Problem
AgentSight currently does not support capturing LLM calls from OpenAI Codex. Codex is built as a stripped static-PIE musl Rust binary that links rustls + ring, which the existing sslsniff probe cannot cover:
- No stable exported symbols like
SSL_write / SSL_read after stripping.
- Rust ABI is unstable and compiler-specific.
- Trait methods are often monomorphized or inlined, so there is no stable vtable entry.
- Function prologues change across compilations, unlike BoringSSL.
As a result, AgentSight cannot observe Codex's Chat Completions request body or reliably compute input/output token counts.
Proposed Solution
Add a rustls-aware plaintext capture path for static Rust binaries:
- Discover candidate hook offsets generically via
.eh_frame, .rodata rustls source paths, and panic::Location cross-references.
- Attach a minimal BPF uprobe tap on the discovered candidates.
- Reassemble plaintext fragments into OpenAI-style SSE streams for the existing analyzer pipeline.
- Find a request-side hook point inside the rustls/ring encryption path so that
request.messages and token metadata can be captured or computed locally.
Component
Additional Context
The response-side SSE stream can already be reconstructed in prototype work, but without the request side the record remains incomplete. The root cause is that Codex encrypts the request body through rustls internal paths that differ from the decryption paths the current candidates intercept.
Problem
AgentSight currently does not support capturing LLM calls from OpenAI Codex. Codex is built as a stripped static-PIE musl Rust binary that links
rustls + ring, which the existingsslsniffprobe cannot cover:SSL_write/SSL_readafter stripping.As a result, AgentSight cannot observe Codex's Chat Completions request body or reliably compute input/output token counts.
Proposed Solution
Add a rustls-aware plaintext capture path for static Rust binaries:
.eh_frame,.rodatarustls source paths, andpanic::Locationcross-references.request.messagesand token metadata can be captured or computed locally.Component
sight(agentsight)cosh(copilot-shell)agent-sec(agent-sec-core)tokenlessAdditional Context
The response-side SSE stream can already be reconstructed in prototype work, but without the request side the record remains incomplete. The root cause is that Codex encrypts the request body through rustls internal paths that differ from the decryption paths the current candidates intercept.