Skip to content

Add outbound network diagnostics scaffolding#24801

Closed
canvrno-oai wants to merge 4 commits into
mainfrom
pia/phase0-network-diagnostics
Closed

Add outbound network diagnostics scaffolding#24801
canvrno-oai wants to merge 4 commits into
mainfrom
pia/phase0-network-diagnostics

Conversation

@canvrno-oai

@canvrno-oai canvrno-oai commented May 27, 2026

Copy link
Copy Markdown
Contributor

Summary

  • reserve the [network] proxy config surface and schema entries, with project-local overrides denied
  • add redacted route diagnostic types plus opt-in auth diagnostics via CODEX_NETWORK_DIAGNOSTICS=1
  • emit sanitized auth-path snapshots/failure classifications for OAuth token exchange and API-key exchange without changing routing behavior

Diagnostic behavior

When CODEX_NETWORK_DIAGNOSTICS=1 is set, auth flows log only presence bits for proxy/CA env vars, CODEX_SYSTEM_PROXY state, coarse HTTP/transport failure classes, and status codes. Proxy values, URLs, headers, bodies, tokens, CA paths, and credentials are not logged. With the env var unset, the new diagnostic helpers are silent.

@canvrno-oai canvrno-oai force-pushed the pia/phase0-network-diagnostics branch 2 times, most recently from 5fc55d2 to ee112a0 Compare May 27, 2026 18:24
@canvrno-oai canvrno-oai force-pushed the pia/phase0-network-diagnostics branch from ee112a0 to beb17da Compare May 27, 2026 18:33
@canvrno-oai canvrno-oai force-pushed the pia/phase0-network-diagnostics branch from a673d13 to 53d4eab Compare May 27, 2026 19:12
@canvrno-oai

Copy link
Copy Markdown
Contributor Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown
Contributor

Codex Review: Didn't find any major issues. 🚀

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@canvrno-oai canvrno-oai marked this pull request as ready for review May 27, 2026 21:57
@canvrno-oai canvrno-oai requested a review from a team as a code owner May 27, 2026 21:57

@fcoury-oai fcoury-oai left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Manually verified opt-in OAuth network diagnostics: forced a proxied token-exchange failure, confirmed redacted diagnostic logs appear only when enabled, are captured with default login logging, and do not expose sensitive values.

Codex review had one suggestion that I am leaving as optional.

Other than that code looks good. Approved 👍

if rendered.contains("tls") || rendered.contains("certificate") || rendered.contains("cert") {
return RouteFailureClass::TlsError;
}
if error.is_connect() {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion by Codex:

is_connect() is broader than DNS resolution, so proxy connection refusals and other connection-stage failures will be emitted as resolver_error. Could we add a generic connection failure class, or fall back to other, unless we have evidence that resolution itself failed?

@canvrno-oai

Copy link
Copy Markdown
Contributor Author

Closed in favor of #26706 , first in a series of stacked PRs for PAC functionality.

@canvrno-oai canvrno-oai closed this Jun 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants