core/core-agent-ide
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Agent IDE — Codex fork for AI-native development environment
4558 commits 2 branches 0 tags 80 MiB
Find a file
Colin Young d692b74007
Add auth 401 observability to client bug reports (#14611) 
CXC-392

  [With
  401](https://openai.sentry.io/issues/7333870443/?project=4510195390611458&query=019ce8f8-560c-7f10-a00a-c59553740674&referrer=issue-stream)
  <img width="1909" height="555" alt="401 auth tags in Sentry"
  src="https://github.com/user-attachments/assets/412ea950-61c4-4780-9697-15c270971ee3"
  />


  - auth_401_*: preserved facts from the latest unauthorized response snapshot
  - auth_*: latest auth-related facts from the latest request attempt
  - auth_recovery_*: unauthorized recovery state and follow-up result


  Without 401
  <img width="1917" height="522" alt="happy-path auth tags in Sentry"
  src="https://github.com/user-attachments/assets/3381ed28-8022-43b0-b6c0-623a630e679f"
  />

  ###### Summary
  - Add client-visible 401 diagnostics for auth attachment, upstream auth classification, and 401 request id / cf-ray correlation.
  - Record unauthorized recovery mode, phase, outcome, and retry/follow-up status without changing auth behavior.
  - Surface the highest-signal auth and recovery fields on uploaded client bug reports so they are usable in Sentry.
  - Preserve original unauthorized evidence under `auth_401_*` while keeping follow-up result tags separate.

  ###### Rationale (from spec findings)
  - The dominant bucket needed proof of whether the client attached auth before send or upstream still classified the request as missing auth.
  - Client uploads needed to show whether unauthorized recovery ran and what the client tried next.
  - Request id and cf-ray needed to be preserved on the unauthorized response so server-side correlation is immediate.
  - The bug-report path needed the same auth evidence as the request telemetry path, otherwise the observability would not be operationally useful.

  ###### Scope
  - Add auth 401 and unauthorized-recovery observability in `codex-rs/core`, `codex-rs/codex-api`, and `codex-rs/otel`, including feedback-tag surfacing.
  - Keep auth semantics, refresh behavior, retry behavior, endpoint classification, and geo-denial follow-up work out of this PR.

  ###### Trade-offs
  - This exports only safe auth evidence: header presence/name, upstream auth classification, request ids, and recovery state. It does not export token values or raw upstream bodies.
  - This keeps websocket connection reuse as a transport clue because it can help distinguish stale reused sessions from fresh reconnects.
  - Misroute/base-url classification and geo-denial are intentionally deferred to a separate follow-up PR so this review stays focused on the dominant auth 401 bucket.

  ###### Client follow-up
  - PR 2 will add misroute/provider and geo-denial observability plus the matching feedback-tag surfacing.
  - A separate host/app-server PR should log auth-decision inputs so pre-send host auth state can be correlated with client request evidence.
  - `device_id` remains intentionally separate until there is a safe existing source on the feedback upload path.

