Skip to content

Scope startup CA roots to prepared children#28973

Closed
winston-openai wants to merge 6 commits into
dev/winston/mitm-command-ca-bundlesfrom
dev/winston/mitm-scope-startup-ca-baseline
Closed

Scope startup CA roots to prepared children#28973
winston-openai wants to merge 6 commits into
dev/winston/mitm-command-ca-bundlesfrom
dev/winston/mitm-scope-startup-ca-baseline

Conversation

@winston-openai

Copy link
Copy Markdown
Contributor

Why

Unix startup CA overrides should not be copied into the stable managed MITM bundle before child filesystem policy is evaluated. The preceding PRs now prepare every sandboxed child environment, so this trust narrowing can land without breaking startup CA compatibility.

What

  • omit startup file-backed CA overrides from the stable managed bundle on Unix
  • continue embedding startup file-backed roots on Windows, where the restricted sandbox identity is persistent
  • keep startup values available for policy-checked per-child materialization

Stack

Validation

  • just test -p codex-network-proxy managed_ca_trust_bundle_scopes_startup_ca_override_by_platform
  • the full codex-network-proxy suite passed on the same final stack

…nto dev/winston/mitm-scope-startup-ca-baseline
…nto dev/winston/mitm-scope-startup-ca-baseline
…nto dev/winston/mitm-scope-startup-ca-baseline
…nto dev/winston/mitm-scope-startup-ca-baseline
…nto dev/winston/mitm-scope-startup-ca-baseline
@winston-openai winston-openai marked this pull request as ready for review June 19, 2026 00:17

Copy link
Copy Markdown
Contributor Author

Closing as superseded by the focused #29013 and #29014 stack. The replacement isolates the persisted MITM private key and preserves file-backed custom CAs present at Codex startup, with zero codex-core changes. Per-command bundle materialization, generic sandbox carvebacks, and additional shell-snapshot plumbing are intentionally deferred because they are not required for this scoped completion work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant