viyatb-oai

This commit delivers a crucial **bug fix** for the **`codex-sandboxing`** module, resolving an issue where the system `bwrap` executable was not correctly discovered on systems with multi-entry `PATH` environment variables. Previously, the `find_system_bwrap_in_path` function failed to properly parse `PATH`, leading to an incorrect fallback to a vendored `bwrap` binary. The fix ensures that the `PATH` is now correctly split into individual entries, allowing for accurate discovery of system-installed `bwrap` binaries. This improves the reliability of **`bwrap` discovery** and includes new regression tests to prevent future regressions related to multi-entry `PATH` scenarios.

This commit introduces **enforced network proxy support** for the **Windows sandbox**, ensuring that sandboxed processes configured for proxy use are strictly limited to communicating only with the local proxy. This **new capability** routes proxy-enforced runs through the `offline` sandbox user, applying OS-level firewall rules via `codex-rs/windows-sandbox-rs/src/firewall.rs` that block all direct outbound traffic and restrict loopback access to configured proxy ports. Conversely, direct network access runs utilize the `online` user without such restrictions, bringing Windows sandbox network control in line with intended security models. The changes involve significant updates to **sandbox setup orchestration** (`codex-rs/windows-sandbox-rs/src/setup_orchestrator.rs`), **identity management**, and the **network proxy component** (`codex-rs/network-proxy/src/proxy.rs`), along with new tests to validate the strict network egress controls.

This commit introduces a **security fix** to the **`network-proxy`** module, ensuring it **fails closed** when DNS lookup errors or timeouts occur during local/private IP pre-checks. Previously, a failure in `host_resolves_to_non_public_ip()` would incorrectly treat the destination as public, creating a fail-open vulnerability. Now, such DNS resolution failures are treated as local/private for blocking purposes, preventing unauthorized access. This **bug fix** enhances the proxy's robustness and security posture by preventing requests from being allowed due to transient DNS issues, and includes a **regression test** to validate the corrected behavior.

This **refactoring** centralizes `bubblewrap` (bwrap) related utility functions and their tests into a new, dedicated module within the **`codex-rs/sandboxing` subsystem**. Specifically, `bwrap` PATH lookup and warning helpers, such as `system_bwrap_warning` and `find_system_bwrap_in_path`, are relocated from `codex-rs/core/src/config/mod.rs` to `codex-rs/sandboxing/src/bwrap.rs`. This improves **modularity** by cleaning up the **`core` configuration module** and consolidating all `bwrap` logic, including its tests, into a more appropriate location. The **`codex-rs/linux-sandbox` launcher** is updated to reflect the new import paths, ensuring continued functionality. Additionally, the new module integrates conditional compilation for non-Linux systems, making the `bwrap` utilities more robust.

This commit **fixes** the resolution of the `bwrap` executable by changing the **`codex-core` configuration** to search the system `PATH` instead of using a hardcoded path. It specifically enhances security and reliability by **skipping workspace-local `bwrap` instances** during the search, ensuring a trusted system binary is used for the **Linux sandboxing mechanism**. The `codex-linux-sandbox` launcher now leverages this new, more robust lookup logic, with updated tests and documentation reflecting the change. This prevents potential issues with incorrect `bwrap` versions and improves the overall integrity of the sandbox. A vendored `bubblewrap` fallback is still maintained if no trusted system `bwrap` is found.

This commit provides a **critical bug fix** to enhance the **Linux sandboxing mechanism's compatibility** with older system `bubblewrap` (bwrap) versions. It prevents sandbox failures on hosts where `/usr/bin/bwrap` does not support the `--argv0` flag by dynamically adjusting the sandbox helper's invocation to avoid this flag, rather than falling back to a vendored `bwrap`. This ensures that the system `bwrap` is utilized whenever available, preserving important AppArmor policy integration provided by distro packages. The changes involve updates to the **`arg0` dispatch logic**, **`BubblewrapLauncher` configuration**, and various **runtime components** that interact with the sandbox, along with corresponding **documentation and test updates**.

