feat: retain NetworkProxy, when appropriate (#11207)

As of this PR, `SessionServices` retains a `Option<StartedNetworkProxy>`, if appropriate. Now the `network` field on `Config` is `Option<NetworkProxySpec>` instead of `Option<NetworkProxy>`. Over in `Session::new()`, we invoke `NetworkProxySpec::start_proxy()` to create the `StartedNetworkProxy`, which is a new struct that retains the `NetworkProxy` as well as the `NetworkProxyHandle`. (Note that `Drop` is implemented for `NetworkProxyHandle` to ensure the proxies are shutdown when it is dropped.) The `NetworkProxy` from the `StartedNetworkProxy` is threaded through to the appropriate places. --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/11207). * #11285 * __->__ #11207
2026-04-26 07:35:29 +00:00 · 2026-02-10 02:09:23 -08:00
parent 8e240a13be
commit 44ebf4588f
28 changed files with 583 additions and 30 deletions
--- a/codex-rs/cli/src/debug_sandbox.rs
+++ b/codex-rs/cli/src/debug_sandbox.rs
@@ -130,10 +130,7 @@ async fn run_command_under_sandbox(
    let sandbox_policy_cwd = cwd.clone();

    let stdio_policy = StdioPolicy::Inherit;
-    let mut env = create_env(&config.shell_environment_policy, None);
-    if let Some(network) = config.network.as_ref() {
-        network.apply_to_env(&mut env);
-    }
+    let env = create_env(&config.shell_environment_policy, None);

    // Special-case Windows sandbox: execute and exit the process to emulate inherited stdio.
    if let SandboxType::Windows = sandbox_type {
@@ -216,6 +213,19 @@ async fn run_command_under_sandbox(
    #[cfg(not(target_os = "macos"))]
    let _ = log_denials;

+    // This proxy should only live for the lifetime of the child process.
+    let network_proxy = match config.network.as_ref() {
+        Some(spec) => Some(
+            spec.start_proxy()
+                .await
+                .map_err(|err| anyhow::anyhow!("failed to start managed network proxy: {err}"))?,
+        ),
+        None => None,
+    };
+    let network = network_proxy
+        .as_ref()
+        .map(codex_core::config::StartedNetworkProxy::proxy);
+
    let mut child = match sandbox_type {
        #[cfg(target_os = "macos")]
        SandboxType::Seatbelt => {
@@ -225,7 +235,7 @@ async fn run_command_under_sandbox(
                config.sandbox_policy.get(),
                sandbox_policy_cwd.as_path(),
                stdio_policy,
-                None,
+                network.as_ref(),
                env,
            )
            .await?
@@ -245,7 +255,7 @@ async fn run_command_under_sandbox(
                sandbox_policy_cwd.as_path(),
                use_bwrap_sandbox,
                stdio_policy,
-                None,
+                network.as_ref(),
                env,
            )
            .await?