  ###### Testing
  - `cargo test -p codex-core refresh_available_models_sorts_by_priority`
  - `cargo test -p codex-core emit_feedback_request_tags_`
  - `cargo test -p codex-core emit_feedback_auth_recovery_tags_`
  - `cargo test -p codex-core auth_request_telemetry_context_tracks_attached_auth_and_retry_phase`
  - `cargo test -p codex-core extract_response_debug_context_decodes_identity_headers`
  - `cargo test -p codex-core identity_auth_details`
  - `cargo test -p codex-core telemetry_error_messages_preserve_non_http_details`
  - `cargo test -p codex-core --all-features --no-run`
  - `cargo test -p codex-otel otel_export_routing_policy_routes_api_request_auth_observability`
  - `cargo test -p codex-otel otel_export_routing_policy_routes_websocket_connect_auth_observability`
  - `cargo test -p codex-otel otel_export_routing_policy_routes_websocket_request_transport_observability`
2026-03-14 15:38:51 -07:00
.codex/skills Add PR babysitting skill for this repo (#12513) 2026-02-22 15:36:28 -08:00
.devcontainer fix: include libcap-dev dependency when creating a devcontainer for building Codex (#13814) 2026-03-06 16:21:14 -08:00
.github check for large binaries in CI (#14382) 2026-03-11 22:39:08 +00:00
.vscode chore: rm --all-features flag from rust-analyzer (#13381) 2026-03-03 11:44:54 -08:00
codex-cli Update pnpm versions to fix cve-2026-24842 (#12009) 2026-02-19 14:27:55 -08:00
codex-rs Add auth 401 observability to client bug reports (#14611) 2026-03-14 15:38:51 -07:00
docs client: extend custom CA handling across HTTPS and websocket clients (#14239) 2026-03-13 00:59:26 +00:00
patches [bazel] Bump up cc and rust toolchains (#14542) 2026-03-13 18:01:38 +00:00
scripts check for large binaries in CI (#14382) 2026-03-11 22:39:08 +00:00
sdk Refresh Python SDK generated types (#14646) 2026-03-14 05:50:33 +00:00
shell-tool-mcp refactor: delete exec-server and move execve wrapper into shell-escalation (#12632) 2026-02-23 20:10:22 -08:00
third_party Add feature-gated freeform js_repl core runtime (#10674) 2026-02-11 12:05:02 -08:00
tools/argument-comment-lint Add argument-comment Dylint runner (#14651) 2026-03-14 08:18:04 -07:00
.bazelignore [bazel] Improve runfiles handling (#10098) 2026-01-29 00:15:44 +00:00
.bazelrc [bazel] Bump up cc and rust toolchains (#14542) 2026-03-13 18:01:38 +00:00
.bazelversion [bazel] Upgrade to bazel9 (#9576) 2026-01-21 13:25:36 +00:00
.codespellignore feat(network-proxy): structured policy signaling and attempt correlation to core (#11662) 2026-02-13 09:01:11 +00:00
.codespellrc feat(network-proxy): structured policy signaling and attempt correlation to core (#11662) 2026-02-13 09:01:11 +00:00
.gitignore gitignore bazel-* (#8911) 2026-01-08 07:50:58 -08:00
.markdownlint-cli2.yaml fix(tui): document paste-burst state machine (#9020) 2026-01-13 11:48:31 -08:00
.npmrc chore: migrate to pnpm for improved monorepo management (#287) 2025-04-18 16:25:15 -07:00
.prettierignore [apply-patch] Clean up apply-patch tool definitions (#2539) 2025-08-21 20:07:41 -07:00
.prettierrc.toml Initial commit 2025-04-16 12:56:08 -04:00
AGENTS.md Add argument-comment Dylint runner (#14651) 2026-03-14 08:18:04 -07:00
announcement_tip.toml nit: test an (#10892) 2026-02-06 14:41:53 +01:00
BUILD.bazel fix(ci): restore guardian coverage and bazel unit tests (#13912) 2026-03-08 12:05:19 -07:00
CHANGELOG.md Documentation improvement: add missing period (#3754) 2025-10-30 13:01:33 -07:00
cliff.toml docs(changelog): update install command to @openai/codex@<version> (#2073) 2025-10-18 11:02:22 -07:00
defs.bzl fix(ci): restore guardian coverage and bazel unit tests (#13912) 2026-03-08 12:05:19 -07:00
flake.lock fix(nix): update flake for newer Rust toolchain requirements (#10302) 2026-01-31 11:34:53 -08:00
flake.nix fix(nix): use correct version from Cargo.toml in flake build (#11770) 2026-02-13 12:19:25 -08:00
justfile Add argument-comment Dylint runner (#14651) 2026-03-14 08:18:04 -07:00
LICENSE Initial commit 2025-04-16 12:56:08 -04:00
MODULE.bazel [bazel] Bump up cc and rust toolchains (#14542) 2026-03-13 18:01:38 +00:00
MODULE.bazel.lock [bazel] Bump up cc and rust toolchains (#14542) 2026-03-13 18:01:38 +00:00
NOTICE Add feature-gated freeform js_repl core runtime (#10674) 2026-02-11 12:05:02 -08:00
package.json start of hooks engine (#13276) 2026-03-10 04:11:31 +00:00
pnpm-lock.yaml chore: ensure pnpm-workspace.yaml is up-to-date (#10140) 2026-01-29 10:49:03 -08:00
pnpm-workspace.yaml chore: ensure pnpm-workspace.yaml is up-to-date (#10140) 2026-01-29 10:49:03 -08:00
rbe.bzl [bazel] Bump rules_rs and llvm (#13366) 2026-03-04 01:59:32 +00:00
README.md docs: mention Codex app in README intro (#11926) 2026-02-16 17:35:05 +01:00
SECURITY.md docs: add codex security policy (#12193) 2026-02-19 09:12:59 -08:00
workspace_root_test_launcher.bat.tpl fix(ci): restore guardian coverage and bazel unit tests (#13912) 2026-03-08 12:05:19 -07:00
workspace_root_test_launcher.sh.tpl fix(ci): restore guardian coverage and bazel unit tests (#13912) 2026-03-08 12:05:19 -07:00

README.md

npm i -g @openai/codex
or brew install --cask codex

Codex CLI is a coding agent from OpenAI that runs locally on your computer.

Codex CLI splash


If you want Codex in your code editor (VS Code, Cursor, Windsurf), install in your IDE.
If you want the desktop app experience, run codex app or visit the Codex App page.
If you are looking for the cloud-based agent from OpenAI, Codex Web, go to chatgpt.com/codex.

Quickstart

Installing and running Codex CLI

Install globally with your preferred package manager:

# Install using npm
npm install -g @openai/codex

# Install using Homebrew
brew install --cask codex

Then simply run codex to get started.

You can also go to the latest GitHub Release and download the appropriate binary for your platform.

Each GitHub Release contains many executables, but in practice, you likely want one of these:

  • macOS
    • Apple Silicon/arm64: codex-aarch64-apple-darwin.tar.gz
    • x86_64 (older Mac hardware): codex-x86_64-apple-darwin.tar.gz
  • Linux
    • x86_64: codex-x86_64-unknown-linux-musl.tar.gz
    • arm64: codex-aarch64-unknown-linux-musl.tar.gz

Each archive contains a single entry with the platform baked into the name (e.g., codex-x86_64-unknown-linux-musl), so you likely want to rename it to codex after extracting it.

Using Codex with your ChatGPT plan

Run codex and select Sign in with ChatGPT. We recommend signing into your ChatGPT account to use Codex as part of your Plus, Pro, Team, Edu, or Enterprise plan. Learn more about what's included in your ChatGPT plan.

You can also use Codex with an API key, but this requires additional setup.

Docs

This repository is licensed under the Apache-2.0 License.