core-agent-ide/codex-rs/keyring-store/Cargo.toml

[package]
name = "codex-keyring-store"
version.workspace = true
edition.workspace = true
license.workspace = true

[lints]
workspace = true

[dependencies]
keyring = { workspace = true, features = ["crypto-rust"] }
tracing = { workspace = true }

[target.'cfg(target_os = "linux")'.dependencies]
keyring = { workspace = true, features = ["linux-native-async-persistent"] }

[target.'cfg(target_os = "macos")'.dependencies]
keyring = { workspace = true, features = ["apple-native"] }

[target.'cfg(target_os = "windows")'.dependencies]
keyring = { workspace = true, features = ["windows-native"] }

[target.'cfg(any(target_os = "freebsd", target_os = "openbsd"))'.dependencies]
keyring = { workspace = true, features = ["sync-secret-service"] }
[Auth] Add keyring support for Codex CLI (#5591) Follow-up PR to #5569. Add Keyring Support for Auth Storage in Codex CLI as well as a hybrid mode (default to persisting in keychain but fall back to file when unavailable.) It also refactors out the keyringstore implementation from rmcp-client [here](https://github.com/openai/codex/blob/main/codex-rs/rmcp-client/src/oauth.rs) to a new keyring-store crate. There will be a follow-up that picks the right credential mode depending on the config, instead of hardcoding `AuthCredentialsStoreMode::File`. 2025-10-27 12:10:11 -07:00			`[package]`
			`name = "codex-keyring-store"`
chore: add cargo-deny configuration (#7119) - add GitHub workflow running cargo-deny on push/PR - document cargo-deny allowlist with workspace-dep notes and advisory ignores - align workspace crates to inherit version/edition/license for consistent checks 2025-11-24 12:22:18 -08:00			`version.workspace = true`
			`edition.workspace = true`
			`license.workspace = true`
[Auth] Add keyring support for Codex CLI (#5591) Follow-up PR to #5569. Add Keyring Support for Auth Storage in Codex CLI as well as a hybrid mode (default to persisting in keychain but fall back to file when unavailable.) It also refactors out the keyringstore implementation from rmcp-client [here](https://github.com/openai/codex/blob/main/codex-rs/rmcp-client/src/oauth.rs) to a new keyring-store crate. There will be a follow-up that picks the right credential mode depending on the config, instead of hardcoding `AuthCredentialsStoreMode::File`. 2025-10-27 12:10:11 -07:00
			`[lints]`
			`workspace = true`

