From b075d0ce9166a678905c322c8cee73cf9f74f2cd Mon Sep 17 00:00:00 2001 From: viyatb-oai Date: Wed, 3 Jun 2026 12:09:43 -0700 Subject: [PATCH] feat: add Noise relay primitives Co-authored-by: Codex noreply@openai.com --- MODULE.bazel.lock | 7 + codex-rs/Cargo.lock | 90 ++++- codex-rs/Cargo.toml | 8 + codex-rs/exec-server/Cargo.toml | 2 + codex-rs/exec-server/src/aws_lc_ml_kem.rs | 90 +++++ .../exec-server/src/aws_lc_ml_kem_tests.rs | 31 ++ codex-rs/exec-server/src/lib.rs | 5 + codex-rs/exec-server/src/noise_channel.rs | 379 ++++++++++++++++++ .../exec-server/src/noise_channel_tests.rs | 252 ++++++++++++ .../proto/codex.exec_server.relay.v1.proto | 5 + .../src/proto/codex.exec_server.relay.v1.rs | 9 +- codex-rs/exec-server/src/relay.rs | 147 ++++++- codex-rs/exec-server/src/relay_proto.rs | 2 + 13 files changed, 1005 insertions(+), 22 deletions(-) create mode 100644 codex-rs/exec-server/src/aws_lc_ml_kem.rs create mode 100644 codex-rs/exec-server/src/aws_lc_ml_kem_tests.rs create mode 100644 codex-rs/exec-server/src/noise_channel.rs create mode 100644 codex-rs/exec-server/src/noise_channel_tests.rs diff --git a/MODULE.bazel.lock b/MODULE.bazel.lock index f541a2c7bf3..1f01549db5a 100644 --- a/MODULE.bazel.lock +++ b/MODULE.bazel.lock @@ -608,6 +608,7 @@ "addr2line_0.25.1": "{\"dependencies\":[{\"name\":\"alloc\",\"optional\":true,\"package\":\"rustc-std-workspace-alloc\",\"req\":\"^1.0.0\"},{\"kind\":\"dev\",\"name\":\"backtrace\",\"req\":\"^0.3.13\"},{\"features\":[\"wrap_help\"],\"name\":\"clap\",\"optional\":true,\"req\":\"^4.3.21\"},{\"name\":\"core\",\"optional\":true,\"package\":\"rustc-std-workspace-core\",\"req\":\"^1.0.0\"},{\"default_features\":false,\"features\":[\"alloc\"],\"name\":\"cpp_demangle\",\"optional\":true,\"req\":\"^0.4\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.7.0\"},{\"default_features\":false,\"name\":\"fallible-iterator\",\"optional\":true,\"req\":\"^0.3.0\"},{\"kind\":\"dev\",\"name\":\"findshlibs\",\"req\":\"^0.10\"},{\"default_features\":false,\"features\":[\"read\"],\"name\":\"gimli\",\"req\":\"^0.32.0\"},{\"kind\":\"dev\",\"name\":\"libtest-mimic\",\"req\":\"^0.8.1\"},{\"name\":\"memmap2\",\"optional\":true,\"req\":\"^0.9.4\"},{\"default_features\":false,\"features\":[\"read\",\"compression\"],\"name\":\"object\",\"optional\":true,\"req\":\"^0.37.0\"},{\"name\":\"rustc-demangle\",\"optional\":true,\"req\":\"^0.1\"},{\"default_features\":false,\"name\":\"smallvec\",\"optional\":true,\"req\":\"^1\"},{\"name\":\"typed-arena\",\"optional\":true,\"req\":\"^2\"}],\"features\":{\"all\":[\"bin\",\"wasm\"],\"bin\":[\"loader\",\"rustc-demangle\",\"cpp_demangle\",\"fallible-iterator\",\"smallvec\",\"dep:clap\"],\"cargo-all\":[],\"default\":[\"rustc-demangle\",\"cpp_demangle\",\"loader\",\"fallible-iterator\",\"smallvec\"],\"loader\":[\"std\",\"dep:object\",\"dep:memmap2\",