mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
b5866eebd6
[Codex Thread 019ef1f9-36e2-7e91-9337-504f097b9dc1](https://codex-thread-link.openai.chatgpt-team.site/thread/019ef1f9-36e2-7e91-9337-504f097b9dc1) ## Why Hosted plugin-service Streamable HTTP MCP traffic uses `https://chatgpt.com/backend-api/ps/mcp` and depends on Cloudflare's `__cflb` cookie for load-balancer affinity. The local and exec-server `http/request` path built a fresh reqwest client for each request without installing Codex's existing shared ChatGPT Cloudflare cookie store, so affinity could be lost between calls. This is an affinity-hardening change motivated by an incident investigation. It does not establish the broader connector-cache incident RCA or claim to fix that incident in full. ## What changed - Install the existing process-local, strictly allowlisted ChatGPT Cloudflare cookie store on the reqwest client used by `ReqwestHttpClient`. - Fresh clients now share allowed Cloudflare infrastructure cookies within the process that originates the local or exec-server network request. - Keep the existing HTTPS ChatGPT-host and Cloudflare-cookie-name restrictions. This does not introduce a general cookie jar or send ChatGPT Cloudflare cookies to unrelated hosts. ## Test coverage - `codex-client` unit coverage verifies that the existing strict store accepts and returns `__cflb` for HTTPS ChatGPT URLs. - The exec-server HTTPS integration test sends four independent `http/request` calls through a local TLS-intercepting proxy and verifies that: - `Set-Cookie: __cflb=west` is sent on the next plugin-service request; - a later `Set-Cookie: __cflb=central` replaces the stored value; - non-Cloudflare session cookies are discarded; - no stored ChatGPT Cloudflare cookie is sent to a non-ChatGPT host. - `just test -p codex-client` — 38 passed. - `just test -p codex-exec-server --test chatgpt_cloudflare_affinity` — 1 passed. - `just bazel-lock-check` — passed. ## Non-goals - No persistence of ChatGPT auth, account, session, residency, or arbitrary cookies. - No cookie persistence for third-party MCP servers. - No special composition of caller-provided `Cookie` headers. - No plugin-service, connector-cache, Habitat/habicache, routing, redirect, or API-contract changes. - No broader incident RCA conclusions.
80 lines
2.2 KiB
TOML
80 lines
2.2 KiB
TOML
[package]
|
|
name = "codex-exec-server"
|
|
version.workspace = true
|
|
edition.workspace = true
|
|
license.workspace = true
|
|
|
|
[lib]
|
|
doctest = false
|
|
|
|
[lints]
|
|
workspace = true
|
|
|
|
[dependencies]
|
|
arc-swap = { workspace = true }
|
|
axum = { workspace = true, features = ["http1", "tokio", "ws"] }
|
|
base64 = { workspace = true }
|
|
bytes = { workspace = true }
|
|
clatter = { workspace = true }
|
|
codex-api = { workspace = true }
|
|
codex-client = { workspace = true }
|
|
codex-exec-server-protocol = { workspace = true }
|
|
codex-file-system = { workspace = true }
|
|
codex-network-proxy = { workspace = true }
|
|
codex-otel = { workspace = true }
|
|
codex-protocol = { workspace = true }
|
|
codex-sandboxing = { workspace = true }
|
|
codex-utils-absolute-path = { workspace = true }
|
|
codex-utils-path-uri = { workspace = true }
|
|
codex-utils-pty = { workspace = true }
|
|
codex-utils-rustls-provider = { workspace = true }
|
|
futures = { workspace = true }
|
|
http = { workspace = true }
|
|
reqwest = { workspace = true, features = ["json", "rustls-tls", "stream"] }
|
|
prost = "0.14.3"
|
|
serde = { workspace = true, features = ["derive"] }
|
|
serde_json = { workspace = true }
|
|
thiserror = { workspace = true }
|
|
toml = { workspace = true }
|
|
tokio = { workspace = true, features = [
|
|
"fs",
|
|
"io-std",
|
|
"io-util",
|
|
"macros",
|
|
"net",
|
|
"process",
|
|
"rt-multi-thread",
|
|
"sync",
|
|
"time",
|
|
] }
|
|
tokio-util = { workspace = true, features = ["io", "rt"] }
|
|
tokio-tungstenite = { workspace = true }
|
|
tracing = { workspace = true }
|
|
uuid = { workspace = true, features = ["v4"] }
|
|
|
|
[target.'cfg(unix)'.dependencies]
|
|
libc = { workspace = true }
|
|
|
|
[target.'cfg(windows)'.dependencies]
|
|
windows-sys = { version = "0.52", features = [
|
|
"Win32_Foundation",
|
|
"Win32_Storage_FileSystem",
|
|
] }
|
|
|
|
[dev-dependencies]
|
|
anyhow = { workspace = true }
|
|
codex-test-binary-support = { workspace = true }
|
|
ctor = { workspace = true }
|
|
http = { workspace = true }
|
|
opentelemetry = { workspace = true }
|
|
opentelemetry_sdk = { workspace = true }
|
|
pretty_assertions = { workspace = true }
|
|
rcgen = { workspace = true }
|
|
rustls = { workspace = true }
|
|
serial_test = { workspace = true }
|
|
tempfile = { workspace = true }
|
|
test-case = "3.3.1"
|
|
tracing-opentelemetry = { workspace = true }
|
|
tracing-subscriber = { workspace = true }
|
|
wiremock = { workspace = true }
|