mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
989f55defa
## Why Codex child processes can inherit injectable local credentials directly, which lets commands read and exfiltrate the real values. This experimental slice keeps supported workflows working while moving those credentials behind the managed network proxy. This PR contains only the proxy-owned broker implementation. The Codex config and runtime integration is stacked separately in #29752. ## What changed - discover supported credentials during child setup, retain real values only in the in-memory proxy broker, and replace them with shaped dummy values - require a presented dummy to select a stored credential and preserve unrelated explicit authorization headers - bind GitHub cloud, GitHub Enterprise, and OpenAI credentials to their intended hosts - inject credentials only into TLS traffic by default; plaintext injection requires the explicit dangerous opt-in - use TLS ClientHello routing for CONNECT so non-TLS protocols remain opaque tunnels - expose a pure API that identifies environment keys still holding broker-generated dummies without mutating the caller's environment ## Scope - supported credentials: `GH_TOKEN`, `GITHUB_TOKEN`, `GH_ENTERPRISE_TOKEN`, `GITHUB_ENTERPRISE_TOKEN`, and `OPENAI_API_KEY` - GitHub cloud credentials match `github.com`, `api.github.com`, and `*.ghe.com` - GitHub Enterprise credentials match only the normalized non-cloud `GH_HOST` - OpenAI API keys match only `api.openai.com` - this does not cover SSH agents, kube client certificates, filesystem secret discovery, or context-injected secret scrubbing ## Validation - `just test -p codex-network-proxy` (191 passed) - focused opaque CONNECT, plaintext opt-in, dummy-selection, and child-isolation regressions passed - scoped Clippy check for `codex-network-proxy` passed --------- Co-authored-by: viyatb-oai <viyatb@openai.com> Co-authored-by: Codex <noreply@openai.com>
54 lines
1.6 KiB
TOML
54 lines
1.6 KiB
TOML
[package]
|
|
name = "codex-network-proxy"
|
|
edition.workspace = true
|
|
version.workspace = true
|
|
license.workspace = true
|
|
|
|
[lib]
|
|
name = "codex_network_proxy"
|
|
path = "src/lib.rs"
|
|
doctest = false
|
|
|
|
[lints]
|
|
workspace = true
|
|
|
|
[dependencies]
|
|
anyhow = { workspace = true }
|
|
base64 = { workspace = true }
|
|
clap = { workspace = true, features = ["derive"] }
|
|
chrono = { workspace = true }
|
|
codex-utils-absolute-path = { workspace = true }
|
|
codex-utils-home-dir = { workspace = true }
|
|
codex-utils-rustls-provider = { workspace = true }
|
|
globset = { workspace = true }
|
|
rand = { workspace = true }
|
|
serde = { workspace = true, features = ["derive"] }
|
|
serde_json = { workspace = true }
|
|
thiserror = { workspace = true }
|
|
time = { workspace = true }
|
|
tokio = { workspace = true, features = ["full"] }
|
|
tracing = { workspace = true }
|
|
url = { workspace = true }
|
|
rama-core = { version = "=0.3.0-alpha.4" }
|
|
rama-http = { version = "=0.3.0-alpha.4" }
|
|
rama-http-backend = { version = "=0.3.0-alpha.4", features = ["tls"] }
|
|
rama-net = { version = "=0.3.0-alpha.4", features = ["http", "tls"] }
|
|
rama-socks5 = { version = "=0.3.0-alpha.4" }
|
|
rama-tcp = { version = "=0.3.0-alpha.4", features = ["http"] }
|
|
rama-tls-rustls = { version = "=0.3.0-alpha.4", features = ["http"] }
|
|
rustls-native-certs = { workspace = true }
|
|
sha2 = { workspace = true }
|
|
|
|
[dev-dependencies]
|
|
pretty_assertions = { workspace = true }
|
|
tempfile = { workspace = true }
|
|
|
|
[target.'cfg(target_family = "unix")'.dependencies]
|
|
rama-unix = { version = "=0.3.0-alpha.4" }
|
|
|
|
[target.'cfg(target_os = "macos")'.dependencies]
|
|
security-framework = "3"
|
|
|
|
[target.'cfg(windows)'.dependencies]
|
|
schannel = "0.1"
|