyring default features at workspace root. - Target-specific keyring features mapped per OS (Linux/macOS/Windows/BSD). - Add BSD hardening (RLIMIT_CORE=0, clear LD_*). - Simplify process-hardening dependencies to unconditional libc. - No changes to sandbox env var code. - Formatting and linting: just fmt + just fix -p for changed crates. - Project tests pass for changed crates; broader suite unchanged. --------- Co-authored-by: celia-oai <celia@openai.com>Xiao-Yong Jin ·
2025-11-17 05:07:34 +00:00 -
[Auth] Choose which auth storage to use based on config (#5792)
This PR is a follow-up to #5591. It allows users to choose which auth storage mode they want by using the new `cli_auth_credentials_store_mode` config.
Celia Chen ·
2025-10-27 19:41:49 -07:00 -
[Auth] Add keyring support for Codex CLI (#5591)
Follow-up PR to #5569. Add Keyring Support for Auth Storage in Codex CLI as well as a hybrid mode (default to persisting in keychain but fall back to file when unavailable.) It also refactors out the keyringstore implementation from rmcp-client [here](https://github.com/openai/codex/blob/main/codex-rs/rmcp-client/src/oauth.rs) to a new keyring-store crate. There will be a follow-up that picks the right credential mode depending on the config, instead of hardcoding `AuthCredentialsStoreMode::File`.
Celia Chen ·
2025-10-27 12:10:11 -07:00