Keep MITM profile config internal

2026-05-16 01:02:48 +00:00 · 2026-05-14 12:42:59 +02:00
parent 1014074ec3
commit f7779d856e
4 changed files with 0 additions and 322 deletions
--- a/codex-rs/config/src/permissions_toml.rs
+++ b/codex-rs/config/src/permissions_toml.rs
@@ -1,6 +1,5 @@
 use std::collections::BTreeMap;

-use codex_network_proxy::MitmHookConfig;
 use codex_network_proxy::NetworkDomainPermission as ProxyNetworkDomainPermission;
 use codex_network_proxy::NetworkMode;
 use codex_network_proxy::NetworkProxyConfig;
@@ -159,9 +158,6 @@ pub struct NetworkToml {
    pub domains: Option<NetworkDomainPermissionsToml>,
    pub unix_sockets: Option<NetworkUnixSocketPermissionsToml>,
    pub allow_local_binding: Option<bool>,
-    pub mitm: Option<bool>,
-    #[schemars(with = "Option<Vec<MitmHookConfigSchema>>")]
-    pub mitm_hooks: Option<Vec<MitmHookConfig>>,
 }

 #[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq, JsonSchema)]
@@ -171,46 +167,6 @@ enum NetworkModeSchema {
    Full,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, Default, PartialEq, Eq, JsonSchema)]
-#[serde(default)]
-struct MitmHookConfigSchema {
-    pub host: String,
-    #[serde(rename = "match", default)]
-    pub matcher: MitmHookMatchConfigSchema,
-    #[serde(default)]
-    pub actions: MitmHookActionsConfigSchema,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, Default, PartialEq, Eq, JsonSchema)]
-#[serde(default)]
-struct MitmHookMatchConfigSchema {
-    pub methods: Vec<String>,
-    pub path_prefixes: Vec<String>,
-    pub query: BTreeMap<String, Vec<String>>,
-    pub headers: BTreeMap<String, Vec<String>>,
-    pub body: Option<MitmHookBodyConfigSchema>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, Default, PartialEq, Eq, JsonSchema)]
-#[serde(default)]
-struct MitmHookActionsConfigSchema {
-    pub strip_request_headers: Vec<String>,
-    pub inject_request_headers: Vec<InjectedHeaderConfigSchema>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, Default, PartialEq, Eq, JsonSchema)]
-#[serde(default)]
-struct InjectedHeaderConfigSchema {
-    pub name: String,
-    pub secret_env_var: Option<String>,
-    pub secret_file: Option<String>,
-    pub prefix: Option<String>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema)]
-#[serde(transparent)]
-struct MitmHookBodyConfigSchema(pub serde_json::Value);
-
 impl NetworkToml {
    pub fn apply_to_network_proxy_config(&self, config: &mut NetworkProxyConfig) {
        if let Some(enabled) = self.enabled {
@@ -263,12 +219,6 @@ impl NetworkToml {
        if let Some(allow_local_binding) = self.allow_local_binding {
            config.network.allow_local_binding = allow_local_binding;
        }
-        if let Some(mitm) = self.mitm {
-            config.network.mitm = mitm;
-        }
-        if let Some(mitm_hooks) = self.mitm_hooks.as_ref() {
-            config.network.mitm_hooks = mitm_hooks.clone();
-        }
    }