			`[dependencies]`
Fix FreeBSD/OpenBSD builds: target-specific keyring features and BSD hardening (#6680) ## Summary Builds on FreeBSD and OpenBSD were failing due to globally enabled Linux-specific keyring features and hardening code paths not gated by OS. This PR scopes keyring native backends to the appropriate targets, disables default features at the workspace root, and adds a BSD-specific hardening function. Linux/macOS/Windows behavior remains unchanged, while FreeBSD/OpenBSD now build and run with a supported backend. ## Key Changes - Keyring features: - Disable keyring default features at the workspace root to avoid pulling Linux backends on non-Linux. - Move native backend features into target-specific sections in the affected crates: - Linux: linux-native-async-persistent - macOS: apple-native - Windows: windows-native - FreeBSD/OpenBSD: sync-secret-service - Process hardening: - Add pre_main_hardening_bsd() for FreeBSD/OpenBSD, applying: - Set RLIMIT_CORE to 0 - Clear LD_* environment variables - Simplify process-hardening Cargo deps to unconditional libc (avoid conflicting OS fragments). - No changes to CODEX_SANDBOX_* behavior. ## Rationale - Previously, enabling keyring native backends globally pulled Linux-only features on BSD, causing build errors. - Hardening logic was tailored for Linux/macOS; BSD builds lacked a gated path with equivalent safeguards. - Target-scoped features and BSD hardening make the crates portable across these OSes without affecting existing behavior elsewhere. ## Impact by Platform - Linux: No functional change; backends now selected via target cfg. - macOS: No functional change; explicit apple-native mapping. - Windows: No functional change; explicit windows-native mapping. - FreeBSD/OpenBSD: Builds succeed using sync-secret-service; BSD hardening applied during startup. ## Testing - Verified compilation across affected crates with target-specific features. - Smoke-checked that Linux/macOS/Windows feature sets remain identical functionally after scoping. - On BSD, confirmed keyring resolves to sync-secret-service and hardening compiles. ## Risks / Compatibility - Minimal risk: only feature scoping and OS-gated additions. - No public API changes in the crates; runtime behavior on non-BSD platforms is preserved. - On BSD, the new hardening clears LD_; this is consistent with security posture on other Unix platforms. ## Reviewer Notes - Pay attention to target-specific sections for keyring in the affected Cargo.toml files. - Confirm pre_main_hardening_bsd() mirrors the safe subset of Linux/macOS hardening without introducing Linux-only calls. - Confirm no references to CODEX_SANDBOX_ENV_VAR or CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR were added/modified. ## Checklist - Disable keyring default features at workspace root. - Target-specific keyring features mapped per OS (Linux/macOS/Windows/BSD). - Add BSD hardening (RLIMIT_CORE=0, clear LD_). - Simplify process-hardening dependencies to unconditional libc. - No changes to sandbox env var code. - Formatting and linting: just fmt + just fix -p for changed crates. - Project tests pass for changed crates; broader suite unchanged. --------- Co-authored-by: celia-oai <celia@openai.com> 2025-11-16 23:07:34 -06:00			`keyring = { workspace = true, features = ["crypto-rust"] }`
[Auth] Add keyring support for Codex CLI (#5591) Follow-up PR to #5569. Add Keyring Support for Auth Storage in Codex CLI as well as a hybrid mode (default to persisting in keychain but fall back to file when unavailable.) It also refactors out the keyringstore implementation from rmcp-client [here](https://github.com/openai/codex/blob/main/codex-rs/rmcp-client/src/oauth.rs) to a new keyring-store crate. There will be a follow-up that picks the right credential mode depending on the config, instead of hardcoding `AuthCredentialsStoreMode::File`. 2025-10-27 12:10:11 -07:00			`tracing = { workspace = true }`
Fix FreeBSD/OpenBSD builds: target-specific keyring features and BSD hardening (#6680) ## Summary Builds on FreeBSD and OpenBSD were failing due to globally enabled Linux-specific keyring features and hardening code paths not gated by OS. This PR scopes keyring native backends to the appropriate targets, disables default features at the workspace root, and adds a BSD-specific hardening function. Linux/macOS/Windows behavior remains unchanged, while FreeBSD/OpenBSD now build and run with a supported backend. ## Key Changes - Keyring features: - Disable keyring default features at the workspace root to avoid pulling Linux backends on non-Linux. - Move native backend features into target-specific sections in the affected crates: - Linux: linux-native-async-persistent - macOS: apple-native - Windows: windows-native - FreeBSD/OpenBSD: sync-secret-service - Process hardening: - Add pre_main_hardening_bsd() for FreeBSD/OpenBSD, applying: - Set RLIMIT_CORE to 0 - Clear LD_* environment variables - Simplify process-hardening Cargo deps to unconditional libc (avoid conflicting OS fragments). - No changes to CODEX_SANDBOX_* behavior. ## Rationale - Previously, enabling keyring native backends globally pulled Linux-only features on BSD, causing build errors. - Hardening logic was tailored for Linux/macOS; BSD builds lacked a gated path with equivalent safeguards. - Target-scoped features and BSD hardening make the crates portable across these OSes without affecting existing behavior elsewhere. ## Impact by Platform - Linux: No functional change; backends now selected via target cfg. - macOS: No functional change; explicit apple-native mapping. - Windows: No functional change; explicit windows-native mapping. - FreeBSD/OpenBSD: Builds succeed using sync-secret-service; BSD hardening applied during startup. ## Testing - Verified compilation across affected crates with target-specific features. - Smoke-checked that Linux/macOS/Windows feature sets remain identical functionally after scoping. - On BSD, confirmed keyring resolves to sync-secret-service and hardening compiles. ## Risks / Compatibility - Minimal risk: only feature scoping and OS-gated additions. - No public API changes in the crates; runtime behavior on non-BSD platforms is preserved. - On BSD, the new hardening clears LD_; this is consistent with security posture on other Unix platforms. ## Reviewer Notes - Pay attention to target-specific sections for keyring in the affected Cargo.toml files. - Confirm pre_main_hardening_bsd() mirrors the safe subset of Linux/macOS hardening without introducing Linux-only calls. - Confirm no references to CODEX_SANDBOX_ENV_VAR or CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR were added/modified. ## Checklist - Disable keyring default features at workspace root. - Target-specific keyring features mapped per OS (Linux/macOS/Windows/BSD). - Add BSD hardening (RLIMIT_CORE=0, clear LD_). - Simplify process-hardening dependencies to unconditional libc. - No changes to sandbox env var code. - Formatting and linting: just fmt + just fix -p for changed crates. - Project tests pass for changed crates; broader suite unchanged. --------- Co-authored-by: celia-oai <celia@openai.com> 2025-11-16 23:07:34 -06:00
			`[target.'cfg(target_os = "linux")'.dependencies]`
			`keyring = { workspace = true, features = ["linux-native-async-persistent"] }`

			`[target.'cfg(target_os = "macos")'.dependencies]`
			`keyring = { workspace = true, features = ["apple-native"] }`

			`[target.'cfg(target_os = "windows")'.dependencies]`
			`keyring = { workspace = true, features = ["windows-native"] }`

			`[target.'cfg(any(target_os = "freebsd", target_os = "openbsd"))'.dependencies]`
			`keyring = { workspace = true, features = ["sync-secret-service"] }`