This commit introduces **websocket authentication** to the `codex-app-server`, enforcing it at the transport boundary before JSON-RPC `initialize` to reject unauthenticated clients during the handshake. This **new capability** significantly **enhances the security posture** of remote `app-server` connections by supporting two authentication modes: file-backed capability tokens and HMAC-signed JWT/JWS bearer tokens with optional issuer/audience validation. The feature is **opt-in** for non-loopback listeners to ensure backward compatibility during rollout, logging warnings if not configured for remote use. It also rejects requests carrying an `Origin` header and integrates new CLI arguments and documentation for the `app-server`'s security configuration.

This commit **enhances the Windows restricted-token sandbox** to support a subset of **split filesystem policies**, allowing for more granular control over sandboxed process access. It introduces a new filesystem overlay mechanism within `codex-rs/core/src/exec.rs` and `windows-sandbox-rs/src/lib.rs` that can apply additional deny-write ACLs to create read-only "carveouts" within an otherwise writable workspace. This **new capability** improves the **security and flexibility of sandboxed execution** on Windows by enabling more complex policy definitions without requiring elevated privileges. The change ensures that unsupported complex policies, such as nested writable descendants under read-only paths, explicitly fail closed to maintain security guarantees.

This commit implements a **security enhancement** by **pinning the `mlugg/setup-zig` GitHub Action** to an immutable commit SHA. This **maintenance update** affects the project's **CI/CD workflows**, specifically `rust-ci.yml`, `rust-release.yml`, and `shell-tool-mcp.yml`. By replacing the mutable `v2` tag with a fixed SHA, the change significantly reduces the risk of arbitrary code execution during automated builds. This ensures a more secure and predictable execution environment for the **Rust compilation** and **shell tool processes**, without impacting the application's core functionality.

This commit introduces **support for `ReadOnlyAccess::Restricted` within the elevated Windows sandbox backend**, enabling more granular control over read access for sandboxed processes. It refines the **Windows sandbox execution logic** and **setup orchestrator** to gather narrower read roots for these restricted policies, while maintaining legacy full-read behavior for unelevated sandboxes. The change ensures `workspace-write` semantics are preserved and correctly honors `include_platform_defaults` for system roots. This **new capability** enhances the security posture of the **Windows sandbox** by allowing more precise read access enforcement and updates **documentation** to reflect these new policy options.

This commit **fixes** a critical issue in the **`codex sandbox` CLI command** where it failed to honor active **permission profiles**, instead forcing legacy `sandbox_mode` settings. It **refactors** the sandbox configuration loading in `codex-rs/cli/src/debug_sandbox.rs` to correctly apply profile-based filesystem and network policies for both macOS and Linux, while maintaining fallback for legacy configurations. This ensures that **permission profiles are properly enforced** within debug sandboxes, preventing unintended access and rejecting incompatible options like `--full-auto` when profiles are in use. The change improves the security and predictability of sandboxed command execution by making the `codex sandbox` command respect the configured permissions.

This commit provides a **bug fix** for **Linux sandbox** failures on Ubuntu/AppArmor systems by **preferring the system's `/usr/bin/bwrap`** over the vendored version. This addresses issues where AppArmor profiles restricted `userns` access to only the system `bwrap` path, causing errors like `Permission denied` with the internal binary. The change **refactors** the `bwrap` launch logic in the `codex-rs/linux-sandbox` module to use the system binary if present, falling back to the vendored one. It also integrates a new warning system into the **app-server** and **TUI** to inform users when the fallback to the vendored `bwrap` occurs, improving **AppArmor compatibility** and user feedback for the **Linux sandbox**.

This commit **fixes a regression** in the **Linux sandbox's bubblewrap integration** by modifying how `workspace-write` roots are processed. Previously, the sandbox would abort startup if a configured writable root did not exist on the current machine, which particularly impacted **mixed Windows/WSL configurations**. The `create_filesystem_args` function in `codex-rs/linux-sandbox/src/bwrap.rs` is now updated to **gracefully ignore non-existent writable roots** while still mounting valid ones. This **bug fix** enhances the robustness and compatibility of the sandbox, preventing unnecessary failures, and is validated by new integration tests.

