fix: gate profile proxy startup on feature

Co-authored-by: Codex noreply@openai.com
2026-05-16 01:02:48 +00:00 · 2026-05-01 13:44:15 -07:00
parent 79610eb11c
commit bf8850b31f
3 changed files with 16 additions and 47 deletions
--- a/codex-rs/core/src/config/config_tests.rs
+++ b/codex-rs/core/src/config/config_tests.rs
@@ -837,7 +837,8 @@ async fn permissions_profiles_network_enabled_allows_runtime_network_without_pro
 }

 #[tokio::test]
-async fn permissions_profiles_proxy_policy_starts_managed_network_proxy() -> std::io::Result<()> {
+async fn permissions_profiles_proxy_policy_does_not_start_managed_network_proxy_without_feature()
+-> std::io::Result<()> {
    let codex_home = TempDir::new()?;
    let cwd = TempDir::new()?;
    std::fs::write(cwd.path().join(".git"), "gitdir: nowhere")?;
@@ -878,15 +879,9 @@ async fn permissions_profiles_proxy_policy_starts_managed_network_proxy() -> std
        config.permissions.network_sandbox_policy(),
        NetworkSandboxPolicy::Enabled
    );
-    let network = config
-        .permissions
-        .network
-        .as_ref()
-        .expect("profile proxy policy should start the managed network proxy");
-    assert_eq!(network.proxy_host_and_port(), "127.0.0.1:43128");
    assert!(
-        !network.socks_enabled(),
-        "profile proxy policy should preserve SOCKS config"
+        config.permissions.network.is_none(),
+        "profile proxy policy should not start the managed network proxy without the feature"
    );
    Ok(())
 }
@@ -1099,7 +1094,8 @@ proxy_url = "http://127.0.0.1:43128"
 }

 #[tokio::test]
-async fn disabled_network_proxy_feature_preserves_profile_proxy_policy() -> std::io::Result<()> {
+async fn disabled_network_proxy_feature_does_not_start_profile_proxy_policy() -> std::io::Result<()>
+{
    let codex_home = TempDir::new()?;
    let cwd = TempDir::new()?;
    let config = Config::load_from_base_config_with_overrides(
@@ -1145,13 +1141,10 @@ enabled = false
    .await?;

    assert!(!config.features.enabled(Feature::NetworkProxy));
-    let network = config
-        .permissions
-        .network
-        .as_ref()
-        .expect("profile proxy policy should still start the managed proxy");
-    assert_eq!(network.proxy_host_and_port(), "127.0.0.1:43128");
-    assert!(!network.socks_enabled());
+    assert!(
+        config.permissions.network.is_none(),
+        "disabled feature should keep profile proxy policy from starting the managed proxy"
+    );
    Ok(())
 }

--- a/codex-rs/core/src/config/permissions.rs
+++ b/codex-rs/core/src/config/permissions.rs
@@ -117,37 +117,13 @@ pub(crate) fn network_proxy_config_from_profile_network(
        NetworkProxyConfig::default,
        NetworkToml::to_network_proxy_config,
    );
-    // Profile `network.enabled` controls sandbox network access. Do not start a
-    // managed proxy for that bit alone, but keep the proxy enabled when the
-    // profile also supplied policy that only the proxy can enforce.
-    config.network.enabled = network.is_some_and(profile_network_requires_proxy);
+    // Profile `network.enabled` controls sandbox network access. Profiles may
+    // provide proxy settings for the feature gate to consume, but they do not
+    // start the managed proxy on their own.
+    config.network.enabled = false;
    config
 }

-fn profile_network_requires_proxy(network: &NetworkToml) -> bool {
-    if network.enabled != Some(true) {
-        return false;
-    }
-
-    network.proxy_url.is_some()
-        || network.enable_socks5 == Some(true)
-        || network.socks_url.is_some()
-        || network.enable_socks5_udp == Some(true)
-        || network.allow_upstream_proxy == Some(true)
-        || network.dangerously_allow_non_loopback_proxy == Some(true)
-        || network.dangerously_allow_all_unix_sockets == Some(true)
-        || network.mode.is_some()
-        || network
-            .domains
-            .as_ref()
-            .is_some_and(|domains| !domains.is_empty())
-        || network
-            .unix_sockets
-            .as_ref()
-            .is_some_and(|unix_sockets| !unix_sockets.is_empty())
-        || network.allow_local_binding == Some(true)
-}
-
 pub(crate) fn apply_network_proxy_feature_config(
    config: &mut NetworkProxyConfig,
    feature_config: &NetworkProxyConfigToml,
--- a/codex-rs/core/src/config/permissions_tests.rs
+++ b/codex-rs/core/src/config/permissions_tests.rs
@@ -247,7 +247,7 @@ fn profile_network_proxy_config_keeps_proxy_disabled_for_bare_network_access() {
 }

 #[test]
-fn profile_network_proxy_config_enables_proxy_for_proxy_policy() {
+fn profile_network_proxy_config_keeps_proxy_disabled_for_proxy_policy() {
    let config = network_proxy_config_from_profile_network(Some(&NetworkToml {
        enabled: Some(true),
        proxy_url: Some("http://127.0.0.1:43128".to_string()),
@@ -261,7 +261,7 @@ fn profile_network_proxy_config_enables_proxy_for_proxy_policy() {
        ..Default::default()
    }));

-    assert!(config.network.enabled);
+    assert!(!config.network.enabled);
    assert_eq!(config.network.proxy_url, "http://127.0.0.1:43128");
    assert!(!config.network.enable_socks5);
    assert_eq!(