PAC 4 - Add macOS system proxy resolver#26709
Merged
Merged
Conversation
4cc962b to
a55b700
Compare
b532a82 to
87bccd3
Compare
a55b700 to
16ce90d
Compare
87bccd3 to
9f5909a
Compare
16ce90d to
216cb3f
Compare
9f5909a to
70b25b2
Compare
216cb3f to
2777480
Compare
dd4a06d to
ea60fce
Compare
c02c09b to
847b03a
Compare
ea60fce to
b9e4832
Compare
847b03a to
da0445f
Compare
6158992 to
e4b8b92
Compare
5c46f30 to
47a7061
Compare
93e4e84 to
c91497e
Compare
viyatb-oai
reviewed
Jun 15, 2026
viyatb-oai
left a comment
Collaborator
There was a problem hiding this comment.
One routing issue to address in the macOS resolver.
d1af2f3 to
30866d1
Compare
5dd8971 to
bc39031
Compare
30866d1 to
048ff60
Compare
bc39031 to
ab61237
Compare
5497d3d to
354094e
Compare
7354130 to
19ccecb
Compare
d44ee4e to
5dd5bac
Compare
ac90f94 to
bf35429
Compare
5dd5bac to
2243326
Compare
bf35429 to
ac0677a
Compare
2243326 to
0743880
Compare
ac0677a to
9fb47f7
Compare
272021e to
d824f00
Compare
7f0b9ee to
a008e4b
Compare
2e71f40 to
c590f10
Compare
a008e4b to
425162e
Compare
c590f10 to
13cc356
Compare
425162e to
5b73387
Compare
5b73387 to
4627c3e
Compare
viyatb-oai
reviewed
Jun 22, 2026
viyatb-oai
approved these changes
Jun 22, 2026
viyatb-oai
left a comment
Collaborator
There was a problem hiding this comment.
lgtm with one comment to remove a redundant function.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Stacked on #26708.
Adds the macOS implementation of the shared system-proxy contract. This allows Codex-owned auth clients to use the route macOS selects for each auth URL through SystemConfiguration and CFNetwork, including PAC and WPAD results.
The
respect_system_proxyfeature is disabled by default, so existing client behavior remains unchanged unless explicitly enabled.Implementation
system-configurationdependency tocodex-client.outbound_proxy/macos.rson macOS.SCDynamicStoreand resolves the target URL withCFNetworkCopyProxiesForURL.DIRECT, HTTP proxies, and CFNetwork HTTPS entries using HTTP CONNECT; unsupported SOCKS entries map toUnsupportedProxyScheme.SystemProxyDecision::{Direct, Proxy, Unavailable}contract.End-user behavior
[features.respect_system_proxy]:DIRECTdecisions use a direct connection;DIRECT, through the shared contract from PAC 2 - Add shared auth system proxy contract #26707.DIRECTcandidates are not attempted after a connection failure. This matches the current Windows behavior and leaves room for future ordered-fallback support.Tests
just test -p codex-client— 34 tests passed.just clippy -p codex-clientjust fmtjust bazel-lock-check