core-agent-ide

Agent IDE — Codex fork for AI-native development environment

Find a file

mcgrew-oai 9a393c9b6f feat(network-proxy): add embedded OTEL policy audit logging (#12046 ) PR Summary This PR adds embedded-only OTEL policy audit logging for `codex-network-proxy` and threads audit metadata from `codex-core` into managed proxy startup. ### What changed - Added structured audit event emission in `network_policy.rs` with target `codex_otel.network_proxy`. - Emitted: - `codex.network_proxy.domain_policy_decision` once per domain-policy evaluation. - `codex.network_proxy.block_decision` for non-domain denies. - Added required policy/network fields, RFC3339 UTC millisecond `event.timestamp`, and fallback defaults (`http.request.method="none"`, `client.address="unknown"`). - Added non-domain deny audit emission in HTTP/SOCKS handlers for mode-guard and proxy-state denies, including unix-socket deny paths. - Added `REASON_UNIX_SOCKET_UNSUPPORTED` and used it for unsupported unix-socket auditing. - Added `NetworkProxyAuditMetadata` to runtime/state, re-exported from `lib.rs` and `state.rs`. - Added `start_proxy_with_audit_metadata(...)` in core config, with `start_proxy()` delegating to default metadata. - Wired metadata construction in `codex.rs` from session/auth context, including originator sanitization for OTEL-safe tagging. - Updated `network-proxy/README.md` with embedded-mode audit schema and behavior notes. - Refactored HTTP block-audit emission to a small local helper to reduce duplication. - Preserved existing unix-socket proxy-disabled host/path behavior for responses and blocked history while using an audit-only endpoint override (`server.address="unix-socket"`, `server.port=0`). ### Explicit exclusions - No standalone proxy OTEL startup work. - No `main.rs` binary wiring. - No `standalone_otel.rs`. - No standalone docs/tests. ### Tests - Extended `network_policy.rs` tests for event mapping, metadata propagation, fallbacks, timestamp format, and target prefix. - Extended HTTP tests to assert unix-socket deny block audit events. - Extended SOCKS tests to cover deny emission from handler deny branches. - Added/updated core tests to verify audit metadata threading into managed proxy state. ### Validation run - `just fmt` - `cargo test -p codex-network-proxy` ✅ - `cargo test -p codex-core` ran with one unrelated flaky timeout (`shell_snapshot::tests::snapshot_shell_does_not_inherit_stdin`), and the test passed when rerun directly ✅ --------- Co-authored-by: viyatb-oai <viyatb@openai.com>		2026-02-25 11:46:37 -05:00
.codex/skills	Add PR babysitting skill for this repo (#12513 )	2026-02-22 15:36:28 -08:00
.devcontainer	chore: install an extension for TOML syntax highlighting in the devcontainer (#1650 )	2025-07-22 10:58:09 -07:00
.github	tests(js_repl): stabilize CI runtime test execution (#12407 )	2026-02-24 21:04:34 -08:00
.vscode	Move rust analyzer target dir (#5328 )	2025-10-18 17:31:46 -07:00
codex-cli	Update pnpm versions to fix cve-2026-24842 (#12009 )	2026-02-19 14:27:55 -08:00
codex-rs	feat(network-proxy): add embedded OTEL policy audit logging (#12046 )	2026-02-25 11:46:37 -05:00
docs	Agent jobs (spawn_agents_on_csv) + progress UI (#10935 )	2026-02-24 21:00:19 +00:00
patches	voice transcription (#3381 )	2026-02-23 22:15:18 +00:00
scripts	bazel: enforce MODULE.bazel.lock sync with Cargo.lock (#11790 )	2026-02-14 02:11:19 +00:00
sdk/typescript	Update pnpm versions to fix cve-2026-24842 (#12009 )	2026-02-19 14:27:55 -08:00
shell-tool-mcp	refactor: delete exec-server and move execve wrapper into shell-escalation (#12632 )	2026-02-23 20:10:22 -08:00
third_party	Add feature-gated freeform js_repl core runtime (#10674 )	2026-02-11 12:05:02 -08:00
.bazelignore	[bazel] Improve runfiles handling (#10098 )	2026-01-29 00:15:44 +00:00
.bazelrc	[bazel] Upgrade some rulesets in preparation for enabling windows (#11109 )	2026-02-08 13:40:32 -08:00
.bazelversion	[bazel] Upgrade to bazel9 (#9576 )	2026-01-21 13:25:36 +00:00
.codespellignore	feat(network-proxy): structured policy signaling and attempt correlation to core (#11662 )	2026-02-13 09:01:11 +00:00
.codespellrc	feat(network-proxy): structured policy signaling and attempt correlation to core (#11662 )	2026-02-13 09:01:11 +00:00
.gitignore	gitignore bazel-* (#8911 )	2026-01-08 07:50:58 -08:00
.markdownlint-cli2.yaml	fix(tui): document paste-burst state machine (#9020 )	2026-01-13 11:48:31 -08:00
.npmrc	chore: migrate to pnpm for improved monorepo management (#287 )	2025-04-18 16:25:15 -07:00
.prettierignore	[apply-patch] Clean up apply-patch tool definitions (#2539 )	2025-08-21 20:07:41 -07:00
.prettierrc.toml	Initial commit	2025-04-16 12:56:08 -04:00
AGENTS.md	feat: discourage the use of the --all-features flag (#12429 )	2026-02-20 23:02:24 -08:00
announcement_tip.toml	nit: test an (#10892 )	2026-02-06 14:41:53 +01:00
BUILD.bazel	voice transcription (#3381 )	2026-02-23 22:15:18 +00:00
CHANGELOG.md	Documentation improvement: add missing period (#3754 )	2025-10-30 13:01:33 -07:00
cliff.toml	docs(changelog): update install command to @openai/codex@<version> (#2073 )	2025-10-18 11:02:22 -07:00
defs.bzl	[bazel] Fix proc_macro_dep libs (#12274 )	2026-02-19 13:38:37 -08:00
flake.lock	fix(nix): update flake for newer Rust toolchain requirements (#10302 )	2026-01-31 11:34:53 -08:00
flake.nix	fix(nix): use correct version from Cargo.toml in flake build (#11770 )	2026-02-13 12:19:25 -08:00
justfile	feat: discourage the use of the --all-features flag (#12429 )	2026-02-20 23:02:24 -08:00
LICENSE	Initial commit	2025-04-16 12:56:08 -04:00
MODULE.bazel	voice transcription (#3381 )	2026-02-23 22:15:18 +00:00
MODULE.bazel.lock	feat(network-proxy): add embedded OTEL policy audit logging (#12046 )	2026-02-25 11:46:37 -05:00
NOTICE	Add feature-gated freeform js_repl core runtime (#10674 )	2026-02-11 12:05:02 -08:00
package.json	Update pnpm versions to fix cve-2026-24842 (#12009 )	2026-02-19 14:27:55 -08:00
pnpm-lock.yaml	chore: ensure pnpm-workspace.yaml is up-to-date (#10140 )	2026-01-29 10:49:03 -08:00
pnpm-workspace.yaml	chore: ensure pnpm-workspace.yaml is up-to-date (#10140 )	2026-01-29 10:49:03 -08:00
rbe.bzl	feat: update Docker image digest to reflect #12205 (#12372 )	2026-02-24 22:19:46 -08:00
README.md	docs: mention Codex app in README intro (#11926 )	2026-02-16 17:35:05 +01:00
SECURITY.md	docs: add codex security policy (#12193 )	2026-02-19 09:12:59 -08:00

