mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
e476fc16ce
## Why Managed network configures commands to use local HTTP and SOCKS proxies. For commands delegated to the exec server, the proxy environment and the sandbox policy were prepared separately. On macOS, that meant a command could receive `HTTPS_PROXY=http://127.0.0.1:43123` while Seatbelt still denied access to port `43123`. ## What changed `NetworkProxy` now prepares the command environment and sandbox context together from the same runtime snapshot: ```text Prepared managed network ├── command environment: HTTPS_PROXY=http://127.0.0.1:43123 └── sandbox context: allow outbound to 127.0.0.1:43123 ``` That context travels with remote exec requests. The exec server preserves the managed proxy and CA environment, and macOS Seatbelt allows only the prepared loopback proxy ports without enabling broad network access or local binding. The protocol field is optional and the existing enforcement flag remains in place, preserving compatibility with callers that do not send the new context.
78 lines
2.5 KiB
Rust
78 lines
2.5 KiB
Rust
#![deny(clippy::print_stdout, clippy::print_stderr)]
|
|
|
|
mod certs;
|
|
mod config;
|
|
mod connect_policy;
|
|
mod http_proxy;
|
|
mod mitm;
|
|
mod mitm_hook;
|
|
mod native_certs;
|
|
mod network_policy;
|
|
mod policy;
|
|
mod proxy;
|
|
mod reasons;
|
|
mod responses;
|
|
mod runtime;
|
|
mod socks5;
|
|
mod state;
|
|
mod upstream;
|
|
|
|
pub use certs::CUSTOM_CA_ENV_KEYS;
|
|
pub use certs::is_managed_mitm_ca_trust_bundle_path;
|
|
pub use config::NetworkDomainPermission;
|
|
pub use config::NetworkDomainPermissionEntry;
|
|
pub use config::NetworkDomainPermissions;
|
|
pub use config::NetworkMode;
|
|
pub use config::NetworkProxyConfig;
|
|
pub use config::NetworkUnixSocketPermission;
|
|
pub use config::NetworkUnixSocketPermissions;
|
|
pub use config::host_and_port_from_network_addr;
|
|
pub use mitm_hook::InjectedHeaderConfig;
|
|
pub use mitm_hook::MitmHookActionsConfig;
|
|
pub use mitm_hook::MitmHookBodyConfig;
|
|
pub use mitm_hook::MitmHookConfig;
|
|
pub use mitm_hook::MitmHookMatchConfig;
|
|
pub use network_policy::NetworkDecision;
|
|
pub use network_policy::NetworkDecisionSource;
|
|
pub use network_policy::NetworkPolicyDecider;
|
|
pub use network_policy::NetworkPolicyDeciderFuture;
|
|
pub use network_policy::NetworkPolicyDecision;
|
|
pub use network_policy::NetworkPolicyRequest;
|
|
pub use network_policy::NetworkPolicyRequestArgs;
|
|
pub use network_policy::NetworkProtocol;
|
|
pub use policy::normalize_host;
|
|
pub use proxy::ALL_PROXY_ENV_KEYS;
|
|
pub use proxy::ALLOW_LOCAL_BINDING_ENV_KEY;
|
|
pub use proxy::Args;
|
|
#[cfg(target_os = "macos")]
|
|
pub use proxy::CODEX_PROXY_GIT_SSH_COMMAND_MARKER;
|
|
pub use proxy::DEFAULT_NO_PROXY_VALUE;
|
|
pub use proxy::ManagedNetworkSandboxContext;
|
|
pub use proxy::NO_PROXY_ENV_KEYS;
|
|
pub use proxy::NetworkProxy;
|
|
pub use proxy::NetworkProxyBuilder;
|
|
pub use proxy::NetworkProxyHandle;
|
|
pub use proxy::PROXY_ACTIVE_ENV_KEY;
|
|
pub use proxy::PROXY_ENV_KEYS;
|
|
#[cfg(target_os = "macos")]
|
|
pub use proxy::PROXY_GIT_SSH_COMMAND_ENV_KEY;
|
|
pub use proxy::PROXY_URL_ENV_KEYS;
|
|
pub use proxy::PreparedManagedNetwork;
|
|
pub use proxy::has_proxy_url_env_vars;
|
|
pub use proxy::proxy_url_env_value;
|
|
pub use runtime::BlockedRequest;
|
|
pub use runtime::BlockedRequestArgs;
|
|
pub use runtime::BlockedRequestObserver;
|
|
pub use runtime::BlockedRequestObserverFuture;
|
|
pub use runtime::ConfigReloader;
|
|
pub use runtime::ConfigReloaderFuture;
|
|
pub use runtime::ConfigState;
|
|
pub use runtime::NetworkProxyState;
|
|
pub use state::NetworkProxyAuditMetadata;
|
|
pub use state::NetworkProxyConstraintError;
|
|
pub use state::NetworkProxyConstraints;
|
|
pub use state::PartialNetworkConfig;
|
|
pub use state::PartialNetworkProxyConfig;
|
|
pub use state::build_config_state;
|
|
pub use state::validate_policy_against_constraints;
|