This **bug fix** resolves an issue in the **Linux sandbox** where `bubblewrap` could inherit a symlinked current working directory (CWD), leading to sandboxed command failures. It semantically separates the caller's logical CWD from the canonical CWD used for sandbox mounts and permissions. The change, primarily within the **`codex-rs/linux-sandbox`** and **`codex-rs/core`** modules, ensures `bubblewrap` explicitly sets the CWD to a canonical, mounted path inside the sandbox when necessary, without compromising existing security policies. This improves the reliability of sandboxed commands for users operating in symlinked workspaces by correctly handling **symlinked CWD canonicalization**.

This commit provides a **bug fix** for **sandbox policies** by **normalizing effective readable, writable, and unreadable roots** within the `codex-protocol` module. It ensures that symlinked roots are resolved to their **canonical runtime paths** after special path resolution, addressing issues like `TMPDIR` bind failures in bubblewrap. The change primarily affects the **`permissions.rs`** file, which now correctly handles path resolution and preserves explicit symlinked carveouts. This **maintenance** task improves the reliability and security of the sandbox environment, with updated **`codex-core`** seatbelt tests and protocol regression tests validating the new behavior.

This commit provides a **bug fix** for the **multi-agent spawning system**, ensuring that spawned subagents correctly inherit **sandbox policies**. It modifies the `apply_spawn_agent_runtime_overrides` function in `codex-rs/core/src/tools/handlers/multi_agents.rs` to reapply **live split filesystem and network sandbox policies** when building subagent configurations. This guarantees that spawned child sessions remain aligned with the parent's turn after role-layer config reloads, preventing subagents from operating with incorrect security contexts. Additionally, **regression tests** have been added in `codex-rs/core/src/tools/handlers/multi_agents_tests.rs` to validate both config construction and spawned child-turn inheritance, improving the robustness of the **sandbox policy enforcement** for subagents.

This commit introduces a **bug fix** to ensure that **network host approvals** selected with "allow this host in the future" are properly **persisted across sessions** for the **managed network proxy**. It modifies the `codex-rs/core` module to pass and apply the current execution policy network rules during the `start_managed_network_proxy` process, leveraging new functionality in `network_proxy_spec.rs` for rule application. This change enhances the **security and usability** of the network proxy by consistently enforcing user-approved network access, preventing the need for repeated host approvals after a session restart. New tests have been added to validate the correct application and persistence of these rules.

This commit provides a **bug fix** for the **Linux sandbox**'s bubblewrap implementation, ensuring that **nested writable filesystem carveouts** are correctly re-enabled even when their parent directories are explicitly marked as `none`. It adjusts the argument generation in `codex-rs/linux-sandbox/src/bwrap.rs` to preserve the intended `write -> none -> write` semantics for complex filesystem policies, preventing paths like `/repo/a/b` from incorrectly becoming unreadable when nested under a `none` parent `/repo/a`. This **enhances the robustness** of the sandbox's filesystem policy enforcement. The change includes a **new regression test** in `landlock.rs` and **documentation updates** in both `codex-rs/core/README.md` and `codex-rs/linux-sandbox/README.md` to clarify this split-policy behavior.

This **bug fix** for the **Linux sandbox** ensures that complex **split filesystem policies** are correctly enforced within `bubblewrap`. It refactors the filesystem argument creation to apply mount masks in the precise order required to preserve narrower rules, such as read-only subpaths within writable roots, and maintain unreadable ancestors. Additionally, the commit improves policy validation in `linux_run_main.rs`, preventing incorrect rejections of semantically equivalent legacy-plus-split configurations and robustly failing closed for partial, mismatched, or unsupported policy combinations. This significantly enhances the correctness and security of **filesystem policy enforcement** for sandboxed processes on Linux.

This commit provides a **bug fix** to restore **backward compatibility** for the **CLI's feature flag parsing**. It re-introduces the legacy `use_linux_sandbox_bwrap` flag into the **`codex-rs/core`** feature management system and configuration schema, marking it as `Removed`. This ensures that older CLI commands using `--enable use_linux_sandbox_bwrap` will no longer fail during parsing, preventing regressions for existing scripts and configurations. While the flag is now a no-op at runtime, this change specifically addresses the parsing issue in the **`codex-rs/cli`** module, allowing the application to gracefully handle deprecated input. New tests have been added to cover this legacy parsing path.