feat(network-proxy): structured policy signaling and attempt correlation to core (#11662)

## Summary When network requests were blocked, downstream code often had to infer ask vs deny from free-form response text. That was brittle and led to incorrect approval behavior. This PR fixes the proxy side so blocked decisions are structured and request metadata survives reliably. ## Description - Blocked proxy responses now carry consistent structured policy decision data. - Request attempt metadata is preserved across proxy env paths (including ALL_PROXY flows). - Header stripping was tightened so we still remove unsafe forwarding headers, but keep metadata needed for policy handling. - Block messages were clarified (for example, allowlist miss vs explicit deny). - Added unified violation log entries so policy failures can be inspected in one place. - Added/updated tests for these behaviors. --------- Co-authored-by: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
2026-04-29 00:55:38 +00:00 · 2026-02-13 01:01:11 -08:00
parent fca5629e34
commit 2bced810da
14 changed files with 581 additions and 83 deletions
--- a/codex-rs/network-proxy/src/responses.rs
+++ b/codex-rs/network-proxy/src/responses.rs
@@ -11,8 +11,6 @@ use rama_http::StatusCode;
 use serde::Serialize;
 use tracing::error;

-const NETWORK_POLICY_DECISION_PREFIX: &str = "CODEX_NETWORK_POLICY_DECISION";
-
 pub struct PolicyDecisionDetails<'a> {
    pub decision: NetworkPolicyDecision,
    pub reason: &'a str,
@@ -22,17 +20,6 @@ pub struct PolicyDecisionDetails<'a> {
    pub port: u16,
 }

-#[derive(Serialize)]
-#[serde(rename_all = "camelCase")]
-struct PolicyDecisionPayload<'a> {
-    decision: &'a str,
-    reason: &'a str,
-    source: &'a str,
-    protocol: &'a str,
-    host: &'a str,
-    port: u16,
-}
-
 pub fn text_response(status: StatusCode, body: &str) -> Response {
    Response::builder()
        .status(status)
@@ -70,7 +57,9 @@ pub fn blocked_header_value(reason: &str) -> &'static str {

 pub fn blocked_message(reason: &str) -> &'static str {
    match reason {
-        REASON_NOT_ALLOWED => "Codex blocked this request: domain not in allowlist.",
+        REASON_NOT_ALLOWED => {
+            "Codex blocked this request: domain not in allowlist (this is not a denylist block)."
+        }
        REASON_NOT_ALLOWED_LOCAL => {
            "Codex blocked this request: local/private addresses not allowed."
        }
@@ -82,31 +71,9 @@ pub fn blocked_message(reason: &str) -> &'static str {
    }
 }

-pub fn policy_decision_prefix(details: &PolicyDecisionDetails<'_>) -> String {
-    let payload = PolicyDecisionPayload {
-        decision: details.decision.as_str(),
-        reason: details.reason,
-        source: details.source.as_str(),
-        protocol: details.protocol.as_policy_protocol(),
-        host: details.host,
-        port: details.port,
-    };
-    let payload_json = match serde_json::to_string(&payload) {
-        Ok(json) => json,
-        Err(err) => {
-            error!("failed to serialize policy decision payload: {err}");
-            "{}".to_string()
-        }
-    };
-    format!("{NETWORK_POLICY_DECISION_PREFIX} {payload_json}")
-}
-
 pub fn blocked_message_with_policy(reason: &str, details: &PolicyDecisionDetails<'_>) -> String {
-    format!(
-        "{}\n{}",
-        policy_decision_prefix(details),
-        blocked_message(reason)
-    )
+    let _ = (details.reason, details.host);
+    blocked_message(reason).to_string()
 }

 pub fn blocked_text_response_with_policy(
@@ -128,7 +95,7 @@ mod tests {
    use pretty_assertions::assert_eq;

    #[test]
-    fn policy_decision_prefix_serializes_expected_payload() {
+    fn blocked_message_with_policy_returns_human_message() {
        let details = PolicyDecisionDetails {
            decision: NetworkPolicyDecision::Ask,
            reason: REASON_NOT_ALLOWED,
@@ -138,29 +105,10 @@ mod tests {
            port: 443,
        };

-        let line = policy_decision_prefix(&details);
-        assert_eq!(
-            line,
-            r#"CODEX_NETWORK_POLICY_DECISION {"decision":"ask","reason":"not_allowed","source":"decider","protocol":"https_connect","host":"api.example.com","port":443}"#
-        );
-    }
-
-    #[test]
-    fn blocked_message_with_policy_includes_prefix_and_human_message() {
-        let details = PolicyDecisionDetails {
-            decision: NetworkPolicyDecision::Deny,
-            reason: REASON_NOT_ALLOWED,
-            source: NetworkDecisionSource::BaselinePolicy,
-            protocol: NetworkProtocol::Http,
-            host: "api.example.com",
-            port: 80,
-        };
-
        let message = blocked_message_with_policy(REASON_NOT_ALLOWED, &details);
        assert_eq!(
            message,
-            r#"CODEX_NETWORK_POLICY_DECISION {"decision":"deny","reason":"not_allowed","source":"baseline_policy","protocol":"http","host":"api.example.com","port":80}
-Codex blocked this request: domain not in allowlist."#
+            "Codex blocked this request: domain not in allowlist (this is not a denylist block)."
        );
    }
 }