feat(config): add permissions.network proxy config wiring (#12054)

## Summary Implements the `ConfigToml.permissions.network` and uses it to populate `NetworkProxyConfig`. We now parse a new nested permissions/network config shape which is converted into the proxy’s runtime config. When managed requirements exist, we still apply those constraints on top of user settings (so managed policy still wins). * Cleaned up the old constructor path so it now accepts both user config + managed constraints directly. * Updated the reload path so live proxy config reloads respect [permissions.network] too, while still supporting the existing top-level [network] format. ### Behavior - User-defined `[permissions.network]` values are now honored. - Managed constraints still take effect and are validated against the resulting policy.
2026-04-28 18:32:04 +03:00 · 2026-02-19 13:44:55 -08:00
parent 2668789560
commit 4edb1441a7
5 changed files with 446 additions and 61 deletions
--- a/codex-rs/core/config.schema.json
+++ b/codex-rs/core/config.schema.json
@@ -625,6 +625,70 @@
      ],
      "type": "object"
    },
+    "NetworkModeSchema": {
+      "enum": [
+        "limited",
+        "full"
+      ],
+      "type": "string"
+    },
+    "NetworkToml": {
+      "additionalProperties": false,
+      "properties": {
+        "admin_url": {
+          "type": "string"
+        },
+        "allow_local_binding": {
+          "type": "boolean"
+        },
+        "allow_unix_sockets": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        },
+        "allow_upstream_proxy": {
+          "type": "boolean"
+        },
+        "allowed_domains": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        },
+        "dangerously_allow_non_loopback_admin": {
+          "type": "boolean"
+        },
+        "dangerously_allow_non_loopback_proxy": {
+          "type": "boolean"
+        },
+        "denied_domains": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        },
+        "enable_socks5": {
+          "type": "boolean"
+        },
+        "enable_socks5_udp": {
+          "type": "boolean"
+        },
+        "enabled": {
+          "type": "boolean"
+        },
+        "mode": {
+          "$ref": "#/definitions/NetworkModeSchema"
+        },
+        "proxy_url": {
+          "type": "string"
+        },
+        "socks_url": {
+          "type": "string"
+        }
+      },
+      "type": "object"
+    },
    "Notice": {
      "description": "Settings for notices we display to users via the tui and app-server clients (primarily the Codex IDE extension). NOTE: these are different from notifications - notices are warnings, NUX screens, acknowledgements, etc.",
      "properties": {
@@ -866,6 +930,20 @@
      },
      "type": "object"
    },
+    "PermissionsToml": {
+      "additionalProperties": false,
+      "properties": {
+        "network": {
+          "allOf": [
+            {
+              "$ref": "#/definitions/NetworkToml"
+            }
+          ],
+          "description": "Network proxy settings from `[permissions.network]`. User config can enable the proxy; managed requirements may still constrain values."
+        }
+      },
+      "type": "object"
+    },
    "Personality": {
      "enum": [
        "none",
@@ -1718,6 +1796,15 @@
      ],
      "description": "OTEL configuration."
    },
+    "permissions": {
+      "allOf": [
+        {
+          "$ref": "#/definitions/PermissionsToml"
+        }
+      ],
+      "default": null,
+      "description": "Nested permissions settings."
+    },
    "personality": {
      "allOf": [
        {