feat: include NetworkConfig through ExecParams

2026-02-09 02:13:45 +00:00 · 2026-02-08 17:21:56 -08:00
18 changed files with 113 additions and 43 deletions
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -1907,6 +1907,7 @@ dependencies = [
 "async-trait",
 "clap",
 "codex-utils-absolute-path",
+ "codex-utils-home-dir",
 "globset",
 "pretty_assertions",
 "rama-core",
@@ -1923,6 +1924,7 @@ dependencies = [
 "thiserror 2.0.18",
 "time",
 "tokio",
+ "toml 0.9.11+spec-1.1.0",
 "tracing",
 "url",
 ]
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -94,6 +94,7 @@ codex-linux-sandbox = { path = "linux-sandbox" }
 codex-lmstudio = { path = "lmstudio" }
 codex-login = { path = "login" }
 codex-mcp-server = { path = "mcp-server" }
+codex-network-proxy = { path = "network-proxy" }
 codex-ollama = { path = "ollama" }
 codex-otel = { path = "otel" }
 codex-process-hardening = { path = "process-hardening" }
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
@@ -1636,6 +1636,7 @@ impl CodexMessageProcessor {
            cwd,
            expiration: timeout_ms.into(),
            env,
+            network: self.config.network.clone(),
            sandbox_permissions: SandboxPermissions::UseDefault,
            windows_sandbox_level,
            justification: None,
--- a/codex-rs/core/Cargo.toml
+++ b/codex-rs/core/Cargo.toml
@@ -35,6 +35,7 @@ codex-execpolicy = { workspace = true }
 codex-file-search = { workspace = true }
 codex-git = { workspace = true }
 codex-keyring-store = { workspace = true }
+codex-network-proxy = { workspace = true }
 codex-otel = { workspace = true }
 codex-protocol = { workspace = true }
 codex-rmcp-client = { workspace = true }
--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
@@ -6658,6 +6658,7 @@ mod tests {
            cwd: turn_context.cwd.clone(),
            expiration: timeout_ms.into(),
            env: HashMap::new(),
+            network: None,
            sandbox_permissions,
            windows_sandbox_level: turn_context.windows_sandbox_level,
            justification: Some("test".to_string()),
@@ -6670,6 +6671,7 @@ mod tests {
            cwd: params.cwd.clone(),
            expiration: timeout_ms.into(),
            env: HashMap::new(),
+            network: None,
            windows_sandbox_level: turn_context.windows_sandbox_level,
            justification: params.justification.clone(),
            arg0: None,
--- a/codex-rs/core/src/config/mod.rs
+++ b/codex-rs/core/src/config/mod.rs
@@ -47,6 +47,7 @@ use crate::protocol::SandboxPolicy;
 use crate::windows_sandbox::WindowsSandboxLevelExt;
 use codex_app_server_protocol::Tools;
 use codex_app_server_protocol::UserSavedConfig;
+use codex_network_proxy::NetworkProxy;
 use codex_protocol::config_types::AltScreenMode;
 use codex_protocol::config_types::ForcedLoginMethod;
 use codex_protocol::config_types::ModeKind;
@@ -152,6 +153,9 @@ pub struct Config {
    /// using backend-specific headers or URLs to enforce this.
    pub enforce_residency: Constrained<Option<ResidencyRequirement>>,

+    /// Effective network configuration applied to all spawned processes.
+    pub network: Option<NetworkProxy>,
+
    /// True if the user passed in an override or set a value in config.toml
    /// for either of approval_policy or sandbox_mode.
    pub did_user_set_custom_approval_policy_or_sandbox_mode: bool,
@@ -1690,6 +1694,7 @@ impl Config {
            approval_policy: constrained_approval_policy.value,
            sandbox_policy: constrained_sandbox_policy.value,
            enforce_residency: enforce_residency.value,
+            network: None,
            did_user_set_custom_approval_policy_or_sandbox_mode,
            forced_auto_mode_downgraded_on_windows,
            shell_environment_policy,
@@ -4003,6 +4008,7 @@ model_verbosity = "high"
                approval_policy: Constrained::allow_any(AskForApproval::Never),
                sandbox_policy: Constrained::allow_any(SandboxPolicy::new_read_only_policy()),
                enforce_residency: Constrained::allow_any(None),
+                network: None,
                did_user_set_custom_approval_policy_or_sandbox_mode: true,
                forced_auto_mode_downgraded_on_windows: false,
                shell_environment_policy: ShellEnvironmentPolicy::default(),
@@ -4091,6 +4097,7 @@ model_verbosity = "high"
            approval_policy: Constrained::allow_any(AskForApproval::UnlessTrusted),
            sandbox_policy: Constrained::allow_any(SandboxPolicy::new_read_only_policy()),
            enforce_residency: Constrained::allow_any(None),
+            network: None,
            did_user_set_custom_approval_policy_or_sandbox_mode: true,
            forced_auto_mode_downgraded_on_windows: false,
            shell_environment_policy: ShellEnvironmentPolicy::default(),
@@ -4194,6 +4201,7 @@ model_verbosity = "high"
            approval_policy: Constrained::allow_any(AskForApproval::OnFailure),
            sandbox_policy: Constrained::allow_any(SandboxPolicy::new_read_only_policy()),
            enforce_residency: Constrained::allow_any(None),
+            network: None,
            did_user_set_custom_approval_policy_or_sandbox_mode: true,
            forced_auto_mode_downgraded_on_windows: false,
            shell_environment_policy: ShellEnvironmentPolicy::default(),
@@ -4283,6 +4291,7 @@ model_verbosity = "high"
            approval_policy: Constrained::allow_any(AskForApproval::OnFailure),
            sandbox_policy: Constrained::allow_any(SandboxPolicy::new_read_only_policy()),
            enforce_residency: Constrained::allow_any(None),
+            network: None,
            did_user_set_custom_approval_policy_or_sandbox_mode: true,
            forced_auto_mode_downgraded_on_windows: false,
            shell_environment_policy: ShellEnvironmentPolicy::default(),
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -32,6 +32,7 @@ use crate::sandboxing::SandboxPermissions;
 use crate::spawn::StdioPolicy;
 use crate::spawn::spawn_child_async;
 use crate::text_encoding::bytes_to_string_smart;
+use codex_network_proxy::NetworkProxy;
 use codex_utils_pty::process_group::kill_child_process_group;

 pub const DEFAULT_EXEC_COMMAND_TIMEOUT_MS: u64 = 10_000;
@@ -63,6 +64,7 @@ pub struct ExecParams {
    pub cwd: PathBuf,
    pub expiration: ExecExpiration,
    pub env: HashMap<String, String>,
+    pub network: Option<NetworkProxy>,
    pub sandbox_permissions: SandboxPermissions,
    pub windows_sandbox_level: codex_protocol::config_types::WindowsSandboxLevel,
    pub justification: Option<String>,
@@ -170,13 +172,13 @@ pub async fn process_exec_tool_call(
        command,
        cwd,
        expiration,
-        env,
+        mut env,
+        network,
        sandbox_permissions,
        windows_sandbox_level,
        justification,
        arg0: _,
    } = params;
-
    let (program, args) = command.split_first().ok_or_else(|| {
        CodexErr::Io(io::Error::new(
            io::ErrorKind::InvalidInput,
@@ -208,12 +210,13 @@ pub async fn process_exec_tool_call(
        .map_err(CodexErr::from)?;

