Commit Graph

5 Commits

  • build: run buildifier from just fmt (#28125)
    ## Intent
    
    Keep Bazel and Starlark files consistently formatted without requiring
    contributors to install or version buildifier themselves.
    
    ## Implementation
    
    - Add a SHA-256-pinned, cross-platform DotSlash manifest for buildifier
    v8.5.1.
    - Run buildifier from the shared `just fmt` and `just fmt-check` driver,
    with Windows-safe explicit DotSlash invocation.
    - Provision DotSlash in formatting CI and contributor devcontainers, and
    document the source-build prerequisite.
    - Apply the initial mechanical buildifier formatting baseline.
  • Uprev Rust toolchain pins to 1.95.0 (#24684)
    ## Summary
    - Bump the workspace Rust toolchain from `1.93.0` to `1.95.0` across
    Cargo, Bazel, CI, release workflows, devcontainers, and the Codex
    environment config.
    - Refresh `MODULE.bazel.lock` so the Bazel Rust toolchain artifacts
    match the new version.
    - Leave purpose-specific toolchains unchanged, including the
    `argument-comment-lint` nightly and the upstream `rusty_v8` `1.91.0`
    build pin.
    - Includes fixes for new lints from `just fix` and a few codex-authored
    fixes for lints without a suggestion.
  • Harden package-manager install policy (#19163)
    ## Summary
    
    This PR hardens package-manager usage across the repo to reduce
    dependency supply-chain risk. It also removes the stale `codex-cli`
    Docker path, which was already broken on `main`, instead of keeping a
    bitrotted container workflow alive.
    
    ## What changed
    
    - Updated pnpm package manager pins and workspace install settings.
    - Removed stale `codex-cli` Docker assets instead of trying to keep a
    broken local container path alive.
    - Added uv settings and lockfiles for the Python SDK packages.
    - Updated Python SDK setup docs to use `uv sync`.
    
    ## Why
    
    This is primarily a security hardening change. It reduces
    package-install and supply-chain risk by ensuring dependency installs go
    through pinned package managers, committed lockfiles, release-age
    settings, and reviewed build-script controls.
    
    For `codex-cli`, the right follow-up was to remove the local Docker path
    rather than keep patching it:
    
    - `codex-cli/Dockerfile` installed `codex.tgz` with `npm install -g`,
    which bypassed the repo lockfile and age-gated pnpm settings.
    - The local `codex-cli/scripts/build_container.sh` helper was already
    broken on `main`: it called `pnpm run build`, but
    `codex-cli/package.json` does not define a `build` script.
    - The container path itself had bitrotted enough that keeping it would
    require extra packaging-specific behavior that was not otherwise needed
    by the repo.
    
    ## Gaps addressed
    
    - Global npm installs bypassed the repo lockfile in Docker and CLI
    reinstall paths, including `codex-cli/Dockerfile` and
    `codex-cli/bin/codex.js`.
    - CI and Docker pnpm installs used `--frozen-lockfile`, but the repo was
    missing stricter pnpm workspace settings for dependency build scripts.
    - Python SDK projects had `pyproject.toml` metadata but no committed
    `uv.lock` coverage or uv age/index settings in `sdk/python` and
    `sdk/python-runtime`.
    - The secure devcontainer install path used npm/global install behavior
    without a local locked package-manager boundary.
    - The local `codex-cli` Docker helper was already broken on `main`, so
    this PR removes that stale Docker path instead of preserving a broken
    surface.
    - pnpm was already pinned, but not to the current repo-wide pnpm version
    target.
    
    ## Verification
    
    - `pnpm install --frozen-lockfile`
    - `.devcontainer/codex-install`: `pnpm install --prod --frozen-lockfile`
    - `.devcontainer/codex-install`: `./node_modules/.bin/codex --version`
    - `sdk/python`: `uv lock --check`, `uv sync --locked --all-extras
    --dry-run`, `uv build`
    - `sdk/python-runtime`: `uv lock --check`, `uv sync --locked --dry-run`,
    `uv build --wheel`
    - `pnpm -r --filter ./sdk/typescript run build`
    - `pnpm -r --filter ./sdk/typescript run lint`
    - `pnpm -r --filter ./sdk/typescript run test`
    - `node --check codex-cli/bin/codex.js`
    - `docker build -f .devcontainer/Dockerfile.secure -t codex-secure-test
    .`
    - `cargo build -p codex-cli`
    - repo-wide package-manager audit
  • [codex] Support bubblewrap in secure Docker devcontainer (#17547)
    ## Summary
    
