From f7779d856eee92bccf2ff4d45c9e48e20789f0ac Mon Sep 17 00:00:00 2001
From: Eva Wong <evawong@openai.com>
Date: Thu, 14 May 2026 12:42:59 +0200
Subject: [PATCH] Keep MITM profile config internal

---
 codex-rs/config/src/permissions_toml.rs       |  50 -------
 codex-rs/core/config.schema.json              | 125 ------------------
 codex-rs/core/src/config/config_tests.rs      |  78 -----------
 .../core/src/network_proxy_loader_tests.rs    |  69 ----------
 4 files changed, 322 deletions(-)

diff --git a/codex-rs/config/src/permissions_toml.rs b/codex-rs/config/src/permissions_toml.rs
index 7bab8250ab..cee68d7abb 100644
--- a/codex-rs/config/src/permissions_toml.rs
+++ b/codex-rs/config/src/permissions_toml.rs
@@ -1,6 +1,5 @@
 use std::collections::BTreeMap;
 
-use codex_network_proxy::MitmHookConfig;
 use codex_network_proxy::NetworkDomainPermission as ProxyNetworkDomainPermission;
 use codex_network_proxy::NetworkMode;
 use codex_network_proxy::NetworkProxyConfig;
@@ -159,9 +158,6 @@ pub struct NetworkToml {
     pub domains: Option<NetworkDomainPermissionsToml>,
     pub unix_sockets: Option<NetworkUnixSocketPermissionsToml>,
     pub allow_local_binding: Option<bool>,
-    pub mitm: Option<bool>,
-    #[schemars(with = "Option<Vec<MitmHookConfigSchema>>")]
-    pub mitm_hooks: Option<Vec<MitmHookConfig>>,
 }
 
 #[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq, JsonSchema)]
@@ -171,46 +167,6 @@ enum NetworkModeSchema {
     Full,
 }
 
-#[derive(Serialize, Deserialize, Debug, Clone, Default, PartialEq, Eq, JsonSchema)]
-#[serde(default)]
-struct MitmHookConfigSchema {
-    pub host: String,
-    #[serde(rename = "match", default)]
-    pub matcher: MitmHookMatchConfigSchema,
-    #[serde(default)]
-    pub actions: MitmHookActionsConfigSchema,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, Default, PartialEq, Eq, JsonSchema)]
-#[serde(default)]
-struct MitmHookMatchConfigSchema {
-    pub methods: Vec<String>,
-    pub path_prefixes: Vec<String>,
-    pub query: BTreeMap<String, Vec<String>>,
-    pub headers: BTreeMap<String, Vec<String>>,
-    pub body: Option<MitmHookBodyConfigSchema>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, Default, PartialEq, Eq, JsonSchema)]
-#[serde(default)]
-struct MitmHookActionsConfigSchema {
-    pub strip_request_headers: Vec<String>,
-    pub inject_request_headers: Vec<InjectedHeaderConfigSchema>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, Default, PartialEq, Eq, JsonSchema)]
-#[serde(default)]
-struct InjectedHeaderConfigSchema {
-    pub name: String,
-    pub secret_env_var: Option<String>,
-    pub secret_file: Option<String>,
-    pub prefix: Option<String>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema)]
-#[serde(transparent)]
-struct MitmHookBodyConfigSchema(pub serde_json::Value);
-
 impl NetworkToml {
     pub fn apply_to_network_proxy_config(&self, config: &mut NetworkProxyConfig) {
         if let Some(enabled) = self.enabled {
@@ -263,12 +219,6 @@ impl NetworkToml {
         if let Some(allow_local_binding) = self.allow_local_binding {
             config.network.allow_local_binding = allow_local_binding;
         }
-        if let Some(mitm) = self.mitm {
-            config.network.mitm = mitm;
-        }
-        if let Some(mitm_hooks) = self.mitm_hooks.as_ref() {
-            config.network.mitm_hooks = mitm_hooks.clone();
-        }
     }
 