    // Route through the sandboxing module for a single, unified execution path.
-    crate::sandboxing::execute_env(exec_env, sandbox_policy, stdout_stream).await
+    crate::sandboxing::execute_env(exec_env, sandbox_policy, stdout_stream, network).await
 }

 pub(crate) async fn execute_exec_env(
    env: ExecEnv,
    sandbox_policy: &SandboxPolicy,
+    network: Option<NetworkProxy>,
    stdout_stream: Option<StdoutStream>,
 ) -> Result<ExecToolCallOutput> {
    let ExecEnv {
@@ -233,6 +236,7 @@ pub(crate) async fn execute_exec_env(
        cwd,
        expiration,
        env,
+        network,
        sandbox_permissions,
        windows_sandbox_level,
        justification,
@@ -324,11 +328,15 @@ async fn exec_windows_sandbox(
    let ExecParams {
        command,
        cwd,
-        env,
+        mut env,
+        network,
        expiration,
        windows_sandbox_level,
        ..
    } = params;
+    if let Some(network) = network.as_ref() {
+        network.apply_to_env(&mut env);
+    }
    // TODO(iceweasel-oai): run_windows_sandbox_capture should support all
    // variants of ExecExpiration, not just timeout.
    let timeout_ms = expiration.timeout_ms();
@@ -677,12 +685,16 @@ async fn exec(
    let ExecParams {
        command,
        cwd,
-        env,
+        mut env,
+        network,
        arg0,
        expiration,
        windows_sandbox_level: _,
        ..
    } = params;
+    if let Some(network) = network.as_ref() {
+        network.apply_to_env(&mut env);
+    }

    let (program, args) = command.split_first().ok_or_else(|| {
        CodexErr::Io(io::Error::new(
@@ -1061,6 +1073,7 @@ mod tests {
            cwd: std::env::current_dir()?,
            expiration: 500.into(),
            env,
+            network: None,
            sandbox_permissions: SandboxPermissions::UseDefault,
            windows_sandbox_level: codex_protocol::config_types::WindowsSandboxLevel::Disabled,
            justification: None,
@@ -1107,6 +1120,7 @@ mod tests {
            cwd: cwd.clone(),
            expiration: ExecExpiration::Cancellation(cancel_token),
            env,
+            network: None,
            sandbox_permissions: SandboxPermissions::UseDefault,
            windows_sandbox_level: codex_protocol::config_types::WindowsSandboxLevel::Disabled,
            justification: None,
--- a/codex-rs/core/src/sandboxing/mod.rs
+++ b/codex-rs/core/src/sandboxing/mod.rs
@@ -21,6 +21,7 @@ use crate::seatbelt::create_seatbelt_command_args;
 use crate::spawn::CODEX_SANDBOX_ENV_VAR;
 use crate::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
 use crate::tools::sandboxing::SandboxablePreference;
+use codex_network_proxy::NetworkProxy;
 use codex_protocol::config_types::WindowsSandboxLevel;
 pub use codex_protocol::models::SandboxPermissions;
 use std::collections::HashMap;
@@ -207,6 +208,7 @@ pub async fn execute_env(
    env: ExecEnv,
    policy: &SandboxPolicy,
    stdout_stream: Option<StdoutStream>,
+    network: Option<NetworkProxy>,
 ) -> crate::error::Result<ExecToolCallOutput> {
-    execute_exec_env(env, policy, stdout_stream).await
+    execute_exec_env(env, policy, network, stdout_stream).await
 }
--- a/codex-rs/core/src/tasks/user_shell.rs
+++ b/codex-rs/core/src/tasks/user_shell.rs
@@ -160,9 +160,14 @@ pub(crate) async fn execute_user_shell_command(
    });

    let sandbox_policy = SandboxPolicy::DangerFullAccess;
-    let exec_result = execute_exec_env(exec_env, &sandbox_policy, stdout_stream)
-        .or_cancel(&cancellation_token)
-        .await;
+    let exec_result = execute_exec_env(
+        exec_env,
+        &sandbox_policy,
+        turn_context.config.network.clone(),
+        stdout_stream,
+    )
+    .or_cancel(&cancellation_token)
+    .await;

    match exec_result {
        Err(CancelErr::Cancelled) => {
--- a/codex-rs/core/src/tools/handlers/shell.rs
+++ b/codex-rs/core/src/tools/handlers/shell.rs
@@ -53,6 +53,7 @@ impl ShellHandler {
            cwd: turn_context.resolve_path(params.workdir.clone()),
            expiration: params.timeout_ms.into(),
            env: create_env(&turn_context.shell_environment_policy, Some(thread_id)),
+            network: turn_context.config.network.clone(),
            sandbox_permissions: params.sandbox_permissions.unwrap_or_default(),
            windows_sandbox_level: turn_context.windows_sandbox_level,
            justification: params.justification.clone(),
@@ -81,6 +82,7 @@ impl ShellCommandHandler {
            cwd: turn_context.resolve_path(params.workdir.clone()),
            expiration: params.timeout_ms.into(),
            env: create_env(&turn_context.shell_environment_policy, Some(thread_id)),
+            network: turn_context.config.network.clone(),
            sandbox_permissions: params.sandbox_permissions.unwrap_or_default(),
            windows_sandbox_level: turn_context.windows_sandbox_level,
            justification: params.justification.clone(),
@@ -311,6 +313,7 @@ impl ShellHandler {
            cwd: exec_params.cwd.clone(),
            timeout_ms: exec_params.expiration.timeout_ms(),
            env: exec_params.env.clone(),
+            network: exec_params.network.clone(),
            sandbox_permissions: exec_params.sandbox_permissions,
            justification: exec_params.justification.clone(),
            exec_approval_requirement,
@@ -441,6 +444,7 @@ mod tests {
        assert_eq!(exec_params.command, expected_command);
        assert_eq!(exec_params.cwd, expected_cwd);
        assert_eq!(exec_params.env, expected_env);
+        assert_eq!(exec_params.network, turn_context.config.network);
        assert_eq!(exec_params.expiration.timeout_ms(), timeout_ms);
        assert_eq!(exec_params.sandbox_permissions, sandbox_permissions);
        assert_eq!(exec_params.justification, justification);
--- a/codex-rs/core/src/tools/runtimes/apply_patch.rs
+++ b/codex-rs/core/src/tools/runtimes/apply_patch.rs
@@ -153,7 +153,7 @@ impl ToolRuntime<ApplyPatchRequest, ExecToolCallOutput> for ApplyPatchRuntime {
        let env = attempt
            .env_for(spec)
            .map_err(|err| ToolError::Codex(err.into()))?;
-        let out = execute_env(env, attempt.policy, Self::stdout_stream(ctx))
+        let out = execute_env(env, attempt.policy, Self::stdout_stream(ctx), None)
            .await
            .map_err(ToolError::Codex)?;
        Ok(out)
--- a/codex-rs/core/src/tools/runtimes/shell.rs
+++ b/codex-rs/core/src/tools/runtimes/shell.rs
@@ -23,6 +23,7 @@ use crate::tools::sandboxing::ToolCtx;
 use crate::tools::sandboxing::ToolError;
 use crate::tools::sandboxing::ToolRuntime;
 use crate::tools::sandboxing::with_cached_approval;
+use codex_network_proxy::NetworkProxy;
 use codex_protocol::protocol::ReviewDecision;
 use futures::future::BoxFuture;
 use std::path::PathBuf;
@@ -33,6 +34,7 @@ pub struct ShellRequest {
    pub cwd: PathBuf,
    pub timeout_ms: Option<u64>,
    pub env: std::collections::HashMap<String, String>,
+    pub network: Option<NetworkProxy>,
    pub sandbox_permissions: SandboxPermissions,
    pub justification: Option<String>,
    pub exec_approval_requirement: ExecApprovalRequirement,
@@ -155,10 +157,11 @@ impl ToolRuntime<ShellRequest, ExecToolCallOutput> for ShellRuntime {
            command
        };

