mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
bca18cba40
## Stack 1. Parent PR: #18240 uses named MITM permissions config. 2. This PR wires managed MITM CA trust into spawned child processes. ## Why When Codex terminates HTTPS for limited mode or MITM hooks, child HTTPS clients need to trust Codex's managed MITM CA. Exporting proxy URLs alone is not enough, but blindly replacing user CA settings would be wrong: it can break custom enterprise/test roots, leak unreadable CA files into generated bundles, or make the child env disagree with its sandbox policy. ## Summary 1. Build immutable managed CA bundles under `$CODEX_HOME/proxy` that include native roots, the managed MITM CA, and only inherited or command-scoped CA bundles the child is allowed to read. 2. Export curated CA env vars alongside managed proxy env vars while preserving user CA override semantics, including nested Codex `SSL_CERT_FILE` precedence. 3. Thread generated CA bundle paths into child sandbox readable roots, including debug sandbox execution, so the exported env vars work inside sandboxed commands. 4. Remove only Codex-generated MITM CA bundle env when a child intentionally drops managed proxying for escalation or no-proxy retry. 5. Document the managed CA bundle behavior and cover env injection, per-child bundle generation, sandbox readable roots, and no-proxy cleanup in tests. ## Validation 1. Ran `just test -p codex-network-proxy`. 2. Ran `just test -p codex-protocol`. 3. Ran `just fix -p codex-network-proxy -p codex-protocol`. 4. Tried focused `codex-core` validation, but the crate currently fails to compile in `core/tests/suite/guardian_review.rs` because an existing `Op::UserInput` initializer is missing `additional_context`. --------- Co-authored-by: Eva Wong <evawong@openai.com>
72 lines
2.3 KiB
Rust
72 lines
2.3 KiB
Rust
#![deny(clippy::print_stdout, clippy::print_stderr)]
|
|
|
|
mod certs;
|
|
mod config;
|
|
mod connect_policy;
|
|
mod http_proxy;
|
|
mod mitm;
|
|
mod mitm_hook;
|
|
mod network_policy;
|
|
mod policy;
|
|
mod proxy;
|
|
mod reasons;
|
|
mod responses;
|
|
mod runtime;
|
|
mod socks5;
|
|
mod state;
|
|
mod upstream;
|
|
|
|
pub use certs::CUSTOM_CA_ENV_KEYS;
|
|
pub use certs::is_managed_mitm_ca_trust_bundle_path;
|
|
pub use config::NetworkDomainPermission;
|
|
pub use config::NetworkDomainPermissionEntry;
|
|
pub use config::NetworkDomainPermissions;
|
|
pub use config::NetworkMode;
|
|
pub use config::NetworkProxyConfig;
|
|
pub use config::NetworkUnixSocketPermission;
|
|
pub use config::NetworkUnixSocketPermissions;
|
|
pub use config::host_and_port_from_network_addr;
|
|
pub use mitm_hook::InjectedHeaderConfig;
|
|
pub use mitm_hook::MitmHookActionsConfig;
|
|
pub use mitm_hook::MitmHookBodyConfig;
|
|
pub use mitm_hook::MitmHookConfig;
|
|
pub use mitm_hook::MitmHookMatchConfig;
|
|
pub use network_policy::NetworkDecision;
|
|
pub use network_policy::NetworkDecisionSource;
|
|
pub use network_policy::NetworkPolicyDecider;
|
|
pub use network_policy::NetworkPolicyDecision;
|
|
pub use network_policy::NetworkPolicyRequest;
|
|
pub use network_policy::NetworkPolicyRequestArgs;
|
|
pub use network_policy::NetworkProtocol;
|
|
pub use policy::normalize_host;
|
|
pub use proxy::ALL_PROXY_ENV_KEYS;
|
|
pub use proxy::ALLOW_LOCAL_BINDING_ENV_KEY;
|
|
pub use proxy::Args;
|
|
#[cfg(target_os = "macos")]
|
|
pub use proxy::CODEX_PROXY_GIT_SSH_COMMAND_MARKER;
|
|
pub use proxy::DEFAULT_NO_PROXY_VALUE;
|
|
pub use proxy::NO_PROXY_ENV_KEYS;
|
|
pub use proxy::NetworkProxy;
|
|
pub use proxy::NetworkProxyBuilder;
|
|
pub use proxy::NetworkProxyHandle;
|
|
pub use proxy::PROXY_ACTIVE_ENV_KEY;
|
|
pub use proxy::PROXY_ENV_KEYS;
|
|
#[cfg(target_os = "macos")]
|
|
pub use proxy::PROXY_GIT_SSH_COMMAND_ENV_KEY;
|
|
pub use proxy::PROXY_URL_ENV_KEYS;
|
|
pub use proxy::has_proxy_url_env_vars;
|
|
pub use proxy::proxy_url_env_value;
|
|
pub use runtime::BlockedRequest;
|
|
pub use runtime::BlockedRequestArgs;
|
|
pub use runtime::BlockedRequestObserver;
|
|
pub use runtime::ConfigReloader;
|
|
pub use runtime::ConfigState;
|
|
pub use runtime::NetworkProxyState;
|
|
pub use state::NetworkProxyAuditMetadata;
|
|
pub use state::NetworkProxyConstraintError;
|
|
pub use state::NetworkProxyConstraints;
|
|
pub use state::PartialNetworkConfig;
|
|
pub use state::PartialNetworkProxyConfig;
|
|
pub use state::build_config_state;
|
|
pub use state::validate_policy_against_constraints;
|