hanges

2026-03-12 09:33:32 +00:00 · 2026-03-11 19:05:15 -07:00
10 changed files with 313 additions and 40 deletions
--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
@@ -169,6 +169,8 @@ use crate::error::CodexErr;
 use crate::error::Result as CodexResult;
 #[cfg(test)]
 use crate::exec::StreamOutput;
+use crate::network_proxy_registry::NetworkProxyRegistry;
+use crate::network_proxy_registry::NetworkProxyScope;
 use codex_config::CONFIG_TOML_FILE;

 mod rollout_reconstruction;
@@ -1093,6 +1095,52 @@ impl Session {
        Ok((network_proxy, session_network_proxy))
    }

+    pub(crate) async fn get_or_start_network_proxy(
+        self: &Arc<Self>,
+        scope: NetworkProxyScope,
+        sandbox_policy: &SandboxPolicy,
+    ) -> anyhow::Result<Option<NetworkProxy>> {
+        let session = Arc::clone(self);
+        let started = self
+            .services
+            .network_proxies
+            .get_or_start(
+                scope.clone(),
+                move |spec, managed_enabled, audit_metadata| {
+                    let session = Arc::clone(&session);
+                    let scope = scope.clone();
+                    let sandbox_policy = sandbox_policy.clone();
+                    async move {
+                        let network_policy_decider = session
+                            .services
+                            .network_policy_decider_session
+                            .as_ref()
+                            .map(|network_policy_decider_session| {
+                                build_network_policy_decider(
+                                    Arc::clone(&session.services.network_approval),
+                                    Arc::clone(network_policy_decider_session),
+                                    scope,
+                                )
+                            });
+                        spec.start_proxy(
+                            &sandbox_policy,
+                            network_policy_decider,
+                            session
+                                .services
+                                .network_blocked_request_observer
+                                .as_ref()
+                                .map(Arc::clone),
+                            managed_enabled,
+                            audit_metadata,
+                        )
+                        .await
+                    }
+                },
+            )
+            .await?;
+        Ok(started.map(|started| started.proxy()))
+    }
+
    /// Don't expand the number of mutated arguments on config. We are in the process of getting rid of it.
    pub(crate) fn build_per_turn_config(session_configuration: &SessionConfiguration) -> Config {
        // todo(aibrahim): store this state somewhere else so we don't need to mut config
@@ -1563,9 +1611,10 @@ impl Session {
                    build_network_policy_decider(
                        Arc::clone(&network_approval),
                        Arc::clone(network_policy_decider_session),
+                        NetworkProxyScope::SessionDefault,
                    )
                });
-        let (network_proxy, session_network_proxy) =
+        let (default_network_proxy, session_network_proxy) =
            if let Some(spec) = config.permissions.network.as_ref() {
                let (network_proxy, session_network_proxy) = Self::start_managed_network_proxy(
                    spec,
@@ -1573,13 +1622,19 @@ impl Session {
                    network_policy_decider.as_ref().map(Arc::clone),
                    blocked_request_observer.as_ref().map(Arc::clone),
                    managed_network_requirements_enabled,
-                    network_proxy_audit_metadata,
+                    network_proxy_audit_metadata.clone(),
                )
                .await?;
                (Some(network_proxy), Some(session_network_proxy))
            } else {
                (None, None)
            };
+        let network_proxies = NetworkProxyRegistry::new(
+            config.permissions.network.clone(),
+            managed_network_requirements_enabled,
+            network_proxy_audit_metadata.clone(),
+            default_network_proxy,
+        );