    pub fn to_network_proxy_config(&self) -> NetworkProxyConfig {
--- a/codex-rs/core/config.schema.json
+++ b/codex-rs/core/config.schema.json
@@ -1098,27 +1098,6 @@
      },
      "type": "object"
    },
-    "InjectedHeaderConfigSchema": {
-      "properties": {
-        "name": {
-          "default": "",
-          "type": "string"
-        },
-        "prefix": {
-          "default": null,
-          "type": "string"
-        },
-        "secret_env_var": {
-          "default": null,
-          "type": "string"
-        },
-        "secret_file": {
-          "default": null,
-          "type": "string"
-        }
-      },
-      "type": "object"
-    },
    "KeybindingsSpec": {
      "anyOf": [
        {
@@ -1299,101 +1278,6 @@
      },
      "type": "object"
    },
-    "MitmHookActionsConfigSchema": {
-      "properties": {
-        "inject_request_headers": {
-          "default": [],
-          "items": {
-            "$ref": "#/definitions/InjectedHeaderConfigSchema"
-          },
-          "type": "array"
-        },
-        "strip_request_headers": {
-          "default": [],
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      },
-      "type": "object"
-    },
-    "MitmHookConfigSchema": {
-      "properties": {
-        "actions": {
-          "allOf": [
-            {
-              "$ref": "#/definitions/MitmHookActionsConfigSchema"
-            }
-          ],
-          "default": {
-            "inject_request_headers": [],
-            "strip_request_headers": []
-          }
-        },
-        "host": {
-          "default": "",
-          "type": "string"
-        },
-        "match": {
-          "allOf": [
-            {
-              "$ref": "#/definitions/MitmHookMatchConfigSchema"
-            }
-          ],
-          "default": {
-            "body": null,
-            "headers": {},
-            "methods": [],
-            "path_prefixes": [],
-            "query": {}
-          }
-        }
-      },
-      "type": "object"
-    },
-    "MitmHookMatchConfigSchema": {
-      "properties": {
-        "body": {
-          "default": null
-        },
-        "headers": {
-          "additionalProperties": {
-            "items": {
-              "type": "string"
-            },
-            "type": "array"
-          },
-          "default": {},
-          "type": "object"
-        },
-        "methods": {
-          "default": [],
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        },
-        "path_prefixes": {
-          "default": [],
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        },
-        "query": {
-          "additionalProperties": {
-            "items": {
-              "type": "string"
-            },
-            "type": "array"
-          },
-          "default": {},
-          "type": "object"
-        }
-      },
-      "type": "object"
-    },
    "ModelAvailabilityNuxConfig": {
      "additionalProperties": {
        "format": "uint32",
@@ -1732,15 +1616,6 @@
        "enabled": {
          "type": "boolean"
        },
-        "mitm": {
-          "type": "boolean"
-        },
-        "mitm_hooks": {
-          "items": {
-            "$ref": "#/definitions/MitmHookConfigSchema"
-          },
-          "type": "array"
-        },
        "mode": {
          "$ref": "#/definitions/NetworkModeSchema"
        },
--- a/codex-rs/core/src/config/config_tests.rs
+++ b/codex-rs/core/src/config/config_tests.rs
@@ -66,10 +66,6 @@ use codex_model_provider_info::LMSTUDIO_OSS_PROVIDER_ID;
 use codex_model_provider_info::OLLAMA_OSS_PROVIDER_ID;
 use codex_model_provider_info::WireApi;
 use codex_models_manager::bundled_models_response;
-use codex_network_proxy::InjectedHeaderConfig;
-use codex_network_proxy::MitmHookActionsConfig;
-use codex_network_proxy::MitmHookConfig;
-use codex_network_proxy::MitmHookMatchConfig;
 use codex_network_proxy::NetworkMode;
 use codex_protocol::config_types::ServiceTier;
 use codex_protocol::models::ActivePermissionProfile;
@@ -733,28 +729,9 @@ proxy_url = "http://127.0.0.1:43128"
 enable_socks5 = false
 allow_upstream_proxy = false
 mode = "full"
-mitm = true

 [permissions.workspace.network.domains]
 "openai.com" = "allow"
-
-[[permissions.workspace.network.mitm_hooks]]
-host = "api.github.com"
-
-[permissions.workspace.network.mitm_hooks.match]
-methods = ["POST", "PUT"]
-path_prefixes = ["/repos/openai/"]
-
-[permissions.workspace.network.mitm_hooks.match.headers]
-"x-github-api-version" = ["2022-11-28"]
-
-[permissions.workspace.network.mitm_hooks.actions]
-strip_request_headers = ["authorization"]
-
-[[permissions.workspace.network.mitm_hooks.actions.inject_request_headers]]
-name = "authorization"
-secret_env_var = "CODEX_GITHUB_TOKEN"
-prefix = "Bearer "
 "#;
    let cfg: ConfigToml =
        toml::from_str(toml).expect("TOML deserialization should succeed for permissions profiles");
@@ -800,29 +777,6 @@ prefix = "Bearer "
                        }),
                        unix_sockets: None,
                        allow_local_binding: None,
-                        mitm: Some(true),
-                        mitm_hooks: Some(vec![MitmHookConfig {
-                            host: "api.github.com".to_string(),
-                            matcher: MitmHookMatchConfig {
-                                methods: vec!["POST".to_string(), "PUT".to_string()],
-                                path_prefixes: vec!["/repos/openai/".to_string()],
-                                query: BTreeMap::new(),
-                                headers: BTreeMap::from([(
-                                    "x-github-api-version".to_string(),
-                                    vec!["2022-11-28".to_string()],
-                                )]),
-                                body: None,
-                            },
-                            actions: MitmHookActionsConfig {
-                                strip_request_headers: vec!["authorization".to_string()],
-                                inject_request_headers: vec![InjectedHeaderConfig {
-                                    name: "authorization".to_string(),
-                                    secret_env_var: Some("CODEX_GITHUB_TOKEN".to_string()),
-                                    secret_file: None,
-                                    prefix: Some("Bearer ".to_string()),
-                                }],
-                            },
-                        }]),
                    }),
                },
            )]),
@@ -830,38 +784,6 @@ prefix = "Bearer "
    );
 }

