mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
527ccb4a5d
## Why When Codex starts with a custom CA override such as `SSL_CERT_FILE=/path/to/corp-ca.pem codex`, `rustls-native-certs` treats that override as a replacement for the platform trust store. The managed proxy then rewrites child CA variables to its generated bundle, so the custom root or the ordinary platform roots can be lost. The proxy's upstream TLS connector must trust the same roots or private and corporate upstream certificates still fail after interception. ## What - load platform-native roots without consulting inherited CA override variables - append certificates from the existing curated startup CA file variables and `SSL_CERT_DIR` - share those platform and startup roots with the MITM upstream rustls connector - exclude the Codex managed MITM CA from upstream trust - normalize OpenSSL `TRUSTED CERTIFICATE` blocks while dropping trailing trust metadata - skip an inherited current Codex-managed bundle so nested launches do not duplicate it - append the Codex managed MITM CA to the child-facing bundle - copy certificate material only, so a private key or unrelated text colocated in a startup file is never exposed through the public bundle This is intentionally limited to CA paths present when Codex starts. It does not parse inline shell assignments or add per-command bundle materialization. This changes only `codex-network-proxy` and dependency metadata; it does not touch `codex-core` or sandbox orchestration. ## Validation - `just test -p codex-network-proxy` - includes an end-to-end upstream TLS test using a server trusted only by the startup custom CA - `just fix -p codex-network-proxy` - `just bazel-lock-check`
53 lines
1.6 KiB
TOML
53 lines
1.6 KiB
TOML
[package]
|
|
name = "codex-network-proxy"
|
|
edition.workspace = true
|
|
version.workspace = true
|
|
license.workspace = true
|
|
|
|
[lib]
|
|
name = "codex_network_proxy"
|
|
path = "src/lib.rs"
|
|
doctest = false
|
|
|
|
[lints]
|
|
workspace = true
|
|
|
|
[dependencies]
|
|
anyhow = { workspace = true }
|
|
base64 = { workspace = true }
|
|
clap = { workspace = true, features = ["derive"] }
|
|
chrono = { workspace = true }
|
|
codex-utils-absolute-path = { workspace = true }
|
|
codex-utils-home-dir = { workspace = true }
|
|
codex-utils-rustls-provider = { workspace = true }
|
|
globset = { workspace = true }
|
|
serde = { workspace = true, features = ["derive"] }
|
|
serde_json = { workspace = true }
|
|
thiserror = { workspace = true }
|
|
time = { workspace = true }
|
|
tokio = { workspace = true, features = ["full"] }
|
|
tracing = { workspace = true }
|
|
url = { workspace = true }
|
|
rama-core = { version = "=0.3.0-alpha.4" }
|
|
rama-http = { version = "=0.3.0-alpha.4" }
|
|
rama-http-backend = { version = "=0.3.0-alpha.4", features = ["tls"] }
|
|
rama-net = { version = "=0.3.0-alpha.4", features = ["http", "tls"] }
|
|
rama-socks5 = { version = "=0.3.0-alpha.4" }
|
|
rama-tcp = { version = "=0.3.0-alpha.4", features = ["http"] }
|
|
rama-tls-rustls = { version = "=0.3.0-alpha.4", features = ["http"] }
|
|
rustls-native-certs = { workspace = true }
|
|
sha2 = { workspace = true }
|
|
|
|
[dev-dependencies]
|
|
pretty_assertions = { workspace = true }
|
|
tempfile = { workspace = true }
|
|
|
|
[target.'cfg(target_family = "unix")'.dependencies]
|
|
rama-unix = { version = "=0.3.0-alpha.4" }
|
|
|
|
[target.'cfg(target_os = "macos")'.dependencies]
|
|
security-framework = "3"
|
|
|
|
[target.'cfg(windows)'.dependencies]
|
|
schannel = "0.1"
|