        let mut hook_shell_argv = default_shell.derive_exec_args("", false);
        let hook_shell_program = hook_shell_argv.remove(0);
@@ -1637,7 +1692,9 @@ impl Session {
            mcp_manager: Arc::clone(&mcp_manager),
            file_watcher,
            agent_control,
-            network_proxy,
+            network_proxies,
+            network_policy_decider_session,
+            network_blocked_request_observer: blocked_request_observer,
            network_approval: Arc::clone(&network_approval),
            state_db: state_db_ctx.clone(),
            model_client: ModelClient::new(
@@ -1674,7 +1731,9 @@ impl Session {
            js_repl,
            next_internal_sub_id: AtomicU64::new(0),
        });
-        if let Some(network_policy_decider_session) = network_policy_decider_session {
+        if let Some(network_policy_decider_session) =
+            sess.services.network_policy_decider_session.as_ref()
+        {
            let mut guard = network_policy_decider_session.write().await;
            *guard = Arc::downgrade(&sess);
        }
@@ -2306,8 +2365,10 @@ impl Session {
            model_info,
            &self.services.models_manager,
            self.services
-                .network_proxy
-                .as_ref()
+                .network_proxies
+                .get(&NetworkProxyScope::SessionDefault)
+                .await
+                .as_deref()
                .map(StartedNetworkProxy::proxy),
            sub_id,
            Arc::clone(&self.js_repl),
@@ -2679,6 +2740,7 @@ impl Session {
        &self,
        amendment: &NetworkPolicyAmendment,
        network_approval_context: &NetworkApprovalContext,
+        scope: &NetworkProxyScope,
    ) -> anyhow::Result<()> {
        let host =
            Self::validated_network_policy_amendment_host(amendment, network_approval_context)?;
@@ -2692,7 +2754,7 @@ impl Session {
        let execpolicy_amendment =
            execpolicy_network_rule_amendment(amendment, network_approval_context, &host);

-        if let Some(started_network_proxy) = self.services.network_proxy.as_ref() {
+        if let Some(started_network_proxy) = self.services.network_proxies.get(scope).await {
            let proxy = started_network_proxy.proxy();
            match amendment.action {
                NetworkPolicyRuleAction::Allow => proxy
--- a/codex-rs/core/src/codex_tests.rs
+++ b/codex-rs/core/src/codex_tests.rs
@@ -11,9 +11,11 @@ use crate::exec::ExecToolCallOutput;
 use crate::function_tool::FunctionCallError;
 use crate::mcp_connection_manager::ToolInfo;
 use crate::models_manager::model_info;
+use crate::network_proxy_registry::NetworkProxyRegistry;
 use crate::shell::default_user_shell;
 use crate::tools::format_exec_output_str;

