refactor(proxy): clarify sandbox block messages (#17168)

## Summary - Replace Codex-branded network-proxy block responses with concise reason text - Mention sandbox policy for local/private network and deny-policy wording - Remove “managed” from the proxy-disabled denial detail
2026-05-02 04:11:39 +03:00 · 2026-04-09 10:53:06 -07:00
parent 76de99ff25
commit 7ab825e047
2 changed files with 11 additions and 18 deletions
--- a/codex-rs/network-proxy/src/responses.rs
+++ b/codex-rs/network-proxy/src/responses.rs
@@ -6,6 +6,7 @@ use crate::reasons::REASON_METHOD_NOT_ALLOWED;
 use crate::reasons::REASON_MITM_REQUIRED;
 use crate::reasons::REASON_NOT_ALLOWED;
 use crate::reasons::REASON_NOT_ALLOWED_LOCAL;
+use crate::reasons::REASON_PROXY_DISABLED;
 use rama_http::Body;
 use rama_http::Response;
 use rama_http::StatusCode;
@@ -59,18 +60,13 @@ pub fn blocked_header_value(reason: &str) -> &'static str {

 pub fn blocked_message(reason: &str) -> &'static str {
    match reason {
-        REASON_NOT_ALLOWED => {
-            "Codex blocked this request: domain not in allowlist (this is not a denylist block)."
-        }
-        REASON_NOT_ALLOWED_LOCAL => {
-            "Codex blocked this request: local/private addresses not allowed."
-        }
-        REASON_DENIED => "Codex blocked this request: domain denied by policy.",
-        REASON_METHOD_NOT_ALLOWED => {
-            "Codex blocked this request: method not allowed in limited mode."
-        }
-        REASON_MITM_REQUIRED => "Codex blocked this request: MITM required for limited HTTPS.",
-        _ => "Codex blocked this request by network policy.",
+        REASON_NOT_ALLOWED => "Domain not in allowlist.",
+        REASON_NOT_ALLOWED_LOCAL => "Sandbox policy blocks local/private network addresses.",
+        REASON_DENIED => "Domain denied by the sandbox policy.",
+        REASON_METHOD_NOT_ALLOWED => "Method not allowed in limited mode.",
+        REASON_MITM_REQUIRED => "MITM required for limited HTTPS.",
+        REASON_PROXY_DISABLED => "network proxy is disabled",
+        _ => "Request blocked by network policy.",
    }
 }

@@ -117,9 +113,6 @@ mod tests {
        };

        let message = blocked_message_with_policy(REASON_NOT_ALLOWED, &details);
-        assert_eq!(
-            message,
-            "Codex blocked this request: domain not in allowlist (this is not a denylist block)."
-        );
+        assert_eq!(message, "Domain not in allowlist.");
    }
 }