feat: introducing a network sandbox proxy (#8442)

This add a new crate, `codex-network-proxy`, a local network proxy service used by Codex to enforce fine-grained network policy (domain allow/deny) and to surface blocked network events for interactive approvals. - New crate: `codex-rs/network-proxy/` (`codex-network-proxy` binary + library) - Core capabilities: - HTTP proxy support (including CONNECT tunneling) - SOCKS5 proxy support (in the later PR) - policy evaluation (allowed/denied domain lists; denylist wins; wildcard support) - small admin API for polling/reload/mode changes - optional MITM support for HTTPS CONNECT to enforce “limited mode” method restrictions (later PR) Will follow up integration with codex in subsequent PRs. ## Testing - `cd codex-rs && cargo build -p codex-network-proxy` - `cd codex-rs && cargo run -p codex-network-proxy -- proxy`
2026-05-01 03:42:05 +03:00 · 2026-01-23 20:47:09 -05:00
parent 69cfc73dc6
commit 77222492f9
22 changed files with 4904 additions and 21 deletions
--- a/.github/scripts/install-musl-build-tools.sh
+++ b/.github/scripts/install-musl-build-tools.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${TARGET:?TARGET environment variable is required}"
+: "${GITHUB_ENV:?GITHUB_ENV environment variable is required}"
+
+apt_update_args=()
+if [[ -n "${APT_UPDATE_ARGS:-}" ]]; then
+  # shellcheck disable=SC2206
+  apt_update_args=(${APT_UPDATE_ARGS})
+fi
+
+apt_install_args=()
+if [[ -n "${APT_INSTALL_ARGS:-}" ]]; then
+  # shellcheck disable=SC2206
+  apt_install_args=(${APT_INSTALL_ARGS})
+fi
+
+sudo apt-get update "${apt_update_args[@]}"
+sudo apt-get install -y "${apt_install_args[@]}" musl-tools pkg-config g++ clang libc++-dev libc++abi-dev lld
+
+case "${TARGET}" in
+  x86_64-unknown-linux-musl)
+    arch="x86_64"
+    ;;
+  aarch64-unknown-linux-musl)
+    arch="aarch64"
+    ;;
+  *)
+    echo "Unexpected musl target: ${TARGET}" >&2
+    exit 1
+    ;;
+esac
+
+if command -v clang++ >/dev/null; then
+  cxx="$(command -v clang++)"
+  echo "CXXFLAGS=--target=${TARGET} -stdlib=libc++ -pthread" >> "$GITHUB_ENV"
+  echo "CFLAGS=--target=${TARGET} -pthread" >> "$GITHUB_ENV"
+  if command -v clang >/dev/null; then
+    cc="$(command -v clang)"
+    echo "CC=${cc}" >> "$GITHUB_ENV"
+    echo "TARGET_CC=${cc}" >> "$GITHUB_ENV"
+    target_cc_var="CC_${TARGET}"
+    target_cc_var="${target_cc_var//-/_}"
+    echo "${target_cc_var}=${cc}" >> "$GITHUB_ENV"
+  fi
+elif command -v "${arch}-linux-musl-g++" >/dev/null; then
+  cxx="$(command -v "${arch}-linux-musl-g++")"
+elif command -v musl-g++ >/dev/null; then
+  cxx="$(command -v musl-g++)"
+elif command -v musl-gcc >/dev/null; then
+  cxx="$(command -v musl-gcc)"
+  echo "CFLAGS=-pthread" >> "$GITHUB_ENV"
+else
+  echo "musl g++ not found after install; arch=${arch}" >&2
+  exit 1
+fi
+
+echo "CXX=${cxx}" >> "$GITHUB_ENV"
+echo "CMAKE_CXX_COMPILER=${cxx}" >> "$GITHUB_ENV"
+echo "CMAKE_ARGS=-DCMAKE_HAVE_THREADS_LIBRARY=1 -DCMAKE_USE_PTHREADS_INIT=1 -DCMAKE_THREAD_LIBS_INIT=-pthread -DTHREADS_PREFER_PTHREAD_FLAG=ON" >> "$GITHUB_ENV"