+use codex_network_proxy::NetworkProxyAuditMetadata;
 use codex_protocol::ThreadId;
 use codex_protocol::models::FunctionCallOutputBody;
 use codex_protocol::models::FunctionCallOutputPayload;
@@ -2233,7 +2235,14 @@ pub(crate) async fn make_session_and_context() -> (Session, TurnContext) {
        mcp_manager,
        file_watcher,
        agent_control,
-        network_proxy: None,
+        network_proxies: NetworkProxyRegistry::new(
+            None,
+            false,
+            NetworkProxyAuditMetadata::default(),
+            None,
+        ),
+        network_policy_decider_session: None,
+        network_blocked_request_observer: None,
        network_approval: Arc::clone(&network_approval),
        state_db: None,
        model_client: ModelClient::new(
@@ -2794,7 +2803,14 @@ pub(crate) async fn make_session_and_context_with_dynamic_tools_and_rx(
        mcp_manager,
        file_watcher,
        agent_control,
-        network_proxy: None,
+        network_proxies: NetworkProxyRegistry::new(
+            None,
+            false,
+            NetworkProxyAuditMetadata::default(),
+            None,
+        ),
+        network_policy_decider_session: None,
+        network_blocked_request_observer: None,
        network_approval: Arc::clone(&network_approval),
        state_db: None,
        model_client: ModelClient::new(
--- a/codex-rs/core/src/guardian.rs
+++ b/codex-rs/core/src/guardian.rs
@@ -39,6 +39,7 @@ use crate::config::Constrained;
 use crate::config::NetworkProxySpec;
 use crate::event_mapping::is_contextual_user_message_content;
 use crate::features::Feature;
+use crate::network_proxy_registry::NetworkProxyScope;
 use crate::protocol::Op;
 use crate::protocol::SandboxPolicy;
 use crate::truncate::approx_bytes_for_tokens;
@@ -550,7 +551,12 @@ async fn run_guardian_subagent(
    schema: Value,
    cancel_token: CancellationToken,
 ) -> anyhow::Result<GuardianAssessment> {
-    let live_network_config = match session.services.network_proxy.as_ref() {
+    let live_network_config = match session
+        .services
+        .network_proxies
+        .get(&NetworkProxyScope::SessionDefault)
+        .await
+    {
        Some(network_proxy) => Some(network_proxy.proxy().current_cfg().await?),
        None => None,
    };
--- a/codex-rs/core/src/lib.rs
+++ b/codex-rs/core/src/lib.rs
@@ -50,6 +50,7 @@ mod mcp_connection_manager;
 pub mod models_manager;
 mod network_policy_decision;
 pub mod network_proxy_loader;
+mod network_proxy_registry;
 mod original_image_detail;
 pub use mcp_connection_manager::MCP_SANDBOX_STATE_CAPABILITY;
 pub use mcp_connection_manager::MCP_SANDBOX_STATE_METHOD;
--- a/codex-rs/core/src/network_proxy_registry.rs
+++ b/codex-rs/core/src/network_proxy_registry.rs
@@ -0,0 +1,77 @@
+use crate::config::NetworkProxySpec;
+use crate::config::StartedNetworkProxy;
+use anyhow::Result;
+use codex_network_proxy::NetworkProxyAuditMetadata;
+use std::collections::HashMap;
+use std::future::Future;
+use std::path::PathBuf;
+use std::sync::Arc;
+use tokio::sync::Mutex;
+
+#[derive(Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
+pub(crate) enum NetworkProxyScope {
+    SessionDefault,
+    Skill { path_to_skills_md: PathBuf },
+}
+
+pub(crate) struct NetworkProxyRegistry {
+    spec: Option<NetworkProxySpec>,
+    managed_network_requirements_enabled: bool,
+    audit_metadata: NetworkProxyAuditMetadata,
+    proxies: Mutex<HashMap<NetworkProxyScope, Arc<StartedNetworkProxy>>>,
+}
+
+impl NetworkProxyRegistry {
+    pub(crate) fn new(
+        spec: Option<NetworkProxySpec>,
+        managed_network_requirements_enabled: bool,
+        audit_metadata: NetworkProxyAuditMetadata,
+        default_proxy: Option<StartedNetworkProxy>,
+    ) -> Self {
+        let mut proxies = HashMap::new();
+        if let Some(default_proxy) = default_proxy {
+            proxies.insert(NetworkProxyScope::SessionDefault, Arc::new(default_proxy));
+        }
+
+        Self {
+            spec,
+            managed_network_requirements_enabled,
+            audit_metadata,
+            proxies: Mutex::new(proxies),
+        }
+    }
+
+    pub(crate) async fn get(&self, scope: &NetworkProxyScope) -> Option<Arc<StartedNetworkProxy>> {
+        self.proxies.lock().await.get(scope).cloned()
+    }
+
+    pub(crate) async fn get_or_start<F, Fut>(
+        &self,
+        scope: NetworkProxyScope,
+        start: F,
+    ) -> Result<Option<Arc<StartedNetworkProxy>>>
+    where
+        F: FnOnce(NetworkProxySpec, bool, NetworkProxyAuditMetadata) -> Fut,
+        Fut: Future<Output = std::io::Result<StartedNetworkProxy>>,
+    {
+        let mut proxies = self.proxies.lock().await;
+        if let Some(existing) = proxies.get(&scope).cloned() {
+            return Ok(Some(existing));
+        }
+
+        let Some(spec) = self.spec.clone() else {
+            return Ok(None);
+        };
+
+        let started = Arc::new(
+            start(
+                spec,
+                self.managed_network_requirements_enabled,
+                self.audit_metadata.clone(),
+            )
+            .await?,
+        );
+        proxies.insert(scope, Arc::clone(&started));
+        Ok(Some(started))
+    }
+}
--- a/codex-rs/core/src/state/service.rs
+++ b/codex-rs/core/src/state/service.rs
@@ -6,12 +6,13 @@ use crate::RolloutRecorder;
 use crate::agent::AgentControl;
 use crate::analytics_client::AnalyticsEventsClient;
 use crate::client::ModelClient;
-use crate::config::StartedNetworkProxy;
+use crate::codex::Session;
 use crate::exec_policy::ExecPolicyManager;
 use crate::file_watcher::FileWatcher;
 use crate::mcp::McpManager;
 use crate::mcp_connection_manager::McpConnectionManager;
 use crate::models_manager::manager::ModelsManager;
+use crate::network_proxy_registry::NetworkProxyRegistry;
 use crate::plugins::PluginsManager;
 use crate::skills::SkillsManager;
 use crate::state_db::StateDbHandle;
@@ -20,10 +21,12 @@ use crate::tools::runtimes::ExecveSessionApproval;
 use crate::tools::sandboxing::ApprovalStore;
 use crate::unified_exec::UnifiedExecProcessManager;
 use codex_hooks::Hooks;
+use codex_network_proxy::BlockedRequestObserver;
 use codex_otel::SessionTelemetry;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use serde_json::Value as JsonValue;
 use std::path::PathBuf;
+use std::sync::Weak;
 use tokio::sync::Mutex;
 use tokio::sync::RwLock;
 use tokio::sync::watch;
@@ -77,7 +80,9 @@ pub(crate) struct SessionServices {
    pub(crate) mcp_manager: Arc<McpManager>,
    pub(crate) file_watcher: Arc<FileWatcher>,
    pub(crate) agent_control: AgentControl,
-    pub(crate) network_proxy: Option<StartedNetworkProxy>,
+    pub(crate) network_proxies: NetworkProxyRegistry,
+    pub(crate) network_policy_decider_session: Option<Arc<RwLock<Weak<Session>>>>,
+    pub(crate) network_blocked_request_observer: Option<Arc<dyn BlockedRequestObserver>>,
    pub(crate) network_approval: Arc<NetworkApprovalService>,
    pub(crate) state_db: Option<StateDbHandle>,
    /// Session-scoped model client shared across turns.
--- a/codex-rs/core/src/tasks/mod.rs
+++ b/codex-rs/core/src/tasks/mod.rs
@@ -46,6 +46,7 @@ use codex_protocol::protocol::RolloutItem;
 use codex_protocol::user_input::UserInput;