+        let env = req.env.clone();
        let spec = build_command_spec(
            &command,
            &req.cwd,
-            &req.env,
+            &env,
            req.timeout_ms.into(),
            req.sandbox_permissions,
            req.justification.clone(),
@@ -166,9 +169,14 @@ impl ToolRuntime<ShellRequest, ExecToolCallOutput> for ShellRuntime {
        let env = attempt
            .env_for(spec)
            .map_err(|err| ToolError::Codex(err.into()))?;
-        let out = execute_env(env, attempt.policy, Self::stdout_stream(ctx))
-            .await
-            .map_err(ToolError::Codex)?;
+        let out = execute_env(
+            env,
+            attempt.policy,
+            Self::stdout_stream(ctx),
+            req.network.clone(),
+        )
+        .await
+        .map_err(ToolError::Codex)?;
        Ok(out)
    }
 }
--- a/codex-rs/core/src/tools/runtimes/unified_exec.rs
+++ b/codex-rs/core/src/tools/runtimes/unified_exec.rs
@@ -27,6 +27,7 @@ use crate::tools::sandboxing::with_cached_approval;
 use crate::unified_exec::UnifiedExecError;
 use crate::unified_exec::UnifiedExecProcess;
 use crate::unified_exec::UnifiedExecProcessManager;
+use codex_network_proxy::NetworkProxy;
 use codex_protocol::protocol::ReviewDecision;
 use futures::future::BoxFuture;
 use std::collections::HashMap;
@@ -37,6 +38,7 @@ pub struct UnifiedExecRequest {
    pub command: Vec<String>,
    pub cwd: PathBuf,
    pub env: HashMap<String, String>,
+    pub network: Option<NetworkProxy>,
    pub tty: bool,
    pub sandbox_permissions: SandboxPermissions,
    pub justification: Option<String>,
@@ -55,28 +57,6 @@ pub struct UnifiedExecRuntime<'a> {
    manager: &'a UnifiedExecProcessManager,
 }

-impl UnifiedExecRequest {
-    pub fn new(
-        command: Vec<String>,
-        cwd: PathBuf,
-        env: HashMap<String, String>,
-        tty: bool,
-        sandbox_permissions: SandboxPermissions,
-        justification: Option<String>,
-        exec_approval_requirement: ExecApprovalRequirement,
-    ) -> Self {
-        Self {
-            command,
-            cwd,
-            env,
-            tty,
-            sandbox_permissions,
-            justification,
-            exec_approval_requirement,
-        }
-    }
-}
-
 impl<'a> UnifiedExecRuntime<'a> {
    pub fn new(manager: &'a UnifiedExecProcessManager) -> Self {
        Self { manager }
@@ -181,10 +161,14 @@ impl<'a> ToolRuntime<UnifiedExecRequest, UnifiedExecProcess> for UnifiedExecRunt
            command
        };