    - leave the default contributor devcontainer on its lightweight
    platform-only Docker runtime
    - install bubblewrap in setuid mode only in the secure devcontainer
    image for running Codex inside Docker
    - add Docker run args to the secure profile for bubblewrap's required
    capabilities
    - use explicit `seccomp=unconfined` and `apparmor=unconfined` in the
    secure profile instead of shipping a custom seccomp profile
    - document that the relaxed Docker security options are scoped to the
    secure profile
    
    ## Why
    
    Docker's default seccomp profile blocks bubblewrap with `pivot_root:
    Operation not permitted`, even when the container has `CAP_SYS_ADMIN`.
    Docker's default AppArmor profile also blocks bubblewrap with `Failed to
    make / slave: Permission denied`.
    
    A custom seccomp profile works, but it is hard for customers to audit
    and understand. Using Docker's standard `seccomp=unconfined` option is
    clearer: the secure profile intentionally relaxes Docker's outer sandbox
    just enough for Codex to construct its own bubblewrap/seccomp sandbox
    inside the container. The default contributor profile does not get these
    expanded runtime settings.
    
    ## Validation
    
    - `sed '/\\/\\*/,/\\*\\//d' .devcontainer/devcontainer.json | jq empty`
    - `jq empty .devcontainer/devcontainer.secure.json`
    - `git diff --check`
    - `docker build --platform=linux/arm64 -t
    codex-devcontainer-bwrap-test-arm64 ./.devcontainer`
    - `docker build --platform=linux/arm64 -f
    .devcontainer/Dockerfile.secure -t
    codex-devcontainer-secure-bwrap-test-arm64 .`
    - interactive `docker run -it` smoke tests:
      - verified non-root users `ubuntu` and `vscode`
      - verified secure image `/usr/bin/bwrap` is setuid
    - verified user/pid namespace, user/network namespace, and preserved-fd
    `--ro-bind-data` bwrap commands
    - reran secure-image smoke test with simplified `seccomp=unconfined`
    setup:
      - `bwrap-basic-ok`
      - `bwrap-netns-ok`
      - `codex-ok`
    - ran Codex inside the secure image:
      - `codex --version` -> `codex-cli 0.120.0`
    - `codex sandbox linux --full-auto -- /bin/sh -lc '...'` -> exited 0 and
    printed `codex-inner-ok`
    
    Note: direct `bwrap --proc /proc` is still denied by this Docker
    runtime, and Codex's existing proc-mount preflight fallback handles that
    by retrying without `--proc`.
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • feat(devcontainer): add separate secure customer profile (#10431)
    ## Description
    
    Keeps the existing Codex contributor devcontainer in place and adds a
    separate secure profile for customer use.
    
    ## What changed
    
    - leaves `.devcontainer/devcontainer.json` and the contributor
    `Dockerfile` aligned with `main`
    - adds `.devcontainer/devcontainer.secure.json` and
    `.devcontainer/Dockerfile.secure`
    - adds secure-profile bootstrap scripts:
      - `post_install.py`
      - `post-start.sh`
      - `init-firewall.sh`
    - updates `.devcontainer/README.md` to explain when to use each path
    
    ## Secure profile behavior
    
    The new secure profile is opt-in and is meant for running Codex in a
    stricter project container:
    
    - preinstalls the Codex CLI plus common build tools
    - uses persistent volumes for Codex state, Cargo, Rustup, and GitHub
    auth
    - applies an allowlist-driven outbound firewall at startup
    - blocks IPv6 by default so the allowlist cannot be bypassed via AAAA
    routes
    - keeps the stricter networking isolated from the default contributor
    workflow
    
    ## Resulting behavior
    
    - `devcontainer.json` remains the low-friction Codex contributor setup
    - `devcontainer.secure.json` is the customer-facing secure option
    - the repo supports both workflows without forcing the secure profile on
    Codex contributors