 use crate::features::Feature;
+use crate::network_proxy_registry::NetworkProxyScope;
 pub(crate) use compact::CompactTask;
 pub(crate) use ghost_snapshot::GhostSnapshotTask;
 pub(crate) use regular::RegularTask;
@@ -295,7 +296,12 @@ impl Session {
                    "false"
                },
            );
-            let network_proxy_active = match self.services.network_proxy.as_ref() {
+            let network_proxy_active = match self
+                .services
+                .network_proxies
+                .get(&NetworkProxyScope::SessionDefault)
+                .await
+            {
                Some(started_network_proxy) => {
                    match started_network_proxy.proxy().current_cfg().await {
                        Ok(config) => config.network.enabled,
--- a/codex-rs/core/src/tools/network_approval.rs
+++ b/codex-rs/core/src/tools/network_approval.rs
@@ -4,6 +4,7 @@ use crate::guardian::GuardianApprovalRequest;
 use crate::guardian::review_approval_request;
 use crate::guardian::routes_approval_to_guardian;
 use crate::network_policy_decision::denied_network_policy_message;
+use crate::network_proxy_registry::NetworkProxyScope;
 use crate::tools::sandboxing::ToolError;
 use codex_network_proxy::BlockedRequest;
 use codex_network_proxy::BlockedRequestObserver;
@@ -76,14 +77,20 @@ impl ActiveNetworkApproval {

 #[derive(Clone, Debug, Eq, Hash, PartialEq)]
 struct HostApprovalKey {
+    scope: NetworkProxyScope,
    host: String,
    protocol: &'static str,
    port: u16,
 }

 impl HostApprovalKey {
-    fn from_request(request: &NetworkPolicyRequest, protocol: NetworkApprovalProtocol) -> Self {
+    fn from_request(
+        request: &NetworkPolicyRequest,
+        protocol: NetworkApprovalProtocol,
+        scope: NetworkProxyScope,
+    ) -> Self {
        Self {
+            scope,
            host: request.host.to_ascii_lowercase(),
            protocol: protocol_key_label(protocol),
            port: request.port,
@@ -279,6 +286,7 @@ impl NetworkApprovalService {
        &self,
        session: Arc<Session>,
        request: NetworkPolicyRequest,
+        scope: NetworkProxyScope,
    ) -> NetworkDecision {
        const REASON_NOT_ALLOWED: &str = "not_allowed";

@@ -288,7 +296,7 @@ impl NetworkApprovalService {
            NetworkProtocol::Socks5Tcp => NetworkApprovalProtocol::Socks5Tcp,
            NetworkProtocol::Socks5Udp => NetworkApprovalProtocol::Socks5Udp,
        };
-        let key = HostApprovalKey::from_request(&request, protocol);
+        let key = HostApprovalKey::from_request(&request, protocol, scope.clone());

        {
            let denied_hosts = self.session_denied_hosts.lock().await;
@@ -387,6 +395,7 @@ impl NetworkApprovalService {
                        .persist_network_policy_amendment(
                            &network_policy_amendment,
                            &network_approval_context,
+                            &scope,
                        )
                        .await
                    {
@@ -417,6 +426,7 @@ impl NetworkApprovalService {
                        .persist_network_policy_amendment(
                            &network_policy_amendment,
                            &network_approval_context,
+                            &scope,
                        )
                        .await
                    {
@@ -506,16 +516,18 @@ pub(crate) fn build_blocked_request_observer(
 pub(crate) fn build_network_policy_decider(
    network_approval: Arc<NetworkApprovalService>,
    network_policy_decider_session: Arc<RwLock<std::sync::Weak<Session>>>,
+    scope: NetworkProxyScope,
 ) -> Arc<dyn NetworkPolicyDecider> {
    Arc::new(move |request: NetworkPolicyRequest| {
        let network_approval = Arc::clone(&network_approval);
        let network_policy_decider_session = Arc::clone(&network_policy_decider_session);
+        let scope = scope.clone();
        async move {
            let Some(session) = network_policy_decider_session.read().await.upgrade() else {
                return NetworkDecision::ask("not_allowed");
            };
            network_approval
-                .handle_inline_policy_request(session, request)
+                .handle_inline_policy_request(session, request, scope)
                .await
        }
    })
@@ -592,14 +604,22 @@ pub(crate) async fn finish_deferred_network_approval(
 #[cfg(test)]
 mod tests {
    use super::*;
+    use crate::network_proxy_registry::NetworkProxyScope;
    use codex_network_proxy::BlockedRequestArgs;
    use codex_protocol::protocol::AskForApproval;
    use pretty_assertions::assert_eq;

+    fn scope(name: &str) -> NetworkProxyScope {
+        NetworkProxyScope::Skill {
+            path_to_skills_md: format!("/tmp/{name}/SKILL.md").into(),
+        }
+    }
+
    #[tokio::test]
    async fn pending_approvals_are_deduped_per_host_protocol_and_port() {
        let service = NetworkApprovalService::default();
        let key = HostApprovalKey {
+            scope: scope("alpha"),
            host: "example.com".to_string(),
            protocol: "http",
            port: 443,
@@ -617,11 +637,13 @@ mod tests {
    async fn pending_approvals_do_not_dedupe_across_ports() {
        let service = NetworkApprovalService::default();
        let first_key = HostApprovalKey {
+            scope: scope("alpha"),
            host: "example.com".to_string(),
            protocol: "https",
            port: 443,
        };
        let second_key = HostApprovalKey {
+            scope: scope("alpha"),
            host: "example.com".to_string(),
            protocol: "https",
            port: 8443,
@@ -635,6 +657,30 @@ mod tests {
        assert!(!Arc::ptr_eq(&first, &second));
    }