     pub fn to_network_proxy_config(&self) -> NetworkProxyConfig {
diff --git a/codex-rs/core/config.schema.json b/codex-rs/core/config.schema.json
index f80dada762..d8c64a0d13 100644
--- a/codex-rs/core/config.schema.json
+++ b/codex-rs/core/config.schema.json
@@ -1098,27 +1098,6 @@
       },
       "type": "object"
     },
-    "InjectedHeaderConfigSchema": {
-      "properties": {
-        "name": {
-          "default": "",
-          "type": "string"
-        },
-        "prefix": {
-          "default": null,
-          "type": "string"
-        },
-        "secret_env_var": {
-          "default": null,
-          "type": "string"
-        },
-        "secret_file": {
-          "default": null,
-          "type": "string"
-        }
-      },
-      "type": "object"
-    },
     "KeybindingsSpec": {
       "anyOf": [
         {
@@ -1299,101 +1278,6 @@
       },
       "type": "object"
     },
-    "MitmHookActionsConfigSchema": {
-      "properties": {
-        "inject_request_headers": {
-          "default": [],
-          "items": {
-            "$ref": "#/definitions/InjectedHeaderConfigSchema"
-          },
-          "type": "array"
-        },
-        "strip_request_headers": {
-          "default": [],
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      },
-      "type": "object"
-    },
-    "MitmHookConfigSchema": {
-      "properties": {
-        "actions": {
-          "allOf": [
-            {
-              "$ref": "#/definitions/MitmHookActionsConfigSchema"
-            }
-          ],
-          "default": {
-            "inject_request_headers": [],
-            "strip_request_headers": []
-          }
-        },
-        "host": {
-          "default": "",
-          "type": "string"
-        },
-        "match": {
-          "allOf": [
-            {
-              "$ref": "#/definitions/MitmHookMatchConfigSchema"
-            }
-          ],
-          "default": {
-            "body": null,
-            "headers": {},
-            "methods": [],
-            "path_prefixes": [],
-            "query": {}
-          }
-        }
-      },
-      "type": "object"
-    },
-    "MitmHookMatchConfigSchema": {
-      "properties": {
-        "body": {
-          "default": null
-        },
-        "headers": {
-          "additionalProperties": {
-            "items": {
-              "type": "string"
-            },
-            "type": "array"
-          },
-          "default": {},
-          "type": "object"
-        },
-        "methods": {
-          "default": [],
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        },
-        "path_prefixes": {
-          "default": [],
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        },
-        "query": {
-          "additionalProperties": {
-            "items": {
-              "type": "string"
-            },
-            "type": "array"
-          },
-          "default": {},
-          "type": "object"
-        }
-      },
-      "type": "object"
-    },
     "ModelAvailabilityNuxConfig": {
       "additionalProperties": {
         "format": "uint32",
@@ -1732,15 +1616,6 @@
         "enabled": {
           "type": "boolean"
         },
-        "mitm": {
-          "type": "boolean"
-        },
-        "mitm_hooks": {
-          "items": {
-            "$ref": "#/definitions/MitmHookConfigSchema"
-          },
-          "type": "array"
-        },
         "mode": {
           "$ref": "#/definitions/NetworkModeSchema"
         },
diff --git a/codex-rs/core/src/config/config_tests.rs b/codex-rs/core/src/config/config_tests.rs
index e9947c14e3..5d09e9daed 100644
--- a/codex-rs/core/src/config/config_tests.rs
+++ b/codex-rs/core/src/config/config_tests.rs
@@ -66,10 +66,6 @@ use codex_model_provider_info::LMSTUDIO_OSS_PROVIDER_ID;
 use codex_model_provider_info::OLLAMA_OSS_PROVIDER_ID;
 use codex_model_provider_info::WireApi;
 use codex_models_manager::bundled_models_response;
-use codex_network_proxy::InjectedHeaderConfig;
-use codex_network_proxy::MitmHookActionsConfig;
-use codex_network_proxy::MitmHookConfig;
-use codex_network_proxy::MitmHookMatchConfig;
 use codex_network_proxy::NetworkMode;
 use codex_protocol::config_types::ServiceTier;
 use codex_protocol::models::ActivePermissionProfile;
@@ -733,28 +729,9 @@ proxy_url = "http://127.0.0.1:43128"
 enable_socks5 = false
 allow_upstream_proxy = false
 mode = "full"
-mitm = true
 
 [permissions.workspace.network.domains]
 "openai.com" = "allow"
-
-[[permissions.workspace.network.mitm_hooks]]
-host = "api.github.com"
-
-[permissions.workspace.network.mitm_hooks.match]
-methods = ["POST", "PUT"]
-path_prefixes = ["/repos/openai/"]
-
-[permissions.workspace.network.mitm_hooks.match.headers]
-"x-github-api-version" = ["2022-11-28"]
-
-[permissions.workspace.network.mitm_hooks.actions]
-strip_request_headers = ["authorization"]
-
-[[permissions.workspace.network.mitm_hooks.actions.inject_request_headers]]
-name = "authorization"
-secret_env_var = "CODEX_GITHUB_TOKEN"
-prefix = "Bearer "
 "#;
     let cfg: ConfigToml =
         toml::from_str(toml).expect("TOML deserialization should succeed for permissions profiles");
@@ -800,29 +777,6 @@ prefix = "Bearer "
                         }),
                         unix_sockets: None,
                         allow_local_binding: None,
-                        mitm: Some(true),
-                        mitm_hooks: Some(vec![MitmHookConfig {
-                            host: "api.github.com".to_string(),
-                            matcher: MitmHookMatchConfig {
-                                methods: vec!["POST".to_string(), "PUT".to_string()],
-                                path_prefixes: vec!["/repos/openai/".to_string()],
-                                query: BTreeMap::new(),
-                                headers: BTreeMap::from([(
-                                    "x-github-api-version".to_string(),
-                                    vec!["2022-11-28".to_string()],
-                                )]),
-                                body: None,
-                            },
-                            actions: MitmHookActionsConfig {
-                                strip_request_headers: vec!["authorization".to_string()],
-                                inject_request_headers: vec![InjectedHeaderConfig {
-                                    name: "authorization".to_string(),
-                                    secret_env_var: Some("CODEX_GITHUB_TOKEN".to_string()),
-                                    secret_file: None,
-                                    prefix: Some("Bearer ".to_string()),
-                                }],
-                            },
-                        }]),
                     }),
                 },
             )]),
@@ -830,38 +784,6 @@ prefix = "Bearer "
     );
 }
 
-#[test]
-fn permissions_profile_network_to_proxy_config_preserves_mitm_hooks() {
-    let network = NetworkToml {
-        mode: Some(NetworkMode::Full),
-        mitm: Some(true),
-        mitm_hooks: Some(vec![MitmHookConfig {
-            host: "api.github.com".to_string(),
-            matcher: MitmHookMatchConfig {
-                methods: vec!["POST".to_string()],
-                path_prefixes: vec!["/repos/openai/".to_string()],
-                ..MitmHookMatchConfig::default()
-            },
-            actions: MitmHookActionsConfig {
-                strip_request_headers: vec!["authorization".to_string()],
-                inject_request_headers: vec![InjectedHeaderConfig {
-                    name: "authorization".to_string(),
-                    secret_env_var: Some("CODEX_GITHUB_TOKEN".to_string()),
-                    secret_file: None,
-                    prefix: Some("Bearer ".to_string()),
-                }],
-            },
-        }]),
-        ..NetworkToml::default()
-    };
-
-    let config = network.to_network_proxy_config();
-
-    assert_eq!(config.network.mode, NetworkMode::Full);
-    assert!(config.network.mitm);
-    assert_eq!(config.network.mitm_hooks, network.mitm_hooks.unwrap());
-}
-
 #[tokio::test]
 async fn permissions_profiles_proxy_policy_does_not_start_managed_network_proxy_without_feature()
 -> std::io::Result<()> {
diff --git a/codex-rs/core/src/network_proxy_loader_tests.rs b/codex-rs/core/src/network_proxy_loader_tests.rs
index 0abd7285f5..b5adb935ec 100644
--- a/codex-rs/core/src/network_proxy_loader_tests.rs
+++ b/codex-rs/core/src/network_proxy_loader_tests.rs
@@ -104,75 +104,6 @@ default_permissions = "workspace"
     assert_eq!(config.network.denied_domains(), None);
 }
 
-#[test]
-fn higher_precedence_profile_network_overrides_mitm_hooks() {
-    let lower_network: toml::Value = toml::from_str(
-        r#"
-default_permissions = "workspace"
-
-[permissions.workspace.network]
-mode = "limited"
-mitm = false
-
-[permissions.workspace.network.domains]
-"lower.example.com" = "allow"
-
-[[permissions.workspace.network.mitm_hooks]]
-host = "lower.example.com"
-
-[permissions.workspace.network.mitm_hooks.match]
-methods = ["POST"]
-path_prefixes = ["/repos/openai/"]
-"#,
-    )
-    .expect("lower layer should parse");
-    let higher_network: toml::Value = toml::from_str(
-        r#"
-default_permissions = "workspace"
-
-[permissions.workspace.network]
-mode = "full"
-mitm = true
-
-[permissions.workspace.network.domains]
-"higher.example.com" = "allow"
-
-[[permissions.workspace.network.mitm_hooks]]
-host = "api.github.com"
-
-[permissions.workspace.network.mitm_hooks.match]
-methods = ["PUT"]
-path_prefixes = ["/repos/openai/"]
-"#,
-    )
-    .expect("higher layer should parse");
-
-    let mut config = NetworkProxyConfig::default();
-    apply_network_tables(
-        &mut config,
-        network_tables_from_toml(&lower_network).expect("lower layer should deserialize"),
-    )
-    .expect("lower layer should apply");
-    apply_network_tables(
-        &mut config,
-        network_tables_from_toml(&higher_network).expect("higher layer should deserialize"),
-    )
-    .expect("higher layer should apply");
-
-    assert_eq!(config.network.mode, codex_network_proxy::NetworkMode::Full);
-    assert!(config.network.mitm);
-    assert_eq!(
-        config.network.allowed_domains(),
-        Some(vec![
-            "lower.example.com".to_string(),
-            "higher.example.com".to_string()
-        ])
-    );
-    assert_eq!(config.network.mitm_hooks.len(), 1);
-    assert_eq!(config.network.mitm_hooks[0].host, "api.github.com");
-    assert_eq!(config.network.mitm_hooks[0].matcher.methods, vec!["PUT"]);
-}
-
 #[test]
 fn execpolicy_network_rules_overlay_network_lists() {
     let mut config = NetworkProxyConfig::default();