feat: enable premessage-deflate for websockets (#10966)

note: unfortunately, tokio-tungstenite / tungstenite upgrade triggers some problems with linker of rama-tls-boring with openssl: ``` error: linking with `/Users/apanasenko/Library/Caches/cargo-zigbuild/0.20.1/zigcc-x86_64-unknown-linux-musl-ff6a.sh` failed: exit status: 1 | = note: "/Users/apanasenko/Library/Caches/cargo-zigbuild/0.20.1/zigcc-x86_64-unknown-linux-musl-ff6a.sh" "-m64" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/rcrt1.o" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/crti.o" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/crtbeginS.o" "<1 object files omitted>" "-Wl,--as-needed" "-Wl,-Bstatic" "/var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/{liblzma_sys-662a82316f96ec30,libbzip2_sys-bf78a2d58d5cbce6,liblibsqlite3_sys-6c004987fd67a36a,libtree_sitter_bash-220b99a97d331ab7,libtree_sitter-858f0a1dbfea58bd,libzstd_sys-6eb237deec748c5b,libring-2a87376483bf916f,libopenssl_sys-7c189e68b37fe2bb,liblibz_sys-4344eef4345520b1,librama_boring_sys-0414e98115015ee0}.rlib" "-lc++" "-lc++abi" "-lunwind" "-lc" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/libcompiler_builtins-*.rlib" "-L" "/var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/raw-dylibs" "-Wl,-Bdynamic" "-Wl,--eh-frame-hdr" "-Wl,-z,noexecstack" "-nostartfiles" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/libz-sys-ff5ea50d88c28ffb/out/lib" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/ring-bdec3dddc19f5a5e/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/openssl-sys-96e0870de3ca22bc/out/openssl-build/install/lib" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/zstd-sys-0cc37a5da1481740/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/tree-sitter-72d2418073317c0f/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/tree-sitter-bash-bfd293a9f333ce6a/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/libsqlite3-sys-b78b2cfb81a330fc/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/bzip2-sys-69a145cc859ef275/out/lib" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/lzma-sys-07e92d0b6baa6fd4/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build/crypto/" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build/ssl/" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build/" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build" "-L" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained" "-L" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib" "-o" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/deps/codex_network_proxy-d08268b863517761" "-Wl,--gc-sections" "-static-pie" "-Wl,-z,relro,-z,now" "-Wl,-O1" "-Wl,--strip-all" "-nodefaultlibs" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/crtendS.o" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/crtn.o" = note: some arguments are omitted. use `--verbose` to show all linker arguments = note: warning: ignoring deprecated linker optimization setting '1' warning: unable to open library directory '/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build/crypto/': FileNotFound ld.lld: error: duplicate symbol: SSL_export_keying_material >>> defined at ssl_lib.c:3816 (ssl/ssl_lib.c:3816) >>> libssl-lib-ssl_lib.o:(SSL_export_keying_material) in archive /var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/libopenssl_sys-7c189e68b37fe2bb.rlib >>> defined at t1_enc.cc:205 (/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/boringssl/ssl/t1_enc.cc:205) >>> t1_enc.cc.o:(.text.SSL_export_keying_material+0x0) in archive /var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/librama_boring_sys-0414e98115015ee0.rlib ld.lld: error: duplicate symbol: d2i_ASN1_TIME >>> defined at a_time.c:27 (crypto/asn1/a_time.c:27) >>> libcrypto-lib-a_time.o:(d2i_ASN1_TIME) in archive /var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/libopenssl_sys-7c189e68b37fe2bb.rlib >>> defined at a_time.cc:34 (/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/boringssl/crypto/asn1/a_time.cc:34) >>> a_time.cc.o:(.text.d2i_ASN1_TIME+0x0) in archive /var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/librama_boring_sys-0414e98115015ee0.rlib ``` that force me to migrate away from rama-tls-boring to rama-tls-rustls and pin `ring` for rustls.
2026-04-24 14:45:27 +00:00 · 2026-02-07 17:59:34 -08:00
parent 8fe5066bcc
commit a94505a92a
15 changed files with 636 additions and 176 deletions
--- a/.github/scripts/install-musl-build-tools.sh
+++ b/.github/scripts/install-musl-build-tools.sh
@@ -77,6 +77,12 @@ for arg in "\$@"; do
      fi
      continue
      ;;
+    -Wp,-U_FORTIFY_SOURCE)
+      # aws-lc-sys emits this GCC preprocessor forwarding form in debug
+      # builds, but zig cc expects the define flag directly.
+      args+=("-U_FORTIFY_SOURCE")
+      continue
+      ;;
  esac
  args+=("\${arg}")
 done
@@ -96,15 +102,23 @@ for arg in "\$@"; do
  fi
  case "\${arg}" in
    --target)
+      # Drop explicit --target and its value: we always pass zig's -target below.
      skip_next=1
      continue
      ;;
    --target=*|-target=*|-target)
+      # Zig expects -target and rejects Rust triples like *-unknown-linux-musl.
      if [[ "\${arg}" == "-target" ]]; then
        skip_next=1
      fi
      continue
      ;;
+    -Wp,-U_FORTIFY_SOURCE)
+      # aws-lc-sys emits this GCC forwarding form in debug builds; zig c++
+      # expects the define flag directly.
+      args+=("-U_FORTIFY_SOURCE")
+      continue
+      ;;
  esac
  args+=("\${arg}")
 done
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -3,6 +3,10 @@ bazel_dep(name = "toolchains_llvm_bootstrapped", version = "0.3.1")
 archive_override(
    module_name = "toolchains_llvm_bootstrapped",
    integrity = "sha256-4/2h4tYSUSptxFVI9G50yJxWGOwHSeTeOGBlaLQBV8g=",
+    patch_strip = 1,
+    patches = [
+        "//patches:toolchains_llvm_bootstrapped_resource_dir.patch",
+    ],
    strip_prefix = "toolchains_llvm_bootstrapped-d20baf67e04d8e2887e3779022890d1dc5e6b948",
    urls = ["https://github.com/cerisier/toolchains_llvm_bootstrapped/archive/d20baf67e04d8e2887e3779022890d1dc5e6b948.tar.gz"],
 )
@@ -74,6 +78,16 @@ crate.annotation(
    strip_prefix = "matcher",
    version = "0.3.1",
 )
+crate.annotation(
+    build_script_env = {
+        "AWS_LC_SYS_NO_JITTER_ENTROPY": "1",
+    },
+    patch_args = ["-p1"],
+    patches = [
+        "//patches:aws-lc-sys_memcmp_check.patch",
+    ],
+    crate = "aws-lc-sys",
+)

 bazel_dep(name = "openssl", version = "3.5.4.bcr.0")

--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -458,6 +458,45 @@ dependencies = [
 "term",
 ]

+[[package]]
+name = "asn1-rs"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56624a96882bb8c26d61312ae18cb45868e5a9992ea73c58e45c3101e56a1e60"
+dependencies = [
+ "asn1-rs-derive",
+ "asn1-rs-impl",
+ "displaydoc",
+ "nom 7.1.3",
+ "num-traits",
+ "rusticata-macros",
+ "thiserror 2.0.18",
+ "time",
+]
+
+[[package]]
+name = "asn1-rs-derive"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3109e49b1e4909e9db6515a30c633684d68cdeaa252f215214cb4fa1a5bfee2c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.114",
+ "synstructure",
+]
+
+[[package]]
+name = "asn1-rs-impl"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.114",
+]
+
 [[package]]
 name = "assert-json-diff"
 version = "2.0.2"
@@ -684,6 +723,29 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"

+[[package]]
+name = "aws-lc-rs"
+version = "1.15.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b7b6141e96a8c160799cc2d5adecd5cbbe5054cb8c7c4af53da0f83bb7ad256"
+dependencies = [
+ "aws-lc-sys",
+ "untrusted 0.7.1",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-lc-sys"
+version = "0.37.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c34dda4df7017c8db52132f0f8a2e0f8161649d15723ed63fc00c82d0f2081a"
+dependencies = [
+ "cc",
+ "cmake",
+ "dunce",
+ "fs_extra",
+]
+
 [[package]]
 name = "axum"
 version = "0.8.8"
@@ -786,24 +848,6 @@ version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3a8241f3ebb85c056b509d4327ad0358fbbba6ffb340bf388f26350aeda225b1"

-[[package]]
-name = "bindgen"
-version = "0.72.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "993776b509cfb49c750f11b8f07a46fa23e0a1386ffc01fb1e7d343efc387895"
-dependencies = [
- "bitflags 2.10.0",
- "cexpr",
- "clang-sys",
- "itertools 0.13.0",
- "proc-macro2",
- "quote",
- "regex",
- "rustc-hash 2.1.1",
- "shlex",
- "syn 2.0.114",
-]
-
 [[package]]
 name = "bit-set"
 version = "0.5.3"
@@ -994,15 +1038,6 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c"

-[[package]]
-name = "cexpr"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
-dependencies = [
- "nom 7.1.3",
-]
-
 [[package]]
 name = "cfg-if"
 version = "1.0.4"
@@ -1087,17 +1122,6 @@ dependencies = [
 "zeroize",
 ]

-[[package]]
-name = "clang-sys"
-version = "1.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4"
-dependencies = [
- "glob",
- "libc",
- "libloading",
-]
-
 [[package]]
 name = "clap"
 version = "4.5.56"
@@ -1197,6 +1221,7 @@ dependencies = [
 "pretty_assertions",
 "regex-lite",
 "reqwest",
+ "rustls",
 "serde",
 "serde_json",
 "thiserror 2.0.18",
@@ -1205,6 +1230,7 @@ dependencies = [
 "tokio-tungstenite",
 "tokio-util",
 "tracing",
+ "tungstenite",
 "url",
 "wiremock",
 ]
@@ -1886,7 +1912,7 @@ dependencies = [
 "rama-net",
 "rama-socks5",
 "rama-tcp",
- "rama-tls-boring",
+ "rama-tls-rustls",
 "rama-unix",
 "serde",
 "serde_json",
@@ -2834,6 +2860,20 @@ dependencies = [
 "zeroize",
 ]

+[[package]]
+name = "der-parser"
+version = "10.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07da5016415d5a3c4dd39b11ed26f915f52fc4e0dc197d87908bc916e51bc1a6"
+dependencies = [
+ "asn1-rs",
+ "displaydoc",
+ "nom 7.1.3",
+ "num-bigint",
+ "num-traits",
+ "rusticata-macros",
+]
+
 [[package]]
 name = "deranged"
 version = "0.5.5"
@@ -3414,6 +3454,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b375d6465b98090a5f25b1c7703f3859783755aa9a80433b36e0379a3ec2f369"
 dependencies = [
 "crc32fast",
+ "libz-sys",
 "miniz_oxide",
 ]

@@ -3517,28 +3558,7 @@ version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
 dependencies = [
- "foreign-types-shared 0.1.1",
-]
-
-[[package]]
-name = "foreign-types"
-version = "0.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d737d9aa519fb7b749cbc3b962edcf310a8dd1f4b67c91c4f83975dbdd17d965"
-dependencies = [
- "foreign-types-macros",
- "foreign-types-shared 0.3.1",
-]
-
-[[package]]
-name = "foreign-types-macros"
-version = "0.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a5c6c585bc94aaf2c7b51dd4c2ba22680844aba4c687be581871a6f518c5742"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.114",
+ "foreign-types-shared",
 ]

 [[package]]
@@ -3547,12 +3567,6 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"

-[[package]]
-name = "foreign-types-shared"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aa9a19cbb55df58761df49b23516a86d432839add4af60fc256da840f66ed35b"
-
 [[package]]
 name = "form_urlencoded"
 version = "1.2.2"
@@ -3577,16 +3591,6 @@ dependencies = [
 "libc",
 ]

-[[package]]
-name = "fslock"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "04412b8935272e3a9bae6f48c7bfff74c2911f60525404edfdd28e49884c3bfb"
-dependencies = [
- "libc",
- "winapi",
-]
-
 [[package]]
 name = "futures"
 version = "0.3.31"
@@ -3786,12 +3790,6 @@ version = "0.32.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e629b9b98ef3dd8afe6ca2bd0f89306cec16d43d907889945bc5d6687f2f13c7"

-[[package]]
-name = "glob"
-version = "0.3.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"
-
 [[package]]
 name = "globset"
 version = "0.4.18"
@@ -3882,6 +3880,30 @@ dependencies = [
 "hashbrown 0.15.5",
 ]

+[[package]]
+name = "headers"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b3314d5adb5d94bcdf56771f2e50dbbc80bb4bdf88967526706205ac9eff24eb"
+dependencies = [
+ "base64 0.22.1",
+ "bytes",
+ "headers-core",
+ "http 1.4.0",
+ "httpdate",
+ "mime",
+ "sha1",
+]
+
+[[package]]
+name = "headers-core"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "54b4a22553d4242c49fddb9ba998a99962b5cc6f22cb5a3482bec22522403ce4"
+dependencies = [
+ "http 1.4.0",
+]
+
 [[package]]
 name = "heck"
 version = "0.5.0"
@@ -4829,16 +4851,6 @@ dependencies = [
 "pkg-config",
 ]

-[[package]]
-name = "libloading"
-version = "0.8.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7c4b02199fee7c5d21a5ae7d8cfa79a6ef5bb2fc834d6e9058e89c825efdc55"
-dependencies = [
- "cfg-if",
- "windows-link",
-]
-
 [[package]]
 name = "libm"
 version = "0.2.16"
@@ -4867,6 +4879,17 @@ dependencies = [
 "vcpkg",
 ]

+[[package]]
+name = "libz-sys"
+version = "1.1.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "15d118bbf3771060e7311cc7bb0545b01d08a8b4a7de949198dec1fa0ca1c0f7"
+dependencies = [
+ "cc",
+ "pkg-config",
+ "vcpkg",
+]
+
 [[package]]
 name = "linux-keyutils"
 version = "0.2.4"
@@ -5649,6 +5672,15 @@ dependencies = [
 "memchr",
 ]

+[[package]]
+name = "oid-registry"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "12f40cff3dde1b6087cc5d5f5d4d65712f34016a03ed60e9c08dcc392736b5b7"
+dependencies = [
+ "asn1-rs",
+]
+
 [[package]]
 name = "once_cell"
 version = "1.21.3"
@@ -5679,7 +5711,7 @@ checksum = "08838db121398ad17ab8531ce9de97b244589089e290a384c900cb9ff7434328"
 dependencies = [
 "bitflags 2.10.0",
 "cfg-if",
- "foreign-types 0.3.2",
+ "foreign-types",
 "libc",
 "once_cell",
 "openssl-macros",
@@ -5957,6 +5989,16 @@ dependencies = [
 "hmac",
 ]

+[[package]]
+name = "pem"
+version = "3.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be"
+dependencies = [
+ "base64 0.22.1",
+ "serde_core",
+]
+
 [[package]]
 name = "pem-rfc7468"
 version = "0.7.0"
@@ -6458,42 +6500,6 @@ dependencies = [
 "nibble_vec",
 ]

