Commit Graph

2 Commits

  • Move sanitizer into codex-secrets (#12306)
    ## Summary
    - move the sanitizer implementation into `codex-secrets`
    (`secrets/src/sanitizer.rs`) and re-export `redact_secrets`
    - switch `codex-core` to depend on/import `codex-secrets` for sanitizer
    usage
    - remove the old `utils/sanitizer` crate wiring and refresh lockfiles
    
    ## Testing
    - `just fmt`
    - `cargo test -p codex-secrets`
    - `cargo test -p codex-core --no-run`
    - `cargo clippy -p codex-secrets -p codex-core --all-targets --all-features -- -D warnings`
    - `just bazel-lock-update`
    - `just bazel-lock-check`
    
    ## Notes
    - not run: `cargo test --all-features` (full workspace suite)
  • feat(secrets): add codex-secrets crate (#10142)
    ## Summary
    This introduces the first working foundation for Codex managed secrets:
    a small Rust crate that can securely store and retrieve secrets locally.
    
    Concretely, it adds a `codex-secrets` crate that:
    - encrypts a local secrets file using `age`
    - generates a high-entropy encryption key
    - stores that key in the OS keyring
    
    ## What this enables
    - A secure local persistence model for secrets
    - A clean, isolated place for future provider backends
    - A clear boundary: Codex can become a credential broker without putting
    plaintext secrets in config files
    
    ## Implementation details
    - New crate: `codex-rs/secrets/`
    - Encryption: `age` with scrypt recipient/identity
    - Key generation: `OsRng` (32 random bytes)
    - Key storage: OS keyring via `codex-keyring-store`
    
    ## Testing
    - `cd codex-rs && just fmt`
    - `cd codex-rs && cargo test -p codex-secrets`