inline hostname resolution for remote sandbox config (#19739)

# Why

Requirements support host-specific
`remote_sandbox_config.hostname_patterns`, but config loading previously
resolved and passed the system hostname through every config-loading
path even when no requirements layer used `remote_sandbox_config`. On
machines where hostname lookup is slow, startup and app-server config
reads paid for a feature that was not active.

We only need the hostname when a requirements layer actually declares
`remote_sandbox_config`, so this moves hostname resolution to the single
requirements merge point and keeps all other config callers unaware of
hostname matching.

# What

- Removed the eager `host_name` plumbing from
`load_config_layers_state`, `load_requirements_toml`, `ConfigBuilder`,
app-server `ConfigManager`, network proxy loading, and related call
sites.
- Resolve the hostname inside
`merge_requirements_with_remote_sandbox_config` only when the incoming
requirements contain `remote_sandbox_config`.

codex-rs/config/src/config_requirements.rs

@@ -842,10 +842,10 @@ pub enum ResidencyRequirement {
 
 impl ConfigRequirementsToml {
     pub fn apply_remote_sandbox_config(&mut self, hostname: Option<&str>) {
-        let Some(hostname) = hostname.and_then(normalize_hostname) else {
+        let Some(remote_sandbox_config) = self.remote_sandbox_config.as_ref() else {
             return;
         };
-        let Some(remote_sandbox_config) = self.remote_sandbox_config.as_ref() else {
+        let Some(hostname) = hostname.and_then(normalize_hostname) else {
             return;
         };
         let Some(matched_config) = remote_sandbox_config

codex-rs/config/src/loader/README.md

@@ -10,7 +10,7 @@ This module is the canonical place to **load and describe Codex configuration la
 
 Exported from `codex_config::loader`:
 
-- `load_config_layers_state(fs, codex_home, cwd_opt, cli_overrides, overrides, cloud_requirements, thread_config_loader, host_name) -> ConfigLayerStack`
+- `load_config_layers_state(fs, codex_home, cwd_opt, cli_overrides, overrides, cloud_requirements, thread_config_loader) -> ConfigLayerStack`
 - `ConfigLayerStack`
   - `effective_config() -> toml::Value`
   - `origins() -> HashMap<String, ConfigLayerMetadata>`
@@ -59,7 +59,6 @@ let layers = load_config_layers_state(
     LoaderOverrides::default(),
     CloudRequirementsLoader::default(),
     &NoopThreadConfigLoader,
-    /*host_name*/ None,
 ).await?;
 
 let effective = layers.effective_config();

codex-rs/config/src/loader/macos.rs

@@ -65,7 +65,6 @@ fn load_managed_admin_config() -> io::Result<Option<ManagedAdminConfigLayer>> {
 pub(crate) async fn load_managed_admin_requirements_toml(
     target: &mut ConfigRequirementsWithSources,
     override_base64: Option<&str>,
-    host_name: Option<&str>,
 ) -> io::Result<()> {
     if let Some(encoded) = override_base64 {
         let trimmed = encoded.trim();
@@ -77,7 +76,6 @@ pub(crate) async fn load_managed_admin_requirements_toml(
             target,
             managed_preferences_requirements_source(),
             parse_managed_requirements_base64(trimmed)?,
-            host_name,
         );
         return Ok(());
     }
@@ -89,7 +87,6 @@ pub(crate) async fn load_managed_admin_requirements_toml(
                     target,
                     managed_preferences_requirements_source(),
                     requirements,
-                    host_name,
                 );
             }
             Ok(())

codex-rs/config/src/loader/mod.rs

@@ -91,7 +91,6 @@ pub async fn load_config_layers_state(
     overrides: LoaderOverrides,
     cloud_requirements: CloudRequirementsLoader,
     thread_config_loader: &dyn ThreadConfigLoader,
-    host_name: Option<&str>,
 ) -> io::Result<ConfigLayerStack> {
     let ignore_user_config = overrides.ignore_user_config;
     let ignore_user_and_project_exec_policy_rules =
@@ -103,7 +102,6 @@ pub async fn load_config_layers_state(
             &mut config_requirements_toml,
             RequirementSource::CloudRequirements,
             requirements,
-            host_name,
         );
     }
 
@@ -113,19 +111,12 @@ pub async fn load_config_layers_state(
         overrides
             .macos_managed_config_requirements_base64
             .as_deref(),
-        host_name,
     )
     .await?;
 
     // Honor the system requirements.toml location.
     let requirements_toml_file = system_requirements_toml_file_with_overrides(&overrides)?;
-    load_requirements_toml(
-        fs,
-        &mut config_requirements_toml,
-        &requirements_toml_file,
-        host_name,
-    )
-    .await?;
+    load_requirements_toml(fs, &mut config_requirements_toml, &requirements_toml_file).await?;
 
     // Make a best-effort to support the legacy `managed_config.toml` as a
     // requirements specification.
@@ -134,7 +125,6 @@ pub async fn load_config_layers_state(
     load_requirements_from_legacy_scheme(
         &mut config_requirements_toml,
         loaded_config_layers.clone(),
-        host_name,
     )
     .await?;
 
@@ -388,7 +378,6 @@ pub async fn load_requirements_toml(
     fs: &dyn ExecutorFileSystem,
     config_requirements_toml: &mut ConfigRequirementsWithSources,
     requirements_toml_file: &AbsolutePathBuf,
-    host_name: Option<&str>,
 ) -> io::Result<()> {
     match fs
         .read_file_text(requirements_toml_file, /*sandbox*/ None)
@@ -421,7 +410,6 @@ pub async fn load_requirements_toml(
                     file: requirements_toml_file.clone(),
                 },
                 requirements_config,
-                host_name,
             );
         }
         Err(e) => {
@@ -554,7 +542,6 @@ fn windows_program_data_dir_from_known_folder() -> io::Result<PathBuf> {
 async fn load_requirements_from_legacy_scheme(
     config_requirements_toml: &mut ConfigRequirementsWithSources,
     loaded_config_layers: LoadedConfigLayers,
-    host_name: Option<&str>,
 ) -> io::Result<()> {
     // In this implementation, earlier layers cannot be overwritten by later
     // layers, so list managed_config_from_mdm first because it has the highest
@@ -591,7 +578,6 @@ async fn load_requirements_from_legacy_scheme(
             config_requirements_toml,
             source,
             ConfigRequirementsToml::from(legacy_config),
-            host_name,
         );
     }
 
@@ -602,9 +588,11 @@ pub(super) fn merge_requirements_with_remote_sandbox_config(
     target: &mut ConfigRequirementsWithSources,
     source: RequirementSource,
     mut requirements: ConfigRequirementsToml,
-    host_name: Option<&str>,
 ) {
-    requirements.apply_remote_sandbox_config(host_name);
+    if requirements.remote_sandbox_config.is_some() {
+        let host_name = crate::host_name();
+        requirements.apply_remote_sandbox_config(host_name.as_deref());
+    }
     target.merge_unset_fields(source, requirements);
 }