+    #[tokio::test]
+    async fn pending_approvals_do_not_dedupe_across_proxy_scopes() {
+        let service = NetworkApprovalService::default();
+        let first_key = HostApprovalKey {
+            scope: scope("alpha"),
+            host: "example.com".to_string(),
+            protocol: "https",
+            port: 443,
+        };
+        let second_key = HostApprovalKey {
+            scope: scope("beta"),
+            host: "example.com".to_string(),
+            protocol: "https",
+            port: 443,
+        };
+
+        let (first, first_is_owner) = service.get_or_create_pending_approval(first_key).await;
+        let (second, second_is_owner) = service.get_or_create_pending_approval(second_key).await;
+
+        assert!(first_is_owner);
+        assert!(second_is_owner);
+        assert!(!Arc::ptr_eq(&first, &second));
+    }
+
    #[tokio::test]
    async fn session_approved_hosts_preserve_protocol_and_port_scope() {
        let source = NetworkApprovalService::default();
@@ -642,16 +688,19 @@ mod tests {
            let mut approved_hosts = source.session_approved_hosts.lock().await;
            approved_hosts.extend([
                HostApprovalKey {
+                    scope: scope("alpha"),
                    host: "example.com".to_string(),
                    protocol: "https",
                    port: 443,
                },
                HostApprovalKey {
+                    scope: scope("alpha"),
                    host: "example.com".to_string(),
                    protocol: "https",
                    port: 8443,
                },
                HostApprovalKey {
+                    scope: scope("alpha"),
                    host: "example.com".to_string(),
                    protocol: "http",
                    port: 80,
@@ -669,22 +718,27 @@ mod tests {
            .iter()
            .cloned()
            .collect::<Vec<_>>();
-        copied.sort_by(|a, b| (&a.host, a.protocol, a.port).cmp(&(&b.host, b.protocol, b.port)));
+        copied.sort_by(|a, b| {
+            (&a.host, a.protocol, a.port, &a.scope).cmp(&(&b.host, b.protocol, b.port, &b.scope))
+        });

        assert_eq!(
            copied,
            vec![
                HostApprovalKey {
+                    scope: scope("alpha"),
                    host: "example.com".to_string(),
                    protocol: "http",
                    port: 80,
                },
                HostApprovalKey {
+                    scope: scope("alpha"),
                    host: "example.com".to_string(),
                    protocol: "https",
                    port: 443,
                },
                HostApprovalKey {
+                    scope: scope("alpha"),
                    host: "example.com".to_string(),
                    protocol: "https",
                    port: 8443,
--- a/codex-rs/core/src/tools/runtimes/shell/unix_escalation.rs
+++ b/codex-rs/core/src/tools/runtimes/shell/unix_escalation.rs
@@ -9,6 +9,7 @@ use crate::features::Feature;
 use crate::guardian::GuardianApprovalRequest;
 use crate::guardian::review_approval_request;
 use crate::guardian::routes_approval_to_guardian;
+use crate::network_proxy_registry::NetworkProxyScope;
 use crate::sandboxing::ExecRequest;
 use crate::sandboxing::SandboxPermissions;
 use crate::shell::ShellType;
@@ -50,6 +51,7 @@ use codex_shell_escalation::ShellCommandExecutor;
 use codex_shell_escalation::Stopwatch;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use std::collections::HashMap;
+use std::path::Path;
 use std::path::PathBuf;
 use std::sync::Arc;
 use std::time::Duration;
@@ -126,6 +128,7 @@ pub(super) async fn try_run_zsh_fork(
        ctx.session.services.exec_policy.current().as_ref().clone(),
    ));
    let command_executor = CoreShellCommandExecutor {
+        session: Some(Arc::clone(&ctx.session)),
        command,
        cwd: sandbox_cwd,
        sandbox_policy,
@@ -238,6 +241,7 @@ pub(crate) async fn prepare_unified_exec_zsh_fork(
        ctx.session.services.exec_policy.current().as_ref().clone(),
    ));
    let command_executor = CoreShellCommandExecutor {
+        session: Some(Arc::clone(&ctx.session)),
        command: exec_request.command.clone(),
        cwd: exec_request.cwd.clone(),
        sandbox_policy: exec_request.sandbox_policy.clone(),
@@ -477,26 +481,7 @@ impl CoreShellActionProvider {
    /// an absolute path. The idea is that we check to see whether it matches
    /// any skills.
    async fn find_skill(&self, program: &AbsolutePathBuf) -> Option<SkillMetadata> {
-        let force_reload = false;
-        let skills_outcome = self
-            .session
-            .services
-            .skills_manager
-            .skills_for_cwd(&self.turn.cwd, force_reload)
-            .await;
-
-        let program_path = program.as_path();
-        for skill in skills_outcome.skills {
-            // We intentionally ignore "enabled" status here for now.
-            let Some(skill_root) = skill.path_to_skills_md.parent() else {
-                continue;
-            };
-            if program_path.starts_with(skill_root.join("scripts")) {
-                return Some(skill);
-            }
-        }
-
-        None
+        find_skill_for_program(self.session.as_ref(), self.turn.cwd.as_path(), program).await
    }

