feat(network-proxy): add a SOCKS5 proxy with policy enforcement (#9803)

### Summary - Adds an optional SOCKS5 listener via `rama-socks5` - SOCKS5 is disabled by default and gated by config - Reuses existing policy enforcement and blocked-request recording - Blocks SOCKS5 in limited mode to prevent method-policy bypass - Applies bind clamping to the SOCKS5 listener ### Config New/used fields under `network_proxy`: - `enable_socks5` - `socks_url` - `enable_socks5_udp` ### Scope - Changes limited to `codex-rs/network-proxy` (+ `codex-rs/Cargo.lock`) ### Testing ```bash cd codex-rs just fmt cargo test -p codex-network-proxy --offline
2026-04-25 15:15:15 +00:00 · 2026-01-27 10:09:39 -08:00
parent 538e1059a3
commit 877b76bb9d
7 changed files with 452 additions and 19 deletions
--- a/codex-rs/network-proxy/src/proxy.rs
+++ b/codex-rs/network-proxy/src/proxy.rs
@@ -3,6 +3,7 @@ use crate::config;
 use crate::http_proxy;
 use crate::network_policy::NetworkPolicyDecider;
 use crate::runtime::unix_socket_permissions_supported;
+use crate::socks5;
 use crate::state::NetworkProxyState;
 use anyhow::Context;
 use anyhow::Result;
@@ -61,8 +62,9 @@ impl NetworkProxyBuilder {
        let current_cfg = state.current_cfg().await?;
        let runtime = config::resolve_runtime(&current_cfg)?;
        // Reapply bind clamping for caller overrides so unix-socket proxying stays loopback-only.
-        let (http_addr, admin_addr) = config::clamp_bind_addrs(
+        let (http_addr, socks_addr, admin_addr) = config::clamp_bind_addrs(
            self.http_addr.unwrap_or(runtime.http_addr),
+            runtime.socks_addr,
            self.admin_addr.unwrap_or(runtime.admin_addr),
            &current_cfg.network_proxy,
        );
@@ -70,6 +72,7 @@ impl NetworkProxyBuilder {
        Ok(NetworkProxy {
            state,
            http_addr,
+            socks_addr,
            admin_addr,
            policy_decider: self.policy_decider,
        })
@@ -80,6 +83,7 @@ impl NetworkProxyBuilder {
 pub struct NetworkProxy {
    state: Arc<NetworkProxyState>,
    http_addr: SocketAddr,
+    socks_addr: SocketAddr,
    admin_addr: SocketAddr,
    policy_decider: Option<Arc<dyn NetworkPolicyDecider>>,
 }
@@ -105,10 +109,21 @@ impl NetworkProxy {
            self.http_addr,
            self.policy_decider.clone(),
        ));
+        let socks_task = if current_cfg.network_proxy.enable_socks5 {
+            Some(tokio::spawn(socks5::run_socks5(
+                self.state.clone(),
+                self.socks_addr,
+                self.policy_decider.clone(),
+                current_cfg.network_proxy.enable_socks5_udp,
+            )))
+        } else {
+            None
+        };
        let admin_task = tokio::spawn(admin::run_admin_api(self.state.clone(), self.admin_addr));

        Ok(NetworkProxyHandle {
            http_task: Some(http_task),
+            socks_task,
            admin_task: Some(admin_task),
            completed: false,
        })
@@ -117,6 +132,7 @@ impl NetworkProxy {

 pub struct NetworkProxyHandle {
    http_task: Option<JoinHandle<Result<()>>>,
+    socks_task: Option<JoinHandle<Result<()>>>,
    admin_task: Option<JoinHandle<Result<()>>>,
    completed: bool,
 }
@@ -125,6 +141,7 @@ impl NetworkProxyHandle {
    fn noop() -> Self {
        Self {
            http_task: Some(tokio::spawn(async { Ok(()) })),
+            socks_task: None,
            admin_task: Some(tokio::spawn(async { Ok(()) })),
            completed: true,
        }
@@ -133,33 +150,49 @@ impl NetworkProxyHandle {
    pub async fn wait(mut self) -> Result<()> {
        let http_task = self.http_task.take().context("missing http proxy task")?;
        let admin_task = self.admin_task.take().context("missing admin proxy task")?;
+        let socks_task = self.socks_task.take();
        let http_result = http_task.await;
        let admin_result = admin_task.await;
+        let socks_result = match socks_task {
+            Some(task) => Some(task.await),
+            None => None,
+        };
        self.completed = true;
        http_result??;
        admin_result??;
+        if let Some(socks_result) = socks_result {
+            socks_result??;
+        }
        Ok(())
    }

    pub async fn shutdown(mut self) -> Result<()> {
-        abort_tasks(self.http_task.take(), self.admin_task.take()).await;
+        abort_tasks(
+            self.http_task.take(),
+            self.socks_task.take(),
+            self.admin_task.take(),
+        )
+        .await;
        self.completed = true;
        Ok(())
    }
 }

+async fn abort_task(task: Option<JoinHandle<Result<()>>>) {
+    if let Some(task) = task {
+        task.abort();
+        let _ = task.await;
+    }
+}
+
 async fn abort_tasks(
    http_task: Option<JoinHandle<Result<()>>>,
+    socks_task: Option<JoinHandle<Result<()>>>,
    admin_task: Option<JoinHandle<Result<()>>>,
 ) {
-    if let Some(http_task) = http_task {
-        http_task.abort();
-        let _ = http_task.await;
-    }
-    if let Some(admin_task) = admin_task {
-        admin_task.abort();
-        let _ = admin_task.await;
-    }
+    abort_task(http_task).await;
+    abort_task(socks_task).await;
+    abort_task(admin_task).await;
 }

 impl Drop for NetworkProxyHandle {
@@ -168,9 +201,10 @@ impl Drop for NetworkProxyHandle {
            return;
        }
        let http_task = self.http_task.take();
+        let socks_task = self.socks_task.take();
        let admin_task = self.admin_task.take();
        tokio::spawn(async move {
-            abort_tasks(http_task, admin_task).await;
+            abort_tasks(http_task, socks_task, admin_task).await;
        });
    }
 }