-[[package]]
-name = "rama-boring"
-version = "0.5.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "84f7f862c81618f9aef40bd32e73986321109a24272c79e040377c5ac29491e8"
-dependencies = [
- "bitflags 2.10.0",
- "foreign-types 0.5.0",
- "libc",
- "openssl-macros",
- "rama-boring-sys",
-]
-
-[[package]]
-name = "rama-boring-sys"
-version = "0.5.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d5bfe3e86d71e9b91dae7561d5ceeaceb37a7d4fc078ab241afd7aab777f606f"
-dependencies = [
- "bindgen",
- "cmake",
- "fs_extra",
- "fslock",
-]
-
-[[package]]
-name = "rama-boring-tokio"
-version = "0.5.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c7d71fab2ce4408cc40f819865501dbc63272ddab0e77dd3500ff77f1a0f883"
-dependencies = [
- "rama-boring",
- "rama-boring-sys",
- "tokio",
-]
-
 [[package]]
 name = "rama-core"
 version = "0.3.0-alpha.4"
@@ -6742,25 +6748,24 @@ dependencies = [
 ]

 [[package]]
-name = "rama-tls-boring"
+name = "rama-tls-rustls"
 version = "0.3.0-alpha.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "def3d5d06d3ca3a2d2e4376cf93de0555cd9c7960f085bf77be9562f5c9ace8f"
+checksum = "536d47f6b269fb20dffd45e4c04aa8b340698b3509326e3c36e444b4f33ce0d6"
 dependencies = [
- "ahash",
- "flume 0.12.0",
- "itertools 0.14.0",
- "moka",
- "parking_lot",
 "pin-project-lite",
- "rama-boring",
- "rama-boring-tokio",
 "rama-core",
 "rama-http-types",
 "rama-net",
 "rama-utils",
- "schannel",
+ "rcgen",
+ "rustls",
+ "rustls-native-certs",
+ "rustls-pki-types",
 "tokio",
+ "tokio-rustls",
+ "webpki-roots 1.0.5",
+ "x509-parser",
 ]

 [[package]]
@@ -6922,6 +6927,20 @@ dependencies = [
 "crossbeam-utils",
 ]

+[[package]]
+name = "rcgen"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "10b99e0098aa4082912d4c649628623db6aba77335e4f4569ff5083a6448b32e"
+dependencies = [
+ "aws-lc-rs",
+ "pem",
+ "rustls-pki-types",
+ "time",
+ "x509-parser",
+ "yasna",
+]
+
 [[package]]
 name = "redox_syscall"
 version = "0.5.18"
@@ -7088,7 +7107,7 @@ dependencies = [
 "cfg-if",
 "getrandom 0.2.17",
 "libc",
- "untrusted",
+ "untrusted 0.9.0",
 "windows-sys 0.52.0",
 ]

@@ -7226,6 +7245,15 @@ dependencies = [
 "semver",
 ]

+[[package]]
+name = "rusticata-macros"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+dependencies = [
+ "nom 7.1.3",
+]
+
 [[package]]
 name = "rustix"
 version = "0.38.44"
@@ -7258,6 +7286,7 @@ version = "0.23.36"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b"
 dependencies = [
+ "aws-lc-rs",
 "log",
 "once_cell",
 "ring",
@@ -7295,9 +7324,10 @@ version = "0.103.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
 dependencies = [
+ "aws-lc-rs",
 "ring",
 "rustls-pki-types",
- "untrusted",
+ "untrusted 0.9.0",
 ]

 [[package]]
@@ -8959,7 +8989,7 @@ dependencies = [
 [[package]]
 name = "tokio-tungstenite"
 version = "0.28.0"
-source = "git+https://github.com/JakkuSakura/tokio-tungstenite?rev=2ae536b0de793f3ddf31fc2f22d445bf1ef2023d#2ae536b0de793f3ddf31fc2f22d445bf1ef2023d"
+source = "git+https://github.com/openai-oss-forks/tokio-tungstenite?rev=132f5b39c862e3a970f731d709608b3e6276d5f6#132f5b39c862e3a970f731d709608b3e6276d5f6"
 dependencies = [
 "futures-util",
 "log",
@@ -9353,11 +9383,13 @@ dependencies = [

 [[package]]
 name = "tungstenite"
-version = "0.28.0"
-source = "git+https://github.com/JakkuSakura/tungstenite-rs?rev=f514de8644821113e5d18a027d6d28a5c8cc0a6e#f514de8644821113e5d18a027d6d28a5c8cc0a6e"
+version = "0.27.0"
+source = "git+https://github.com/openai-oss-forks/tungstenite-rs?rev=9200079d3b54a1ff51072e24d81fd354f085156f#9200079d3b54a1ff51072e24d81fd354f085156f"
 dependencies = [
 "bytes",
 "data-encoding",
+ "flate2",
+ "headers",
 "http 1.4.0",
 "httparse",
 "log",
@@ -9519,6 +9551,12 @@ version = "0.2.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"

+[[package]]
+name = "untrusted"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+
 [[package]]
 name = "untrusted"
 version = "0.9.0"
@@ -10589,6 +10627,25 @@ dependencies = [
 "zeroize",
 ]

+[[package]]
+name = "x509-parser"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d43b0f71ce057da06bc0851b23ee24f3f86190b07203dd8f567d0b706a185202"
+dependencies = [
+ "asn1-rs",
+ "aws-lc-rs",
+ "data-encoding",
+ "der-parser",
+ "lazy_static",
+ "nom 7.1.3",
+ "oid-registry",
+ "ring",
+ "rusticata-macros",
+ "thiserror 2.0.18",
+ "time",
+]
+
 [[package]]
 name = "xdg-home"
 version = "1.3.0"
@@ -10614,6 +10671,15 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049"