    #[allow(clippy::too_many_arguments)]
@@ -605,6 +590,32 @@ impl CoreShellActionProvider {
    }
 }

+async fn find_skill_for_program(
+    session: &crate::codex::Session,
+    cwd: &Path,
+    program: &AbsolutePathBuf,
+) -> Option<SkillMetadata> {
+    let force_reload = false;
+    let skills_outcome = session
+        .services
+        .skills_manager
+        .skills_for_cwd(cwd, force_reload)
+        .await;
+
+    let program_path = program.as_path();
+    for skill in skills_outcome.skills {
+        // We intentionally ignore "enabled" status here for now.
+        let Some(skill_root) = skill.path_to_skills_md.parent() else {
+            continue;
+        };
+        if program_path.starts_with(skill_root.join("scripts")) {
+            return Some(skill);
+        }
+    }
+
+    None
+}
+
 // Shell-wrapper parsing is weaker than direct exec interception because it can
 // only see the script text, not the final resolved executable path. Keep it
 // disabled by default so path-sensitive rules rely on the later authoritative
@@ -821,6 +832,7 @@ fn commands_for_intercepted_exec_policy(
 }

 struct CoreShellCommandExecutor {
+    session: Option<Arc<crate::codex::Session>>,
    command: Vec<String>,
    cwd: PathBuf,
    sandbox_policy: SandboxPolicy,
@@ -844,6 +856,7 @@ struct PrepareSandboxedExecParams<'a> {
    command: Vec<String>,
    workdir: &'a AbsolutePathBuf,
    env: HashMap<String, String>,
+    network: Option<codex_network_proxy::NetworkProxy>,
    sandbox_policy: &'a SandboxPolicy,
    file_system_sandbox_policy: &'a FileSystemSandboxPolicy,
    network_sandbox_policy: NetworkSandboxPolicy,
@@ -925,10 +938,12 @@ impl ShellCommandExecutor for CoreShellCommandExecutor {
                arg0: Some(first_arg.clone()),
            },
            EscalationExecution::TurnDefault => {
+                let network = self.network_for_program(program).await?;
                self.prepare_sandboxed_exec(PrepareSandboxedExecParams {
                    command,
                    workdir,
                    env,
+                    network,
                    sandbox_policy: &self.sandbox_policy,
                    file_system_sandbox_policy: &self.file_system_sandbox_policy,
                    network_sandbox_policy: self.network_sandbox_policy,
@@ -942,12 +957,14 @@ impl ShellCommandExecutor for CoreShellCommandExecutor {
            EscalationExecution::Permissions(EscalationPermissions::PermissionProfile(
                permission_profile,
            )) => {
+                let network = self.network_for_program(program).await?;
                // Merge additive permissions into the existing turn/request sandbox policy.
                // On macOS, additional profile extensions are unioned with the turn defaults.
                self.prepare_sandboxed_exec(PrepareSandboxedExecParams {
                    command,
                    workdir,
                    env,
+                    network,
                    sandbox_policy: &self.sandbox_policy,
                    file_system_sandbox_policy: &self.file_system_sandbox_policy,
                    network_sandbox_policy: self.network_sandbox_policy,
@@ -959,11 +976,13 @@ impl ShellCommandExecutor for CoreShellCommandExecutor {
                })?
            }
            EscalationExecution::Permissions(EscalationPermissions::Permissions(permissions)) => {
+                let network = self.network_for_program(program).await?;
                // Use a fully specified sandbox policy instead of merging into the turn policy.
                self.prepare_sandboxed_exec(PrepareSandboxedExecParams {
                    command,
                    workdir,
                    env,
+                    network,
                    sandbox_policy: &permissions.sandbox_policy,
                    file_system_sandbox_policy: &permissions.file_system_sandbox_policy,
                    network_sandbox_policy: permissions.network_sandbox_policy,
@@ -981,6 +1000,29 @@ impl ShellCommandExecutor for CoreShellCommandExecutor {
 }

