3 Commits

  • fix(process-hardening): preserve macos malloc diagnostics (#24479)
    ## Summary
    
    Follow-up to #24459 and partial behavioral revert of `a71fc47` / #16699.
    
    - Stop removing `MallocStackLogging*` and `MallocLogFile*` from macOS
    pre-main hardening.
    - Remove documentation that claims Codex suppresses those allocator
    diagnostic controls.
    - Retain the shared `remove_env_vars_with_prefix` refactor and existing
    `LD_` / `DYLD_` hardening.
    
    ## Why
    
    #24459 fixes the composer-corruption problem at the terminal stderr
    boundary while preserving redirected stderr. With that guard in place,
    stripping macOS malloc diagnostic settings is unnecessary and can hide
    diagnostics intentionally enabled by callers.
    
    ## Validation
    
    - `just fmt`
    - `just test -p codex-process-hardening`
    - `just argument-comment-lint-from-source -p codex-process-hardening`
    - `git diff --check`
  • Fix macOS malloc diagnostics leaking into TUI composer (#16699)
    Addresses #11555
    
    Problem: macOS malloc stack-logging diagnostics could leak into the TUI
    composer and get misclassified as pasted user input.
    
    Solution: Strip `MallocStackLogging*` and `MallocLogFile*` during macOS
    pre-main hardening and document the additional env cleanup.
  • feat: introduce npm module for codex-responses-api-proxy (#4417)
    This PR expands `.github/workflows/rust-release.yml` so that it also
    builds and publishes the `npm` module for
    `@openai/codex-responses-api-proxy` in addition to `@openai/codex`. Note
    both `npm` modules are similar, in that they each contain a single `.js`
    file that is a thin launcher around the appropriate native executable.
    (Since we have a minimal dependency on Node.js, I also lowered the
    minimum version from 20 to 16 and verified that it works on my machine.)
    
    As part of this change, we tighten up some of the docs around
    `codex-responses-api-proxy` and ensure the details regarding protecting
    the `OPENAI_API_KEY` in memory match the implementation.
    
    To test the `npm` build process, I ran:
    
    ```
    ./codex-cli/scripts/build_npm_package.py --package codex-responses-api-proxy --version 0.43.0-alpha.3
    ```
    
    which stages the `npm` module for `@openai/codex-responses-api-proxy` in
    a temp directory, using the binary artifacts from
    https://github.com/openai/codex/releases/tag/rust-v0.43.0-alpha.3.