Skip to content

Prepare managed network sandbox context#29456

Open
jif-oai wants to merge 5 commits into
mainfrom
jif/prepare-managed-network
Open

Prepare managed network sandbox context#29456
jif-oai wants to merge 5 commits into
mainfrom
jif/prepare-managed-network

Conversation

@jif-oai

@jif-oai jif-oai commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Why

Managed network configures commands to use local HTTP and SOCKS proxies. For commands delegated to the exec server, the proxy environment and the sandbox policy were prepared separately. On macOS, that meant a command could receive HTTPS_PROXY=http://127.0.0.1:43123 while Seatbelt still denied access to port 43123.

What changed

NetworkProxy now prepares the command environment and sandbox context together from the same runtime snapshot:

Prepared managed network
├── command environment: HTTPS_PROXY=http://127.0.0.1:43123
└── sandbox context: allow outbound to 127.0.0.1:43123

That context travels with remote exec requests. The exec server preserves the managed proxy and CA environment, and macOS Seatbelt allows only the prepared loopback proxy ports without enabling broad network access or local binding.

The protocol field is optional and the existing enforcement flag remains in place, preserving compatibility with callers that do not send the new context.

@jif-oai jif-oai requested a review from a team as a code owner June 22, 2026 16:02
@jif-oai

jif-oai commented Jun 22, 2026

Copy link
Copy Markdown
Collaborator Author

@codex review

chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Jun 22, 2026
View reviewed changes

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 869f37eadd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/exec-server/Cargo.toml
@jif-oai

jif-oai commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

@codex review

chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Jun 23, 2026
View reviewed changes

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2bd224f3b8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/exec-server/Cargo.toml
Comment thread codex-rs/core/src/tools/runtimes/unified_exec.rs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jif-oai