network-proxy: store MITM certs under CODEX_HOME/proxy

codex-rs/network-proxy/README.md

@@ -35,6 +35,15 @@ dangerously_allow_non_loopback_proxy = false
 dangerously_allow_non_loopback_admin = false
 mode = "full" # default when unset; use "limited" for read-only mode
 
+[network.mitm]
+# When enabled, HTTPS CONNECT can be terminated so limited-mode method policy still applies.
+# CA cert/key paths are relative to CODEX_HOME by default.
+enabled = false
+ca_cert_path = "proxy/ca.pem"
+ca_key_path = "proxy/ca.key"
+# Maximum size of request/response bodies MITM will buffer for inspection.
+max_body_bytes = 1048576
+
 # Hosts must match the allowlist (unless denied).
 # If `allowed_domains` is empty, the proxy blocks requests until an allowlist is configured.
 allowed_domains = ["*.openai.com"]

codex-rs/network-proxy/src/config.rs

@@ -131,11 +131,11 @@ fn default_socks_url() -> String {
 }
 
 fn default_ca_cert_path() -> PathBuf {
-    PathBuf::from("network_proxy/mitm/ca.pem")
+    PathBuf::from("proxy/ca.pem")
 }
 
 fn default_ca_key_path() -> PathBuf {
-    PathBuf::from("network_proxy/mitm/ca.key")
+    PathBuf::from("proxy/ca.key")
 }
 
 fn default_mitm_max_body_bytes() -> usize {

codex-rs/network-proxy/src/init.rs

@@ -6,13 +6,11 @@ use tracing::info;
 
 pub fn run_init() -> Result<()> {
     let codex_home = find_codex_home().context("failed to resolve CODEX_HOME")?;
-    let root = codex_home.join("network_proxy");
-    let mitm_dir = root.join("mitm");
+    let proxy_dir = codex_home.join("proxy");
 
-    fs::create_dir_all(&root).with_context(|| format!("failed to create {}", root.display()))?;
-    fs::create_dir_all(&mitm_dir)
-        .with_context(|| format!("failed to create {}", mitm_dir.display()))?;
+    fs::create_dir_all(&proxy_dir)
+        .with_context(|| format!("failed to create {}", proxy_dir.display()))?;
 
-    info!("ensured {}", mitm_dir.display());
+    info!("ensured {}", proxy_dir.display());
     Ok(())
 }