PAC 3 - Add Windows system proxy resolver#26708

Merged: canvrno-oai merged 4 commits into main from canvnro/codex-pac-pr3-win on Jun 22, 2026

@canvrno-oai canvrno-oai commented Jun 6, 2026

Contributor

Summary

Stacked on #26707.

Adds the Windows implementation of the shared system-proxy contract. This allows Codex-owned auth clients to use the route Windows selects for each auth URL, including explicit PAC configuration, WPAD auto-detection, static proxies, and bypass rules.

The respect_system_proxy feature is disabled by default, so existing client behavior remains unchanged unless explicitly enabled.

Implementation

  • Adds Windows-only codex-client dependencies:
    • windows-sys with Win32_Foundation and Win32_Networking_WinHttp;
    • sha2 for redacted cache keys.
  • Dispatches system-proxy resolution to outbound_proxy/windows.rs on Windows.
  • Reads the current-user WinHTTP/IE proxy configuration via WinHttpGetIEProxyConfigForCurrentUser.
  • Resolves explicit PAC URLs first, then OS-enabled WPAD auto-detection, then static proxy and bypass settings.
  • Uses WinHttpGetProxyForUrl for PAC/WPAD and maps results into the shared SystemProxyDecision::{Direct, Proxy, Unavailable} contract.
  • Parses DIRECT, PROXY, HTTPS, and keyed static proxy entries.
  • Treats unsupported schemes such as SOCKS as unavailable so the shared resolver can apply its environment-proxy fallback.
  • Handles Windows bypass entries, including <local> and host, suffix, wildcard, and port matching.
  • Releases WinHTTP-owned strings with GlobalFree and closes sessions with WinHttpCloseHandle.
  • Hashes URL-specific cache keys with SHA-256 so PAC decisions remain URL-specific without retaining raw request URLs or query strings.

End-user behavior

  • Disabled/default: existing client behavior is unchanged.
  • Enabled with [features.respect_system_proxy]:
    • Windows auth clients honor explicit PAC configuration, OS-enabled WPAD, static proxies, and bypass rules;
    • valid OS/PAC DIRECT decisions use a direct connection;
    • unavailable system resolution falls back to explicit environment proxy variables, then DIRECT, through the shared contract from PAC 2 - Add shared auth system proxy contract #26707.
  • Unsupported proxy schemes are not silently translated into a different route.
  • Custom CA handling remains separate from proxy selection.

Tests

Adds coverage for:

  • PAC-style proxy tokens such as PROXY proxy.internal:8080 and HTTPS proxy.internal:8443;
  • static WinHTTP proxy entries keyed by target scheme;
  • DIRECT and unsupported proxy-token behavior;
  • Windows bypass matching, including <local>, wildcard, suffix, and port-qualified entries;
  • preserving URL-specific PAC cache decisions without retaining the raw URL on Windows.
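
The PAC-token mapping and bypass matching listed in the description above, as an added Rust example that is not code from this pull request. Only the `SystemProxyDecision` variant names come from the page; the function names, the first-entry-only rule, the `https://` mapping for `HTTPS` tokens and the leading-`*` wildcard handling are assumptions.

```rust
// Added illustration, not code from the PR. The enum name and variants come
// from the PR description; function names and exact rules are assumptions.
#[derive(Debug, PartialEq)]
pub enum SystemProxyDecision {
    Direct,
    Proxy(String), // proxy URL such as "http://proxy.internal:8080"
    Unavailable,   // caller falls back to environment proxy variables
}
use SystemProxyDecision::{Direct, Proxy, Unavailable};

fn valid_host_port(s: &str) -> bool {
    matches!(s.rsplit_once(':'), Some((h, p))
        if !h.is_empty() && !h.contains(|c: char| c == '/' || c == '@') && p.parse::<u16>().is_ok())
}

/// Map a PAC result such as "PROXY proxy.internal:8080; DIRECT" to a decision.
/// Assumption: only the first entry is honoured.
pub fn parse_pac_result(result: &str) -> SystemProxyDecision {
    let first = result.split(';').map(str::trim).find(|e| !e.is_empty());
    let Some(entry) = first else { return Unavailable };
    let mut words = entry.split_whitespace();
    let keyword = words.next().unwrap_or_default().to_ascii_uppercase();
    match (keyword.as_str(), words.next(), words.next()) {
        ("DIRECT", None, None) => Direct,
        ("PROXY", Some(hp), None) if valid_host_port(hp) => Proxy(format!("http://{hp}")),
        ("HTTPS", Some(hp), None) if valid_host_port(hp) => Proxy(format!("https://{hp}")),
        // SOCKS and anything unrecognised: never rewritten into another scheme.
        _ => Unavailable,
    }
}

/// Match host and port against a bypass list like "<local>;*.corp.example;build.internal:8443".
pub fn is_bypassed(list: &str, host: &str, port: u16) -> bool {
    let host = host.to_ascii_lowercase();
    list.split(|c: char| c == ';' || c.is_whitespace()).filter(|e| !e.is_empty()).any(|entry| {
        let entry = entry.to_ascii_lowercase();
        if entry == "<local>" { return !host.contains('.'); } // dotless names are local
        // A trailing ":digits" restricts the entry to that port.
        let (pat, want_port) = match entry.rsplit_once(':') {
            Some((p, n)) if n.parse::<u16>().is_ok() => (p, n.parse::<u16>().ok()),
            _ => (entry.as_str(), None),
        };
        if want_port.map_or(false, |p| p != port) { return false; }
        pat.strip_prefix('*').map_or(host == pat, |suffix| host.ends_with(suffix))
    })
}

fn main() {
    let list = "<local>;*.corp.example"; // constructed sample input
    println!("{:?} {}", parse_pac_result("PROXY proxy.internal:8080; DIRECT"), is_bypassed(list, "intranet", 443));
}
```
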

@canvrno-oai canvrno-oai changed the title [codex] Add Windows system proxy resolver PAC - Add Windows system proxy resolver Jun 6, 2026
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr2-contract branch from 6fcd2bd to c1f900e Compare June 8, 2026 17:44
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr3-win branch from 4cc962b to a55b700 Compare June 8, 2026 17:44
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr2-contract branch from c1f900e to 86815bc Compare June 8, 2026 18:19
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr3-win branch 3 times, most recently from 216cb3f to 2777480 Compare June 8, 2026 19:23
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr2-contract branch from 4ffc2f4 to 968f40d Compare June 8, 2026 20:39
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr3-win branch from c02c09b to 847b03a Compare June 8, 2026 20:40
@canvrno-oai canvrno-oai changed the title PAC - Add Windows system proxy resolver PAC 3 - Add Windows system proxy resolver Jun 9, 2026
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr2-contract branch from 1eebefb to a9bed73 Compare June 10, 2026 18:23
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr3-win branch from 847b03a to da0445f Compare June 10, 2026 18:23

@iceweasel-oai iceweasel-oai left a comment

Collaborator

(from Codex): Added inline review comments.

Comment thread codex-rs/codex-client/src/outbound_proxy/windows.rs
Comment thread codex-rs/codex-client/src/outbound_proxy.rs Outdated
Comment thread codex-rs/codex-client/src/outbound_proxy.rs Outdated
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr2-contract branch from a9bed73 to 9a9be5d Compare June 11, 2026 19:14
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr3-win branch 2 times, most recently from 47a7061 to 8a2b646 Compare June 11, 2026 20:13
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr2-contract branch from ca6d44e to 7d9743d Compare June 16, 2026 05:25
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr3-win branch from d1af2f3 to 30866d1 Compare June 16, 2026 05:57
@canvrno-oai

Contributor Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Contributor

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 30866d153a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/codex-client/Cargo.toml
Comment thread codex-rs/codex-client/src/outbound_proxy.rs
Comment thread codex-rs/codex-client/src/outbound_proxy/windows.rs Outdated
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr2-contract branch from 008144e to fa620b3 Compare June 16, 2026 16:37
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr3-win branch 2 times, most recently from 5497d3d to 354094e Compare June 16, 2026 20:28
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr2-contract branch from e74fc31 to a2f4da6 Compare June 17, 2026 00:01
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr3-win branch from d44ee4e to 5dd5bac Compare June 17, 2026 00:59
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr2-contract branch from a2f4da6 to 860d6e5 Compare June 17, 2026 18:51
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr3-win branch from 5dd5bac to 2243326 Compare June 17, 2026 18:52
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr3-win branch 3 times, most recently from 2e71f40 to c590f10 Compare June 22, 2026 18:46
Base automatically changed from canvnro/codex-pac-pr2-contract to main June 22, 2026 20:03
@canvrno-oai canvrno-oai force-pushed the canvnro/codex-pac-pr3-win branch from c590f10 to 13cc356 Compare June 22, 2026 20:09
@canvrno-oai canvrno-oai marked this pull request as ready for review June 22, 2026 20:24

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Contributor

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 13cc356ec8

Comment thread codex-rs/codex-client/src/outbound_proxy/windows.rs Outdated
Comment thread codex-rs/codex-client/src/outbound_proxy.rs Outdated
Comment thread codex-rs/codex-client/src/outbound_proxy.rs Outdated
Comment thread codex-rs/codex-client/src/outbound_proxy.rs

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Contributor

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c33069fc0e

Comment thread codex-rs/codex-client/src/outbound_proxy.rs
Comment thread codex-rs/codex-client/src/outbound_proxy/windows.rs
Comment thread codex-rs/codex-client/src/outbound_proxy/windows.rs
@canvrno-oai canvrno-oai merged commit 5f129a4 into main Jun 22, 2026
31 checks passed
@canvrno-oai canvrno-oai deleted the canvnro/codex-pac-pr3-win branch June 22, 2026 21:38
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 22, 2026