Move sanitizer into codex-secrets (#12306)

## Summary
- move the sanitizer implementation into `codex-secrets`
(`secrets/src/sanitizer.rs`) and re-export `redact_secrets`
- switch `codex-core` to depend on/import `codex-secrets` for sanitizer
usage
- remove the old `utils/sanitizer` crate wiring and refresh lockfiles

## Testing
- `just fmt`
- `cargo test -p codex-secrets`
- `cargo test -p codex-core --no-run`
- `cargo clippy -p codex-secrets -p codex-core --all-targets
--all-features -- -D warnings`
- `just bazel-lock-update`
- `just bazel-lock-check`

## Notes
- not run: `cargo test --all-features` (full workspace suite)

codex-rs/Cargo.lock

@@ -1637,6 +1637,7 @@ dependencies = [
  "codex-otel",
  "codex-protocol",
  "codex-rmcp-client",
+ "codex-secrets",
  "codex-shell-command",
  "codex-state",
  "codex-utils-absolute-path",
@@ -1644,7 +1645,6 @@ dependencies = [
  "codex-utils-home-dir",
  "codex-utils-pty",
  "codex-utils-readiness",
- "codex-utils-sanitizer",
  "codex-utils-string",
  "codex-windows-sandbox",
  "core-foundation 0.9.4",
@@ -2151,6 +2151,7 @@ dependencies = [
  "keyring",
  "pretty_assertions",
  "rand 0.9.2",
+ "regex",
  "schemars 0.8.22",
  "serde",
  "serde_json",
@@ -2439,13 +2440,6 @@ dependencies = [
  "pretty_assertions",
 ]
 
-[[package]]
-name = "codex-utils-sanitizer"
-version = "0.0.0"
-dependencies = [
- "regex",
-]
-
 [[package]]
 name = "codex-utils-sleep-inhibitor"
 version = "0.0.0"

codex-rs/Cargo.toml

@@ -53,7 +53,6 @@ members = [
     "utils/cli",
     "utils/elapsed",
     "utils/sandbox-summary",
-    "utils/sanitizer",
     "utils/sleep-inhibitor",
     "utils/approval-presets",
     "utils/oss",
@@ -131,7 +130,6 @@ codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
 codex-utils-rustls-provider = { path = "utils/rustls-provider" }
 codex-utils-sandbox-summary = { path = "utils/sandbox-summary" }
-codex-utils-sanitizer = { path = "utils/sanitizer" }
 codex-utils-sleep-inhibitor = { path = "utils/sleep-inhibitor" }
 codex-utils-string = { path = "utils/string" }
 codex-windows-sandbox = { path = "windows-sandbox-rs" }

codex-rs/core/Cargo.toml

@@ -48,7 +48,7 @@ codex-utils-absolute-path = { workspace = true }
 codex-utils-home-dir = { workspace = true }
 codex-utils-pty = { workspace = true }
 codex-utils-readiness = { workspace = true }
-codex-utils-sanitizer = { workspace = true }
+codex-secrets = { workspace = true }
 codex-utils-string = { workspace = true }
 codex-windows-sandbox = { package = "codex-windows-sandbox", path = "../windows-sandbox-rs" }
 dirs = { workspace = true }

codex-rs/core/src/memories/phase1.rs

@@ -20,7 +20,7 @@ use codex_protocol::openai_models::ModelInfo;
 use codex_protocol::openai_models::ReasoningEffort as ReasoningEffortConfig;
 use codex_protocol::protocol::RolloutItem;
 use codex_protocol::protocol::TokenUsage;
-use codex_utils_sanitizer::redact_secrets;
+use codex_secrets::redact_secrets;
 use futures::StreamExt;
 use serde::Deserialize;
 use serde_json::Value;

codex-rs/secrets/BUILD.bazel

@@ -0,0 +1,6 @@
+load("//:defs.bzl", "codex_rust_crate")
+
+codex_rust_crate(
+    name = "secrets",
+    crate_name = "codex_secrets",
+)

codex-rs/secrets/Cargo.toml

@@ -13,6 +13,7 @@ anyhow = { workspace = true }
 base64 = { workspace = true }
 codex-keyring-store = { workspace = true }
 rand = { workspace = true }
+regex = { workspace = true }
 schemars = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }

codex-rs/secrets/src/lib.rs

@@ -13,8 +13,10 @@ use sha2::Digest;
 use sha2::Sha256;
 
 mod local;
+mod sanitizer;
 
 pub use local::LocalSecretsBackend;
+pub use sanitizer::redact_secrets;
 
 const KEYRING_SERVICE: &str = "codex";
 

codex-rs/utils/sanitizer/BUILD.bazel

@@ -1,6 +0,0 @@
-load("//:defs.bzl", "codex_rust_crate")
-
-codex_rust_crate(
-    name = "sanitizer",
-    crate_name = "codex_utils_sanitizer",
-)

codex-rs/utils/sanitizer/Cargo.toml

@@ -1,11 +0,0 @@
-[package]
-name = "codex-utils-sanitizer"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
-
-[dependencies]
-regex = "1.12.3"
-
-[lints]
-workspace = true