+[[package]]
+name = "yasna"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd"
+dependencies = [
+ "time",
+]
+
 [[package]]
 name = "yoke"
 version = "0.8.1"
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -195,6 +195,7 @@ regex = "1.12.2"
 regex-lite = "0.1.8"
 reqwest = "0.12"
 rmcp = { version = "0.12.0", default-features = false }
+rustls = { version = "0.23", default-features = false, features = ["ring", "std"] }
 runfiles = { git = "https://github.com/dzbarsky/rules_rust", rev = "b56cbaa8465e74127f1ea216f813cd377295ad81" }
 schemars = "0.8.22"
 seccompiler = "0.5.0"
@@ -227,6 +228,7 @@ tokio = "1"
 tokio-stream = "0.1.18"
 tokio-test = "0.4"
 tokio-tungstenite = { version = "0.28.0", features = ["proxy", "rustls-tls-native-roots"] }
+tungstenite = { version = "0.27.0", features = ["deflate", "proxy"] }
 tokio-util = "0.7.18"
 toml = "0.9.5"
 toml_edit = "0.24.0"
@@ -317,10 +319,11 @@ opt-level = 0
 # ratatui = { path = "../../ratatui" }
 crossterm = { git = "https://github.com/nornagon/crossterm", branch = "nornagon/color-query" }
 ratatui = { git = "https://github.com/nornagon/ratatui", branch = "nornagon-v0.29.0-patch" }
-tokio-tungstenite = { git = "https://github.com/JakkuSakura/tokio-tungstenite", rev = "2ae536b0de793f3ddf31fc2f22d445bf1ef2023d" }
+tokio-tungstenite = { git = "https://github.com/openai-oss-forks/tokio-tungstenite", rev = "132f5b39c862e3a970f731d709608b3e6276d5f6" }
+tungstenite = { git = "https://github.com/openai-oss-forks/tungstenite-rs", rev = "9200079d3b54a1ff51072e24d81fd354f085156f" }

 # Uncomment to debug local changes.
 # rmcp = { path = "../../rust-sdk/crates/rmcp" }

-[patch."ssh://git@github.com/JakkuSakura/tungstenite-rs.git"]
-tungstenite = { git = "https://github.com/JakkuSakura/tungstenite-rs", rev = "f514de8644821113e5d18a027d6d28a5c8cc0a6e" }
+[patch."ssh://git@github.com/openai-oss-forks/tungstenite-rs.git"]
+tungstenite = { git = "https://github.com/openai-oss-forks/tungstenite-rs", rev = "9200079d3b54a1ff51072e24d81fd354f085156f" }
--- a/codex-rs/codex-api/Cargo.toml
+++ b/codex-rs/codex-api/Cargo.toml
@@ -16,9 +16,11 @@ serde_json = { workspace = true }
 thiserror = { workspace = true }
 tokio = { workspace = true, features = ["macros", "net", "rt", "sync", "time"] }
 tokio-tungstenite = { workspace = true }
+tungstenite = { workspace = true }
 tracing = { workspace = true }
 eventsource-stream = { workspace = true }
 regex-lite = { workspace = true }
+rustls = { workspace = true }
 tokio-util = { workspace = true, features = ["codec"] }
 url = { workspace = true }

--- a/codex-rs/codex-api/src/endpoint/responses_websocket.rs
+++ b/codex-rs/codex-api/src/endpoint/responses_websocket.rs
@@ -30,12 +30,16 @@ use tracing::debug;
 use tracing::error;
 use tracing::info;
 use tracing::trace;
+use tungstenite::extensions::ExtensionsConfig;
+use tungstenite::extensions::compression::deflate::DeflateConfig;
+use tungstenite::protocol::WebSocketConfig;
 use url::Url;

 type WsStream = WebSocketStream<MaybeTlsStream<TcpStream>>;
 const X_CODEX_TURN_STATE_HEADER: &str = "x-codex-turn-state";
 const X_MODELS_ETAG_HEADER: &str = "x-models-etag";
 const X_REASONING_INCLUDED_HEADER: &str = "x-reasoning-included";
+static RUSTLS_PROVIDER_INSTALLED: OnceLock<()> = OnceLock::new();

 pub struct ResponsesWebsocketConnection {
    stream: Arc<Mutex<Option<WsStream>>>,
@@ -162,6 +166,7 @@ async fn connect_websocket(
    headers: HeaderMap,
    turn_state: Option<Arc<OnceLock<String>>>,
 ) -> Result<(WsStream, bool, Option<String>), ApiError> {
+    ensure_rustls_crypto_provider();
    info!("connecting to websocket: {url}");

    let mut request = url
@@ -170,7 +175,12 @@ async fn connect_websocket(
        .map_err(|err| ApiError::Stream(format!("failed to build websocket request: {err}")))?;
    request.headers_mut().extend(headers);

-    let response = tokio_tungstenite::connect_async(request).await;
+    let response = tokio_tungstenite::connect_async_with_config(
+        request,
+        Some(websocket_config()),
+        false, // `false` means "do not disable Nagle", which is tungstenite's recommended default.
+    )
+    .await;

    let (stream, response) = match response {
        Ok((stream, response)) => {
@@ -203,6 +213,21 @@ async fn connect_websocket(
    Ok((stream, reasoning_included, models_etag))
 }

+fn ensure_rustls_crypto_provider() {
+    let _ = RUSTLS_PROVIDER_INSTALLED.get_or_init(|| {
+        let _ = rustls::crypto::ring::default_provider().install_default();
+    });
+}
+
+fn websocket_config() -> WebSocketConfig {
+    let mut extensions = ExtensionsConfig::default();
+    extensions.permessage_deflate = Some(DeflateConfig::default());
+
+    let mut config = WebSocketConfig::default();
+    config.extensions = extensions;
+    config
+}
+
 fn map_ws_error(err: WsError, url: &Url) -> ApiError {
    match err {
        WsError::Http(response) => {
@@ -328,3 +353,14 @@ async fn run_websocket_response_stream(

    Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn websocket_config_enables_permessage_deflate() {
+        let config = websocket_config();
+        assert!(config.extensions.permessage_deflate.is_some());
+    }
+}
--- a/codex-rs/core/tests/common/responses.rs
+++ b/codex-rs/core/tests/common/responses.rs
@@ -11,9 +11,13 @@ use futures::StreamExt;
 use serde_json::Value;
 use tokio::net::TcpListener;
 use tokio::sync::oneshot;
+use tokio_tungstenite::accept_hdr_async_with_config;
 use tokio_tungstenite::tungstenite::Message;
+use tokio_tungstenite::tungstenite::extensions::ExtensionsConfig;
+use tokio_tungstenite::tungstenite::extensions::compression::deflate::DeflateConfig;
 use tokio_tungstenite::tungstenite::handshake::server::Request;
 use tokio_tungstenite::tungstenite::handshake::server::Response;
+use tokio_tungstenite::tungstenite::protocol::WebSocketConfig;
 use wiremock::BodyPrintLimit;
 use wiremock::Match;
 use wiremock::Mock;
@@ -964,7 +968,13 @@ pub async fn start_websocket_server_with_headers(
                Ok(response)
            };

-            let mut ws_stream = match tokio_tungstenite::accept_hdr_async(stream, callback).await {
+            let mut ws_stream = match accept_hdr_async_with_config(
+                stream,
+                callback,
+                Some(websocket_accept_config()),
+            )
+            .await
+            {
                Ok(ws) => ws,
                Err(_) => continue,
            };
@@ -1020,6 +1030,15 @@ fn parse_ws_request_body(message: Message) -> Option<Value> {
    }
 }

+fn websocket_accept_config() -> WebSocketConfig {
+    let mut extensions = ExtensionsConfig::default();
+    extensions.permessage_deflate = Some(DeflateConfig::default());
+
+    let mut config = WebSocketConfig::default();
+    config.extensions = extensions;
+    config
+}
+
 #[derive(Clone)]
 pub struct FunctionCallResponseMocks {
    pub function_call: ResponseMock,
--- a/codex-rs/deny.toml
+++ b/codex-rs/deny.toml
@@ -120,6 +120,9 @@ allow = [
    # MPL-2.0 - https://www.mozilla.org/MPL/2.0/
    # Used by: nucleo-matcher
    "MPL-2.0",
+    # OpenSSL - https://spdx.org/licenses/OpenSSL.html
+    # Used by: aws-lc-sys
+    "OpenSSL",
    # Unicode-3.0 - https://opensource.org/license/unicode
    # Used by: icu_decimal, icu_locale_core, icu_provider
    "Unicode-3.0",
--- a/codex-rs/network-proxy/Cargo.toml
+++ b/codex-rs/network-proxy/Cargo.toml
@@ -36,7 +36,7 @@ rama-http-backend = { version = "=0.3.0-alpha.4", features = ["tls"] }
 rama-net = { version = "=0.3.0-alpha.4", features = ["http", "tls"] }
 rama-socks5 = { version = "=0.3.0-alpha.4" }
 rama-tcp = { version = "=0.3.0-alpha.4", features = ["http"] }
-rama-tls-boring = { version = "=0.3.0-alpha.4", features = ["http"] }
+rama-tls-rustls = { version = "=0.3.0-alpha.4", features = ["http"] }

 [dev-dependencies]
 pretty_assertions = { workspace = true }
--- a/codex-rs/network-proxy/README.md
+++ b/codex-rs/network-proxy/README.md
@@ -147,8 +147,8 @@ curl -sS -X POST http://127.0.0.1:8080/reload

 - Unix socket proxying via the `x-unix-socket` header is **macOS-only**; other platforms will
  reject unix socket requests.
- HTTPS tunneling uses BoringSSL via Rama's `rama-tls-boring`; building the proxy requires a
-  native toolchain and CMake on macOS/Linux/Windows.
+- HTTPS tunneling uses rustls via Rama's `rama-tls-rustls`; this avoids BoringSSL/OpenSSL symbol
+  collisions in mixed TLS dependency graphs.

