mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
428cd44154
## Why Rendezvous forwards traffic between the orchestrator and exec-server. The endpoints need to authenticate each other and encrypt that traffic without trusting Rendezvous with plaintext or endpoint keys. ## Changes - Adds a hybrid Noise IK channel through Clatter using X25519, ML-KEM-768, AES-256-GCM, and SHA-256. - Binds each handshake to `environment_id`, `executor_registration_id`, and `stream_id`. - Pins the registry-provided executor key and carries the harness authorization inside the encrypted handshake. - Orders relay frames before consuming Noise nonces and fragments large JSON-RPC messages into bounded records. - Bounds handshake payloads, frames, streams, and message reassembly. Runtime activation is in [openai/codex#26245](https://github.com/openai/codex/pull/26245). ## Stack 1. **[openai/codex#26242](https://github.com/openai/codex/pull/26242)**: Noise channel and relay transport 2. [openai/codex#26245](https://github.com/openai/codex/pull/26245): remote registration and runtime activation ## Verification - `just test -p codex-exec-server` - Oversized initiator payload regression coverage - `just fix -p codex-exec-server` - `just bazel-lock-check` - `cargo shear` --------- Co-authored-by: Codex <noreply@openai.com>
119 lines
4.0 KiB
Rust
119 lines
4.0 KiB
Rust
mod client;
|
|
mod client_api;
|
|
mod client_transport;
|
|
mod connection;
|
|
mod environment;
|
|
mod environment_provider;
|
|
mod environment_toml;
|
|
mod fs_helper;
|
|
mod fs_helper_main;
|
|
mod fs_sandbox;
|
|
mod local_file_system;
|
|
mod local_process;
|
|
mod noise_channel;
|
|
mod noise_relay;
|
|
mod process;
|
|
mod process_id;
|
|
mod protocol;
|
|
mod relay;
|
|
mod relay_proto;
|
|
mod remote;
|
|
mod remote_file_system;
|
|
mod remote_process;
|
|
mod rpc;
|
|
mod runtime_paths;
|
|
mod sandboxed_file_system;
|
|
mod server;
|
|
|
|
pub use client::ExecServerClient;
|
|
pub use client::ExecServerError;
|
|
pub use client::http_client::HttpResponseBodyStream;
|
|
pub use client::http_client::ReqwestHttpClient;
|
|
pub use client_api::ExecServerClientConnectOptions;
|
|
pub use client_api::HttpClient;
|
|
pub use client_api::NoiseRendezvousConnectArgs;
|
|
pub use client_api::NoiseRendezvousConnectBundle;
|
|
pub use client_api::NoiseRendezvousConnectProvider;
|
|
pub use client_api::RemoteExecServerConnectArgs;
|
|
pub use codex_file_system::CopyOptions;
|
|
pub use codex_file_system::CreateDirectoryOptions;
|
|
pub use codex_file_system::ExecutorFileSystem;
|
|
pub use codex_file_system::ExecutorFileSystemFuture;
|
|
pub use codex_file_system::FileMetadata;
|
|
pub use codex_file_system::FileSystemResult;
|
|
pub use codex_file_system::FileSystemSandboxContext;
|
|
pub use codex_file_system::ReadDirectoryEntry;
|
|
pub use codex_file_system::RemoveOptions;
|
|
pub use environment::CODEX_EXEC_SERVER_URL_ENV_VAR;
|
|
pub use environment::Environment;
|
|
pub use environment::EnvironmentManager;
|
|
pub use environment::LOCAL_ENVIRONMENT_ID;
|
|
pub use environment::REMOTE_ENVIRONMENT_ID;
|
|
pub use environment_provider::DefaultEnvironmentProvider;
|
|
pub use environment_provider::EnvironmentProvider;
|
|
pub use environment_provider::EnvironmentProviderFuture;
|
|
pub use fs_helper::CODEX_FS_HELPER_ARG1;
|
|
pub use fs_helper_main::main as run_fs_helper_main;
|
|
pub use local_file_system::LOCAL_FS;
|
|
pub use local_file_system::LocalFileSystem;
|
|
pub use noise_channel::NoiseChannelError;
|
|
pub use noise_channel::NoiseChannelIdentity;
|
|
pub use noise_channel::NoiseChannelPublicKey;
|
|
pub use process::ExecBackend;
|
|
pub use process::ExecBackendFuture;
|
|
pub use process::ExecProcess;
|
|
pub use process::ExecProcessEvent;
|
|
pub use process::ExecProcessEventReceiver;
|
|
pub use process::ExecProcessFuture;
|
|
pub use process::StartedExecProcess;
|
|
pub use process_id::ProcessId;
|
|
pub use protocol::EnvironmentInfo;
|
|
pub use protocol::ExecClosedNotification;
|
|
pub use protocol::ExecEnvPolicy;
|
|
pub use protocol::ExecExitedNotification;
|
|
pub use protocol::ExecOutputDeltaNotification;
|
|
pub use protocol::ExecOutputStream;
|
|
pub use protocol::ExecParams;
|
|
pub use protocol::ExecResponse;
|
|
pub use protocol::FsCanonicalizeParams;
|
|
pub use protocol::FsCanonicalizeResponse;
|
|
pub use protocol::FsCopyParams;
|
|
pub use protocol::FsCopyResponse;
|
|
pub use protocol::FsCreateDirectoryParams;
|
|
pub use protocol::FsCreateDirectoryResponse;
|
|
pub use protocol::FsGetMetadataParams;
|
|
pub use protocol::FsGetMetadataResponse;
|
|
pub use protocol::FsReadDirectoryEntry;
|
|
pub use protocol::FsReadDirectoryParams;
|
|
pub use protocol::FsReadDirectoryResponse;
|
|
pub use protocol::FsReadFileParams;
|
|
pub use protocol::FsReadFileResponse;
|
|
pub use protocol::FsRemoveParams;
|
|
pub use protocol::FsRemoveResponse;
|
|
pub use protocol::FsWriteFileParams;
|
|
pub use protocol::FsWriteFileResponse;
|
|
pub use protocol::HttpHeader;
|
|
pub use protocol::HttpRequestBodyDeltaNotification;
|
|
pub use protocol::HttpRequestParams;
|
|
pub use protocol::HttpRequestResponse;
|
|
pub use protocol::InitializeParams;
|
|
pub use protocol::InitializeResponse;
|
|
pub use protocol::ProcessOutputChunk;
|
|
pub use protocol::ProcessSignal;
|
|
pub use protocol::ReadParams;
|
|
pub use protocol::ReadResponse;
|
|
pub use protocol::ShellInfo;
|
|
pub use protocol::SignalParams;
|
|
pub use protocol::SignalResponse;
|
|
pub use protocol::TerminateParams;
|
|
pub use protocol::TerminateResponse;
|
|
pub use protocol::WriteParams;
|
|
pub use protocol::WriteResponse;
|
|
pub use protocol::WriteStatus;
|
|
pub use remote::RemoteEnvironmentConfig;
|
|
pub use remote::run_remote_environment;
|
|
pub use runtime_paths::ExecServerRuntimePaths;
|
|
pub use server::DEFAULT_LISTEN_URL;
|
|
pub use server::ExecServerListenUrlParseError;
|
|
pub use server::run_main;
|