README.md

npm i -g @openai/codex
or brew install --cask codex

Codex CLI is a coding agent from OpenAI that runs locally on your computer.

Codex CLI splash

If you want Codex in your code editor (VS Code, Cursor, Windsurf), install in your IDE.
If you want the desktop app experience, run codex app or visit the Codex App page.
If you are looking for the cloud-based agent from OpenAI, Codex Web, go to chatgpt.com/codex.

Quickstart

Installing and running Codex CLI

Install globally with your preferred package manager:

# Install using npm
npm install -g @openai/codex

# Install using Homebrew
brew install --cask codex

Then simply run codex to get started.

You can also go to the latest GitHub Release and download the appropriate binary for your platform.

Each GitHub Release contains many executables, but in practice, you likely want one of these:

macOS
- Apple Silicon/arm64: codex-aarch64-apple-darwin.tar.gz
- x86_64 (older Mac hardware): codex-x86_64-apple-darwin.tar.gz
Linux
- x86_64: codex-x86_64-unknown-linux-musl.tar.gz
- arm64: codex-aarch64-unknown-linux-musl.tar.gz

Each archive contains a single entry with the platform baked into the name (e.g., codex-x86_64-unknown-linux-musl), so you likely want to rename it to codex after extracting it.

Using Codex with your ChatGPT plan

Run codex and select Sign in with ChatGPT. We recommend signing into your ChatGPT account to use Codex as part of your Plus, Pro, Team, Edu, or Enterprise plan. Learn more about what's included in your ChatGPT plan.

You can also use Codex with an API key, but this requires additional setup.

Docs

This repository is licensed under the Apache-2.0 License.