 ## Security notes (important)

--- a/codex-rs/network-proxy/src/http_proxy.rs
+++ b/codex-rs/network-proxy/src/http_proxy.rs
@@ -59,8 +59,8 @@ use rama_net::stream::SocketInfo;
 use rama_tcp::client::Request as TcpRequest;
 use rama_tcp::client::service::TcpConnector;
 use rama_tcp::server::TcpListener;
-use rama_tls_boring::client::TlsConnectorDataBuilder;
-use rama_tls_boring::client::TlsConnectorLayer;
+use rama_tls_rustls::client::TlsConnectorDataBuilder;
+use rama_tls_rustls::client::TlsConnectorLayer;
 use serde::Serialize;
 use std::convert::Infallible;
 use std::net::SocketAddr;
@@ -301,7 +301,9 @@ async fn forward_connect_tunnel(
    let req = TcpRequest::new_with_extensions(authority.clone(), extensions)
        .with_protocol(Protocol::HTTPS);
    let proxy_connector = HttpProxyConnector::optional(TcpConnector::new());
-    let tls_config = TlsConnectorDataBuilder::new_http_auto().into_shared_builder();
+    let tls_config = TlsConnectorDataBuilder::new()
+        .with_alpn_protocols_http_auto()
+        .build();
    let connector = TlsConnectorLayer::tunnel(None)
        .with_connector_data(tls_config)
        .into_layer(proxy_connector);
--- a/codex-rs/network-proxy/src/upstream.rs
+++ b/codex-rs/network-proxy/src/upstream.rs
@@ -17,8 +17,8 @@ use rama_net::address::ProxyAddress;
 use rama_net::client::EstablishedClientConnection;
 use rama_net::http::RequestContext;
 use rama_tcp::client::service::TcpConnector;
-use rama_tls_boring::client::TlsConnectorDataBuilder;
-use rama_tls_boring::client::TlsConnectorLayer;
+use rama_tls_rustls::client::TlsConnectorDataBuilder;
+use rama_tls_rustls::client::TlsConnectorLayer;
 use tracing::warn;

