mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
c274a83f8b
## Why
Codex can run a remote exec server through the Noise relay, but the
normal
environment-manager path could not establish an
environment-registry-backed
harness connection. Signed rendezvous URLs and harness authorizations
are
short-lived, so reconnects must fetch a fresh bundle instead of
retaining
stale connection credentials. A stalled registry request must also fail
within
the regular remote connection deadline, without exposing these
credentials in
debug logs.
Issue: N/A (internal environment-service integration).
## What Changed
- Add environment-manager configuration for a registry-backed Noise
rendezvous
environment.
- Request a fresh bundle from
`/cloud/environment/{environment_id}/connect` for every physical harness
connection, using the existing 10-second remote connection timeout.
- Share the Environment Registry register, connect, and validate wire
payloads
through `codex-exec-server` and `codex-core-api`.
- Redact the signed rendezvous URL and harness authorization from the
public
connect response's `Debug` output.
- Add focused coverage for registry bundle retrieval, stalled requests,
and
credential redaction.
23 lines
869 B
Rust
23 lines
869 B
Rust
use crate::EnvironmentRegistryConnectResponse;
|
|
use crate::NoiseChannelIdentity;
|
|
|
|
#[test]
|
|
fn connect_response_debug_redacts_authorizations() {
|
|
let response = EnvironmentRegistryConnectResponse {
|
|
environment_id: "environment-1".to_string(),
|
|
url: "wss://rendezvous.test?sig=secret-url-authorization".to_string(),
|
|
security_profile: "noise_hybrid_ik_v1".to_string(),
|
|
executor_registration_id: "registration-1".to_string(),
|
|
executor_public_key: NoiseChannelIdentity::generate()
|
|
.expect("identity")
|
|
.public_key(),
|
|
harness_key_authorization: "secret-harness-authorization".to_string(),
|
|
};
|
|
|
|
let debug = format!("{response:?}");
|
|
|
|
assert!(debug.contains("<redacted>"));
|
|
assert!(!debug.contains("secret-url-authorization"));
|
|
assert!(!debug.contains("secret-harness-authorization"));
|
|
}
|