-#[test]
-fn permissions_profile_network_to_proxy_config_preserves_mitm_hooks() {
-    let network = NetworkToml {
-        mode: Some(NetworkMode::Full),
-        mitm: Some(true),
-        mitm_hooks: Some(vec![MitmHookConfig {
-            host: "api.github.com".to_string(),
-            matcher: MitmHookMatchConfig {
-                methods: vec!["POST".to_string()],
-                path_prefixes: vec!["/repos/openai/".to_string()],
-                ..MitmHookMatchConfig::default()
-            },
-            actions: MitmHookActionsConfig {
-                strip_request_headers: vec!["authorization".to_string()],
-                inject_request_headers: vec![InjectedHeaderConfig {
-                    name: "authorization".to_string(),
-                    secret_env_var: Some("CODEX_GITHUB_TOKEN".to_string()),
-                    secret_file: None,
-                    prefix: Some("Bearer ".to_string()),
-                }],
-            },
-        }]),
-        ..NetworkToml::default()
-    };
-
-    let config = network.to_network_proxy_config();
-
-    assert_eq!(config.network.mode, NetworkMode::Full);
-    assert!(config.network.mitm);
-    assert_eq!(config.network.mitm_hooks, network.mitm_hooks.unwrap());
-}
-
 #[tokio::test]
 async fn permissions_profiles_proxy_policy_does_not_start_managed_network_proxy_without_feature()
 -> std::io::Result<()> {
--- a/codex-rs/core/src/network_proxy_loader_tests.rs
+++ b/codex-rs/core/src/network_proxy_loader_tests.rs
@@ -104,75 +104,6 @@ default_permissions = "workspace"
    assert_eq!(config.network.denied_domains(), None);
 }

-#[test]
-fn higher_precedence_profile_network_overrides_mitm_hooks() {
-    let lower_network: toml::Value = toml::from_str(
-        r#"
-default_permissions = "workspace"
-
-[permissions.workspace.network]
-mode = "limited"
-mitm = false
-
-[permissions.workspace.network.domains]
-"lower.example.com" = "allow"
-
-[[permissions.workspace.network.mitm_hooks]]
-host = "lower.example.com"
-
-[permissions.workspace.network.mitm_hooks.match]
-methods = ["POST"]
-path_prefixes = ["/repos/openai/"]
-"#,
-    )
-    .expect("lower layer should parse");
-    let higher_network: toml::Value = toml::from_str(
-        r#"
-default_permissions = "workspace"
-
-[permissions.workspace.network]
-mode = "full"
-mitm = true
-
-[permissions.workspace.network.domains]
-"higher.example.com" = "allow"
-
-[[permissions.workspace.network.mitm_hooks]]
-host = "api.github.com"
-
-[permissions.workspace.network.mitm_hooks.match]
-methods = ["PUT"]
-path_prefixes = ["/repos/openai/"]
-"#,
-    )
-    .expect("higher layer should parse");
-
-    let mut config = NetworkProxyConfig::default();
-    apply_network_tables(
-        &mut config,
-        network_tables_from_toml(&lower_network).expect("lower layer should deserialize"),
-    )
-    .expect("lower layer should apply");
-    apply_network_tables(
-        &mut config,
-        network_tables_from_toml(&higher_network).expect("higher layer should deserialize"),
-    )
-    .expect("higher layer should apply");
-
-    assert_eq!(config.network.mode, codex_network_proxy::NetworkMode::Full);
-    assert!(config.network.mitm);
-    assert_eq!(
-        config.network.allowed_domains(),
-        Some(vec![
-            "lower.example.com".to_string(),
-            "higher.example.com".to_string()
-        ])
-    );
-    assert_eq!(config.network.mitm_hooks.len(), 1);
-    assert_eq!(config.network.mitm_hooks[0].host, "api.github.com");
-    assert_eq!(config.network.mitm_hooks[0].matcher.methods, vec!["PUT"]);
-}
-
 #[test]
 fn execpolicy_network_rules_overlay_network_lists() {
    let mut config = NetworkProxyConfig::default();