 #[cfg(target_os = "macos")]
@@ -165,7 +165,9 @@ fn build_http_connector() -> BoxService<
 > {
    let transport = TcpConnector::default();
    let proxy = HttpProxyConnectorLayer::optional().into_layer(transport);
-    let tls_config = TlsConnectorDataBuilder::new_http_auto().into_shared_builder();
+    let tls_config = TlsConnectorDataBuilder::new()
+        .with_alpn_protocols_http_auto()
+        .build();
    let tls = TlsConnectorLayer::auto()
        .with_connector_data(tls_config)
        .into_layer(proxy);
--- a/patches/aws-lc-sys_memcmp_check.patch
+++ b/patches/aws-lc-sys_memcmp_check.patch
@@ -0,0 +1,86 @@
+diff --git a/builder/cc_builder.rs b/builder/cc_builder.rs
+--- a/builder/cc_builder.rs
+++ b/builder/cc_builder.rs
+@@ -26,7 +26,7 @@
+ };
+ use std::cell::Cell;
+ use std::collections::HashMap;
+-use std::path::PathBuf;
+use std::path::{Path, PathBuf};
+ 
+ #[non_exhaustive]
+ #[derive(PartialEq, Eq)]
+@@ -661,6 +661,16 @@
+         }
+         let mut memcmp_compile_args = Vec::from(memcmp_compiler.args());
+ 
+        // Keep the probe self-contained and avoid invoking external debug tools
+        // (for example `dsymutil`) that may be missing in hermetic sandboxes.
+        memcmp_compile_args.retain(|arg| {
+            let Some(arg_str) = arg.to_str() else {
+                return true;
+            };
+            !arg_str.starts_with("-g")
+        });
+        memcmp_compile_args.push("-g0".into());
+
+         // This check invokes the compiled executable and hence needs to link
+         // it. CMake handles this via LDFLAGS but `cc` doesn't. In setups with
+         // custom linker setups this could lead to a mismatch between the
+@@ -672,6 +682,15 @@
+             }
+         }
+ 
+        if let Some(execroot) = Self::bazel_execroot(self.manifest_dir.as_path()) {
+            // In Bazel build-script sandboxes, `cc` can pass `bazel-out/...` args
+            // relative to the execroot while the process runs from elsewhere.
+            // Normalize those args to absolute paths so this check can still link.
+            for arg in &mut memcmp_compile_args {
+                Self::rewrite_bazel_execroot_arg(execroot.as_path(), arg);
+            }
+        }
+
+         memcmp_compile_args.push(
+             self.manifest_dir
+                 .join("aws-lc")
+@@ -725,6 +744,40 @@
+         }
+         let _ = fs::remove_file(exec_path);
+     }
+
+    fn rewrite_bazel_execroot_arg(execroot: &Path, arg: &mut std::ffi::OsString) {
+        let Some(arg_str) = arg.to_str() else {
+            return;
+        };
+
+        if arg_str.starts_with("bazel-out/") {
+            *arg = execroot.join(arg_str).into_os_string();
+            return;
+        }
+
+        for flag_prefix in ["-B", "-L"] {
+            if let Some(path) = arg_str.strip_prefix(flag_prefix) {
+                if path.starts_with("bazel-out/") {
+                    *arg = format!("{flag_prefix}{}", execroot.join(path).display()).into();
+                    return;
+                }
+            }
+        }
+    }
+
+    fn bazel_execroot(path: &Path) -> Option<PathBuf> {
+        let mut prefix = PathBuf::new();
+        for component in path.components() {
+            if component.as_os_str() == "bazel-out" {
+                return Some(prefix);
+            }
+
+            prefix.push(component.as_os_str());
+        }
+
+        None
+    }
+
+     fn run_compiler_checks(&self, cc_build: &mut cc::Build) {
+         if self.compiler_check("stdalign_check", Vec::<&'static str>::new()) {
+             cc_build.define("AWS_LC_STDALIGN_AVAILABLE", Some("1"));
--- a/patches/toolchains_llvm_bootstrapped_resource_dir.patch
+++ b/patches/toolchains_llvm_bootstrapped_resource_dir.patch
@@ -0,0 +1,85 @@
+diff --git a/toolchain/args/BUILD.bazel b/toolchain/args/BUILD.bazel
+index e6dc56c..b323589 100644
+--- a/toolchain/args/BUILD.bazel
+++ b/toolchain/args/BUILD.bazel
+@@ -17,8 +17,8 @@ package(default_visibility = ["//visibility:public"])
+ cc_args(
+     name = "resource_dir",
+     actions = [
+        "@rules_cc//cc/toolchains/actions:compile_actions",
+         "@rules_cc//cc/toolchains/actions:link_actions",
+-        # We may need it for other actions too?
+     ],
+     args = [
+         "-resource-dir",
+@@ -32,6 +32,46 @@ cc_args(
+     ],
+ )
+ 
+alias(
+    name = "clang_builtin_headers_include_search_directory",
+    actual = select({
+        "@toolchains_llvm_bootstrapped//platforms/config:linux_x86_64": "@llvm-toolchain-minimal-21.1.8-linux-amd64//:builtin_headers",
+        "@toolchains_llvm_bootstrapped//platforms/config:linux_aarch64": "@llvm-toolchain-minimal-21.1.8-linux-arm64//:builtin_headers",
+        "@toolchains_llvm_bootstrapped//platforms/config:linux_x86_64_gnu": "@llvm-toolchain-minimal-21.1.8-linux-amd64//:builtin_headers",
+        "@toolchains_llvm_bootstrapped//platforms/config:linux_aarch64_gnu": "@llvm-toolchain-minimal-21.1.8-linux-arm64//:builtin_headers",
+        "@toolchains_llvm_bootstrapped//platforms/config:linux_x86_64_musl": "@llvm-toolchain-minimal-21.1.8-linux-amd64//:builtin_headers",
+        "@toolchains_llvm_bootstrapped//platforms/config:linux_aarch64_musl": "@llvm-toolchain-minimal-21.1.8-linux-arm64//:builtin_headers",
+        "@toolchains_llvm_bootstrapped//platforms/config:macos_x86_64": "@llvm-toolchain-minimal-21.1.8-darwin-arm64//:builtin_headers",
+        "@toolchains_llvm_bootstrapped//platforms/config:macos_aarch64": "@llvm-toolchain-minimal-21.1.8-darwin-arm64//:builtin_headers",
+        "@toolchains_llvm_bootstrapped//platforms/config:windows_x86_64": "@llvm-toolchain-minimal-21.1.8-windows-amd64//:builtin_headers",
+        "@toolchains_llvm_bootstrapped//platforms/config:windows_aarch64": "@llvm-toolchain-minimal-21.1.8-windows-arm64//:builtin_headers",
+        "@toolchains_llvm_bootstrapped//platforms/config:none_wasm32": "@llvm-toolchain-minimal-21.1.8-linux-amd64//:builtin_headers",
+        "@toolchains_llvm_bootstrapped//platforms/config:none_wasm64": "@llvm-toolchain-minimal-21.1.8-linux-amd64//:builtin_headers",
+    }),
+    visibility = ["//toolchain:__subpackages__"],
+)
+
+cc_args(
+    name = "clang_builtin_headers_include_search_paths",
+    actions = [
+        "@rules_cc//cc/toolchains/actions:compile_actions",
+        "@rules_cc//cc/toolchains/actions:link_actions",
+    ],
+    args = [
+        "-isystem",
+        "{clang_builtin_headers_include_search_path}",
+    ],
+    format = {
+        "clang_builtin_headers_include_search_path": ":clang_builtin_headers_include_search_directory",
+    },
+    data = [
+        ":clang_builtin_headers_include_search_directory",
+    ],
+    allowlist_include_directories = [
+        ":clang_builtin_headers_include_search_directory",
+    ],
+)
+
+ cc_args(
+     name = "llvm_target_for_platform",
+     actions = [
+diff --git a/toolchain/BUILD.bazel b/toolchain/BUILD.bazel
+index 6ffc9f7..e02089a 100644
+--- a/toolchain/BUILD.bazel
+++ b/toolchain/BUILD.bazel
+@@ -100,6 +100,7 @@ cc_args_list(
+         "@platforms//os:macos": [],
+         "//conditions:default": [
+             "//toolchain/args:resource_dir",
+            "//toolchain/args:clang_builtin_headers_include_search_paths",
+         ],
+     }),
+ )
+diff --git a/toolchain/llvm/llvm.bzl b/toolchain/llvm/llvm.bzl
+index d068085..c152552 100644
+--- a/toolchain/llvm/llvm.bzl
+++ b/toolchain/llvm/llvm.bzl
+@@ -7,6 +7,7 @@ def declare_llvm_targets(*, suffix = ""):
+         name = "builtin_headers",
+         # Grab whichever version-specific dir is there.
+         path = native.glob(["lib/clang/*"], exclude_directories = 0)[0] + "/include",
+        visibility = ["//visibility:public"],
+     )
+ 
+     # Convenient exports