Refactor network approvals to host/protocol/port scope (#12140)

## Summary Simplify network approvals by removing per-attempt proxy correlation and moving to session-level approval dedupe keyed by (host, protocol, port). Instead of encoding attempt IDs into proxy credentials/URLs, we now treat approvals as a destination policy decision. - Concurrent calls to the same destination share one approval prompt. - Different destinations (or same host on different ports) get separate prompts. - Allow once approves the current queued request group only. - Allow for session caches that (host, protocol, port) and auto-allows future matching requests. - Never policy continues to deny without prompting. Example: - 3 calls: - a.com (line 443) - b.com (line 443) - a.com (line 443) => 2 prompts total (a, b), second a waits on the first decision. - a.com:80 is treated separately from a.com line 443 ## Testing - `just fmt` (in `codex-rs`) - `cargo test -p codex-core tools::network_approval::tests` - `cargo test -p codex-core` (unit tests pass; existing integration-suite failures remain in this environment)
2026-04-27 16:15:09 +00:00 · 2026-02-20 10:39:55 -08:00
parent 41f15bf07b
commit e8afaed502
40 changed files with 570 additions and 739 deletions
--- a/codex-rs/network-proxy/src/network_policy.rs
+++ b/codex-rs/network-proxy/src/network_policy.rs
@@ -71,7 +71,6 @@ pub struct NetworkPolicyRequest {
    pub method: Option<String>,
    pub command: Option<String>,
    pub exec_policy_hint: Option<String>,
-    pub attempt_id: Option<String>,
 }

 pub struct NetworkPolicyRequestArgs {
@@ -82,7 +81,6 @@ pub struct NetworkPolicyRequestArgs {
    pub method: Option<String>,
    pub command: Option<String>,
    pub exec_policy_hint: Option<String>,
-    pub attempt_id: Option<String>,
 }

 impl NetworkPolicyRequest {
@@ -95,7 +93,6 @@ impl NetworkPolicyRequest {
            method,
            command,
            exec_policy_hint,
-            attempt_id,
        } = args;
        Self {
            protocol,
@@ -105,7 +102,6 @@ impl NetworkPolicyRequest {
            method,
            command,
            exec_policy_hint,
-            attempt_id,
        }
    }
 }
@@ -258,7 +254,6 @@ mod tests {
            method: Some("GET".to_string()),
            command: None,
            exec_policy_hint: None,
-            attempt_id: None,
        });

        let decision = evaluate_host_policy(&state, Some(&decider), &request)
@@ -292,7 +287,6 @@ mod tests {
            method: Some("GET".to_string()),
            command: None,
            exec_policy_hint: None,
-            attempt_id: None,
        });

        let decision = evaluate_host_policy(&state, Some(&decider), &request)
@@ -333,7 +327,6 @@ mod tests {
            method: Some("GET".to_string()),
            command: None,
            exec_policy_hint: None,
-            attempt_id: None,
        });

        let decision = evaluate_host_policy(&state, Some(&decider), &request)