Skip to content

build: ratchet direct reqwest dependencies#31431

Draft
bolinfest wants to merge 1 commit into
pr31363from
pr31431
Draft

build: ratchet direct reqwest dependencies#31431
bolinfest wants to merge 1 commit into
pr31363from
pr31431

Conversation

@bolinfest

@bolinfest bolinfest commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Why

The codex-http-client migration now has a shared implementation and several migrated request paths, but nothing prevents a new crate from adding another direct reqwest dependency while the remaining call sites are being converted. The dependency graph should both enforce the direction of travel and make the remaining scope visible.

This PR adds that ratchet on top of #31363. It does not claim the migration is complete: the allowlist deliberately records all 18 first-party crates that still depend on reqwest directly.

What changed

  • Ban reqwest with cargo-deny unless its immediate parent is an explicitly listed wrapper.
  • Identify codex-http-client as the intended owner.
  • Record the 18 current first-party direct dependents as temporary migration exceptions.
  • Separately allow six third-party integrations that own their reqwest dependency: oauth2, opentelemetry-http, opentelemetry-otlp, rmcp, sentry, and webrtc-sys-build.
  • Cover both reqwest 0.12 and 0.13 with the same package-level rule.

Migration rule

A new first-party crate cannot add reqwest. When a listed crate finishes migrating, its direct Cargo dependency and its wrapper entry should be removed in the same PR, so the first-party list can only shrink.

Review guide

The entire change is the new reqwest entry in codex-rs/deny.toml:

  1. codex-http-client is the permanent intended wrapper.
  2. The next 18 entries are the first-party migration backlog.
  3. The final six entries are separately documented third-party parents required by cargo-deny graph semantics.

Validation

  • cargo deny check bans --hide-inclusion-graph (bans ok; existing duplicate-version warnings remain warnings)

Stack created with Sapling. Best reviewed with ReviewStack.

@bolinfest bolinfest changed the base branch from main to pr31363 July 7, 2026 16:30
bolinfest added a commit that referenced this pull request Jul 7, 2026
## Why

#31335 lets HTTP callers obtain proxy-aware clients from
`HttpClientFactory`, but a non-HTTP transport such as WebSockets also
needs two pieces of policy owned by `codex-http-client`: a concrete
route decision for its destination and the same custom-CA-aware rustls
trust configuration used by HTTPS.

Keeping these prerequisites in the shared abstraction means the
dependent Responses WebSocket change (#31441) cannot independently
reinterpret `features.respect_system_proxy`, PAC results, or enterprise
CA settings.

## What changed

- Add a redaction-safe `OutboundProxyRoute` with explicit
transport-default, direct, and concrete-proxy outcomes.
- Add `HttpClientFactory::resolve_proxy_route()` so transports can
resolve a destination through the already-selected outbound proxy
policy.
- Resolve `ws://` and `wss://` URLs through their HTTP equivalents so
system and PAC rules apply consistently.
- Add an always-returned rustls config builder that starts from native
roots and layers in any configured Codex custom CA bundle. The existing
optional builder remains available to callers that can delegate the
default configuration to their transport.
- Continue redacting proxy URLs from `Debug` output because they may
contain credentials.

## Review guide

1. `http-client/src/outbound_proxy.rs` defines the transport-neutral
route result and WebSocket URL normalization.
2. `http-client/src/custom_ca.rs` factors the native-root/custom-CA
construction so callers that perform TLS themselves can always obtain a
config.
3. `http-client/src/outbound_proxy_tests.rs` verifies WebSocket
normalization and legacy transport-default behavior.

## Test plan

- `just test -p codex-http-client outbound_proxy`
- `just test -p codex-http-client custom_ca`

---
[//]: # (BEGIN SAPLING FOOTER)
Stack created with [Sapling](https://sapling-scm.com). Best reviewed
with [ReviewStack](https://reviewstack.dev/openai/codex/pull/31342).
* #31431
* #31363
* #31362
* #31361
* #31442
* #31441
* __->__ #31342
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant