Cache cloud requirements (#11305)

We're loading these from the web on every startup. This puts them in a local file with a 1hr TTL. We sign the downloaded requirements with a key compiled into the Codex CLI to prevent unsophisticated tampering (determined circumvention is outside of our threat model: after all, one could just compile Codex without any of these checks). If any of the following are true, we ignore the local cache and re-fetch from Cloud: * The signature is invalid for the payload (== requirements, sign time, ttl, user identity) * The identity does not match the auth'd user's identity * The TTL has expired * We cannot parse requirements.toml from the payload
2026-05-01 11:52:10 +03:00 · 2026-02-11 14:06:41 +00:00
parent f5d4a21098
commit 886d9377d3
7 changed files with 666 additions and 29 deletions
--- a/codex-rs/app-server/src/lib.rs
+++ b/codex-rs/app-server/src/lib.rs
@@ -237,7 +237,11 @@ pub async fn run_main(
                false,
                config.cli_auth_credentials_store_mode,
            );
-            cloud_requirements_loader(auth_manager, config.chatgpt_base_url)
+            cloud_requirements_loader(
+                auth_manager,
+                config.chatgpt_base_url,
+                config.codex_home.clone(),
+            )
        }
        Err(err) => {
            warn!(error = %err, "Failed to preload config for cloud requirements");