 impl CoreShellCommandExecutor {
+    async fn network_for_program(
+        &self,
+        program: &AbsolutePathBuf,
+    ) -> anyhow::Result<Option<codex_network_proxy::NetworkProxy>> {
+        let Some(session) = self.session.as_ref() else {
+            return Ok(self.network.clone());
+        };
+        let Some(skill) =
+            find_skill_for_program(session.as_ref(), &self.sandbox_policy_cwd, program).await
+        else {
+            return Ok(self.network.clone());
+        };
+
+        session
+            .get_or_start_network_proxy(
+                NetworkProxyScope::Skill {
+                    path_to_skills_md: skill.path_to_skills_md,
+                },
+                &self.sandbox_policy,
+            )
+            .await
+    }
+
    #[allow(clippy::too_many_arguments)]
    fn prepare_sandboxed_exec(
        &self,
@@ -990,6 +1032,7 @@ impl CoreShellCommandExecutor {
            command,
            workdir,
            env,
+            network,
            sandbox_policy,
            file_system_sandbox_policy,
            network_sandbox_policy,
@@ -1006,7 +1049,7 @@ impl CoreShellCommandExecutor {
            network_sandbox_policy,
            SandboxablePreference::Auto,
            self.windows_sandbox_level,
-            self.network.is_some(),
+            network.is_some(),
        );
        let mut exec_request =
            sandbox_manager.transform(crate::sandboxing::SandboxTransformRequest {
@@ -1028,8 +1071,8 @@ impl CoreShellCommandExecutor {
                file_system_policy: file_system_sandbox_policy,
                network_policy: network_sandbox_policy,
                sandbox,
-                enforce_managed_network: self.network.is_some(),
-                network: self.network.as_ref(),
+                enforce_managed_network: network.is_some(),
+                network: network.as_ref(),
                sandbox_policy_cwd: &self.sandbox_policy_cwd,
                #[cfg(target_os = "macos")]
                macos_seatbelt_profile_extensions,
--- a/codex-rs/core/src/tools/runtimes/shell/unix_escalation_tests.rs
+++ b/codex-rs/core/src/tools/runtimes/shell/unix_escalation_tests.rs
@@ -565,6 +565,7 @@ host_executable(name = "git", paths = ["{allowed_git_literal}"])
 async fn prepare_escalated_exec_turn_default_preserves_macos_seatbelt_extensions() {
    let cwd = AbsolutePathBuf::from_absolute_path(std::env::temp_dir()).unwrap();
    let executor = CoreShellCommandExecutor {
+        session: None,
        command: vec!["echo".to_string(), "ok".to_string()],
        cwd: cwd.to_path_buf(),
        env: HashMap::new(),
@@ -619,6 +620,7 @@ async fn prepare_escalated_exec_turn_default_preserves_macos_seatbelt_extensions
 async fn prepare_escalated_exec_permissions_preserve_macos_seatbelt_extensions() {
    let cwd = AbsolutePathBuf::from_absolute_path(std::env::temp_dir()).unwrap();
    let executor = CoreShellCommandExecutor {
+        session: None,
        command: vec!["echo".to_string(), "ok".to_string()],
        cwd: cwd.to_path_buf(),
        env: HashMap::new(),
@@ -695,6 +697,7 @@ async fn prepare_escalated_exec_permission_profile_unions_turn_and_requested_mac
    let cwd = AbsolutePathBuf::from_absolute_path(std::env::temp_dir()).unwrap();
    let sandbox_policy = SandboxPolicy::new_read_only_policy();
    let executor = CoreShellCommandExecutor {
+        session: None,
        command: vec!["echo".to_string(), "ok".to_string()],
        cwd: cwd.to_path_buf(),
        env: HashMap::new(),