mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
428cd44154
## Why Rendezvous forwards traffic between the orchestrator and exec-server. The endpoints need to authenticate each other and encrypt that traffic without trusting Rendezvous with plaintext or endpoint keys. ## Changes - Adds a hybrid Noise IK channel through Clatter using X25519, ML-KEM-768, AES-256-GCM, and SHA-256. - Binds each handshake to `environment_id`, `executor_registration_id`, and `stream_id`. - Pins the registry-provided executor key and carries the harness authorization inside the encrypted handshake. - Orders relay frames before consuming Noise nonces and fragments large JSON-RPC messages into bounded records. - Bounds handshake payloads, frames, streams, and message reassembly. Runtime activation is in [openai/codex#26245](https://github.com/openai/codex/pull/26245). ## Stack 1. **[openai/codex#26242](https://github.com/openai/codex/pull/26242)**: Noise channel and relay transport 2. [openai/codex#26245](https://github.com/openai/codex/pull/26245): remote registration and runtime activation ## Verification - `just test -p codex-exec-server` - Oversized initiator payload regression coverage - `just fix -p codex-exec-server` - `just bazel-lock-check` - `cargo shear` --------- Co-authored-by: Codex <noreply@openai.com>
63 lines
1.7 KiB
TOML
63 lines
1.7 KiB
TOML
[package]
|
|
name = "codex-exec-server"
|
|
version.workspace = true
|
|
edition.workspace = true
|
|
license.workspace = true
|
|
|
|
[lib]
|
|
doctest = false
|
|
|
|
[lints]
|
|
workspace = true
|
|
|
|
[dependencies]
|
|
arc-swap = { workspace = true }
|
|
axum = { workspace = true, features = ["http1", "tokio", "ws"] }
|
|
base64 = { workspace = true }
|
|
bytes = { workspace = true }
|
|
clatter = { workspace = true }
|
|
codex-app-server-protocol = { workspace = true }
|
|
codex-api = { workspace = true }
|
|
codex-client = { workspace = true }
|
|
codex-file-system = { workspace = true }
|
|
codex-protocol = { workspace = true }
|
|
codex-sandboxing = { workspace = true }
|
|
codex-shell-command = { workspace = true }
|
|
codex-utils-absolute-path = { workspace = true }
|
|
codex-utils-path-uri = { workspace = true }
|
|
codex-utils-pty = { workspace = true }
|
|
codex-utils-rustls-provider = { workspace = true }
|
|
futures = { workspace = true }
|
|
reqwest = { workspace = true, features = ["json", "rustls-tls", "stream"] }
|
|
prost = "0.14.3"
|
|
serde = { workspace = true, features = ["derive"] }
|
|
serde_json = { workspace = true }
|
|
thiserror = { workspace = true }
|
|
toml = { workspace = true }
|
|
tokio = { workspace = true, features = [
|
|
"fs",
|
|
"io-std",
|
|
"io-util",
|
|
"macros",
|
|
"net",
|
|
"process",
|
|
"rt-multi-thread",
|
|
"sync",
|
|
"time",
|
|
] }
|
|
tokio-util = { workspace = true, features = ["rt"] }
|
|
tokio-tungstenite = { workspace = true }
|
|
tracing = { workspace = true }
|
|
uuid = { workspace = true, features = ["v4"] }
|
|
|
|
[dev-dependencies]
|
|
anyhow = { workspace = true }
|
|
codex-test-binary-support = { workspace = true }
|
|
ctor = { workspace = true }
|
|
http = { workspace = true }
|
|
pretty_assertions = { workspace = true }
|
|
serial_test = { workspace = true }
|
|
tempfile = { workspace = true }
|
|
test-case = "3.3.1"
|
|
wiremock = { workspace = true }
|