+        let mut env = req.env.clone();
+        if let Some(network) = req.network.as_ref() {
+            network.apply_to_env(&mut env);
+        }
        let spec = build_command_spec(
            &command,
            &req.cwd,
-            &req.env,
+            &env,
            ExecExpiration::DefaultTimeout,
            req.sandbox_permissions,
            req.justification.clone(),
--- a/codex-rs/core/src/unified_exec/process_manager.rs
+++ b/codex-rs/core/src/unified_exec/process_manager.rs
@@ -501,15 +501,16 @@ impl UnifiedExecProcessManager {
                prefix_rule: request.prefix_rule.clone(),
            })
            .await;
-        let req = UnifiedExecToolRequest::new(
-            request.command.clone(),
+        let req = UnifiedExecToolRequest {
+            command: request.command.clone(),
            cwd,
            env,
-            request.tty,
-            request.sandbox_permissions,
-            request.justification.clone(),
+            network: context.turn.config.network.clone(),
+            tty: request.tty,
+            sandbox_permissions: request.sandbox_permissions,
+            justification: request.justification.clone(),
            exec_approval_requirement,
-        );
+        };
        let tool_ctx = ToolCtx {
            session: context.session.as_ref(),
            turn: context.turn.as_ref(),
--- a/codex-rs/core/tests/suite/exec.rs
+++ b/codex-rs/core/tests/suite/exec.rs
@@ -36,6 +36,7 @@ async fn run_test_cmd(tmp: TempDir, cmd: Vec<&str>) -> Result<ExecToolCallOutput
        cwd: tmp.path().to_path_buf(),
        expiration: 1000.into(),
        env: HashMap::new(),
+        network: None,
        sandbox_permissions: SandboxPermissions::UseDefault,
        windows_sandbox_level: WindowsSandboxLevel::Disabled,
        justification: None,
--- a/codex-rs/exec-server/src/posix/escalate_server.rs
+++ b/codex-rs/exec-server/src/posix/escalate_server.rs
@@ -87,6 +87,7 @@ impl EscalateServer {
                cwd: PathBuf::from(&workdir),
                expiration: ExecExpiration::Cancellation(cancel_rx),
                env,
+                network: None,
                sandbox_permissions: SandboxPermissions::UseDefault,
                windows_sandbox_level: WindowsSandboxLevel::Disabled,
                justification: None,
--- a/codex-rs/linux-sandbox/tests/suite/landlock.rs
+++ b/codex-rs/linux-sandbox/tests/suite/landlock.rs
@@ -75,6 +75,7 @@ async fn run_cmd_result_with_writable_roots(
        cwd,
        expiration: timeout_ms.into(),
        env: create_env_from_core_vars(),
+        network: None,
        sandbox_permissions: SandboxPermissions::UseDefault,
        windows_sandbox_level: WindowsSandboxLevel::Disabled,
        justification: None,
@@ -231,6 +232,7 @@ async fn assert_network_blocked(cmd: &[&str]) {
        // do not stall the suite.
        expiration: NETWORK_TIMEOUT_MS.into(),
        env: create_env_from_core_vars(),
+        network: None,
        sandbox_permissions: SandboxPermissions::UseDefault,
        windows_sandbox_level: WindowsSandboxLevel::Disabled,
        justification: None,
--- a/codex-rs/network-proxy/src/proxy.rs
+++ b/codex-rs/network-proxy/src/proxy.rs
@@ -8,6 +8,7 @@ use crate::state::NetworkProxyState;
 use anyhow::Context;
 use anyhow::Result;
 use clap::Parser;
+use std::collections::HashMap;
 use std::net::SocketAddr;
 use std::sync::Arc;
 use tokio::task::JoinHandle;
@@ -89,11 +90,42 @@ pub struct NetworkProxy {
    policy_decider: Option<Arc<dyn NetworkPolicyDecider>>,
 }

+impl std::fmt::Debug for NetworkProxy {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        // Avoid logging internal state (config contents, derived globsets, etc.) which can be noisy
+        // and may contain sensitive paths.
+        f.debug_struct("NetworkProxy")
+            .field("http_addr", &self.http_addr)
+            .field("socks_addr", &self.socks_addr)
+            .field("admin_addr", &self.admin_addr)
+            .finish_non_exhaustive()
+    }
+}
+
+impl PartialEq for NetworkProxy {
+    fn eq(&self, other: &Self) -> bool {
+        self.http_addr == other.http_addr
+            && self.socks_addr == other.socks_addr
+            && self.admin_addr == other.admin_addr
+    }
+}
+
+impl Eq for NetworkProxy {}
+
 impl NetworkProxy {
    pub fn builder() -> NetworkProxyBuilder {
        NetworkProxyBuilder::default()
    }

+    pub fn apply_to_env(&self, env: &mut HashMap<String, String>) {
+        // Enforce proxying for all child processes when configured. We always override to ensure
+        // the proxy is actually used even if the caller passed conflicting environment variables.
+        let proxy_url = format!("http://{}", self.http_addr);
+        for key in ["HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy"] {
+            env.insert(key.to_string(), proxy_url.clone());
+        }
+    }
+
    pub async fn run(&self) -> Result<NetworkProxyHandle> {
        let current_cfg = self.state.current_cfg().await?;
        if !current_cfg.network.enabled {