\"dep:typed-arena\"],\"rustc-dep-of-std\":[\"core\",\"alloc\",\"gimli/rustc-dep-of-std\"],\"std\":[\"gimli/std\"],\"wasm\":[\"object/wasm\"]}}", "adler2_2.0.1": "{\"dependencies\":[{\"name\":\"core\",\"optional\":true,\"package\":\"rustc-std-workspace-core\",\"req\":\"^1.0.0\"}],\"features\":{\"default\":[\"std\"],\"rustc-dep-of-std\":[\"core\"],\"std\":[]}}", "aead_0.5.2": "{\"dependencies\":[{\"default_features\":false,\"name\":\"arrayvec\",\"optional\":true,\"req\":\"^0.7\"},{\"name\":\"blobby\",\"optional\":true,\"req\":\"^0.3\"},{\"default_features\":false,\"name\":\"bytes\",\"optional\":true,\"req\":\"^1\"},{\"name\":\"crypto-common\",\"req\":\"^0.1.4\"},{\"default_features\":false,\"name\":\"generic-array\",\"req\":\"^0.14\"},{\"default_features\":false,\"name\":\"heapless\",\"optional\":true,\"req\":\"^0.7\"}],\"features\":{\"alloc\":[],\"default\":[\"rand_core\"],\"dev\":[\"blobby\"],\"getrandom\":[\"crypto-common/getrandom\",\"rand_core\"],\"rand_core\":[\"crypto-common/rand_core\"],\"std\":[\"alloc\",\"crypto-common/std\"],\"stream\":[]}}", + "aes-gcm_0.10.3": "{\"dependencies\":[{\"default_features\":false,\"name\":\"aead\",\"req\":\"^0.5\"},{\"default_features\":false,\"features\":[\"dev\"],\"kind\":\"dev\",\"name\":\"aead\",\"req\":\"^0.5\"},{\"name\":\"aes\",\"optional\":true,\"req\":\"^0.8\"},{\"name\":\"cipher\",\"req\":\"^0.4\"},{\"name\":\"ctr\",\"req\":\"^0.9\"},{\"default_features\":false,\"name\":\"ghash\",\"req\":\"^0.5\"},{\"kind\":\"dev\",\"name\":\"hex-literal\",\"req\":\"^0.3\"},{\"default_features\":false,\"name\":\"subtle\",\"req\":\"^2\"},{\"default_features\":false,\"name\":\"zeroize\",\"optional\":true,\"req\":\"^1\"}],\"features\":{\"alloc\":[\"aead/alloc\"],\"arrayvec\":[\"aead/arrayvec\"],\"default\":[\"aes\",\"alloc\",\"getrandom\"],\"getrandom\":[\"aead/getrandom\",\"rand_core\"],\"heapless\":[\"aead/heapless\"],\"rand_core\":[\"aead/rand_core\"],\"std\":[\"aead/std\",\"alloc\"],\"stream\":[\"aead/stream\"]}}", "aes_0.8.4": "{\"dependencies\":[{\"name\":\"cfg-if\",\"req\":\"^1\"},{\"name\":\"cipher\",\"req\":\"^0.4.2\"},{\"features\":[\"dev\"],\"kind\":\"dev\",\"name\":\"cipher\",\"req\":\"^0.4.2\"},{\"name\":\"cpufeatures\",\"req\":\"^0.2\",\"target\":\"cfg(any(target_arch = \\\"aarch64\\\", target_arch = \\\"x86_64\\\", target_arch = \\\"x86\\\"))\"},{\"kind\":\"dev\",\"name\":\"hex-literal\",\"req\":\"^0.3\"},{\"default_features\":false,\"features\":[\"aarch64\"],\"name\":\"zeroize\",\"optional\":true,\"req\":\"^1.5.6\",\"target\":\"cfg(all(aes_armv8, target_arch = \\\"aarch64\\\"))\"},{\"default_features\":false,\"name\":\"zeroize\",\"optional\":true,\"req\":\"^1.6.0\",\"target\":\"cfg(not(all(aes_armv8, target_arch = \\\"aarch64\\\")))\"}],\"features\":{\"hazmat\":[]}}", "age-core_0.11.0": "{\"dependencies\":[{\"name\":\"base64\",\"req\":\"^0.21\"},{\"default_features\":false,\"features\":[\"alloc\"],\"name\":\"chacha20poly1305\",\"req\":\"^0.10\"},{\"name\":\"cookie-factory\",\"req\":\"^0.3.1\"},{\"name\":\"hkdf\",\"req\":\"^0.12\"},{\"name\":\"io_tee\",\"req\":\"^0.1.1\"},{\"default_features\":false,\"features\":[\"alloc\"],\"name\":\"nom\",\"req\":\"^7\"},{\"name\":\"rand\",\"req\":\"^0.8\"},{\"name\":\"secrecy\",\"req\":\"^0.10\"},{\"name\":\"sha2\",\"req\":\"^0.10\"},{\"name\":\"tempfile\",\"optional\":true,\"req\":\"^3.2.0\"}],\"features\":{\"plugin\":[\"tempfile\"],\"unstable\":[]}}", "age_0.11.2": "{\"dependencies\":[{\"name\":\"aes\",\"optional\":true,\"req\":\"^0.8\"},{\"name\":\"aes-gcm\",\"optional\":true,\"req\":\"^0.10\"},{\"name\":\"age-core\",\"req\":\"^0.11.0\"},{\"name\":\"base64\",\"req\":\"^0.21\"},{\"name\":\"bcrypt-pbkdf\",\"optional\":true,\"req\":\"^0.10\"},{\"name\":\"bech32\",\"req\":\"^0.9\"},{\"name\":\"cbc\",\"optional\":true,\"req\":\"^0.1\"},{\"default_features\":false,\"features\":[\"alloc\"],\"name\":\"chacha20poly1305\",\"req\":\"^0.10\"},{\"features\":[\"alloc\"],\"name\":\"cipher\",\"optional\":true,\"req\":\"^0.4.3\"},{\"default_features\":false,\"name\":\"console\",\"optional\":true,\"req\":\"^0.15\"},{\"name\":\"cookie-factory\",\"req\":\"^0.3.1\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.5\"},{\"kind\":\"dev\",\"name\":\"criterion-cycles-per-byte\",\"req\":\"^0.6\",\"target\":\"cfg(any(target_arch = \\\"x86\\\", target_arch = \\\"x86_64\\\"))\"},{\"name\":\"ctr\",\"optional\":true,\"req\":\"^0.9\"},{\"name\":\"curve25519-dalek\",\"optional\":true,\"req\":\"^4\"},{\"name\":\"futures\",\"optional\":true,\"req\":\"^0.3\"},{\"kind\":\"dev\",\"name\":\"futures-test\",\"req\":\"^0.3\"},{\"kind\":\"dev\",\"name\":\"hex\",\"req\":\"^0.4\"},{\"name\":\"hmac\",\"req\":\"^0.12\"},{\"features\":[\"fluent-system\"],\"name\":\"i18n-embed\",\"req\":\"^0.15\"},{\"features\":[\"fluent-system\",\"desktop-requester\"],\"kind\":\"dev\",\"name\":\"i18n-embed\",\"req\":\"^0.15\"},{\"name\":\"i18n-embed-fl\",\"req\":\"^0.9\"},{\"name\":\"is-terminal\",\"optional\":true,\"req\":\"^0.4\"},{\"name\":\"lazy_static\",\"req\":\"^1\"},{\"name\":\"memchr\",\"optional\":true,\"req\":\"^2.5\"},{\"default_features\":false,\"features\":[\"alloc\"],\"name\":\"nom\",\"req\":\"^7\"},{\"name\":\"num-traits\",\"optional\":true,\"req\":\"^0.2\"},{\"name\":\"pin-project\",\"req\":\"^1\"},{\"name\":\"pinentry\",\"optional\":true,\"req\":\"^0.6\"},{\"features\":[\"criterion\",\"flamegraph\"],\"kind\":\"dev\",\"name\":\"pprof\",\"req\":\"^0.13\",\"target\":\"cfg(unix)\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"rand\",\"req\":\"^0.8\"},{\"name\":\"rpassword\",\"optional\":true,\"req\":\"^7\"},{\"default_features\":false,\"name\":\"rsa\",\"optional\":true,\"req\":\"^0.9\"},{\"name\":\"rust-embed\",\"req\":\"^8\"},{\"default_features\":false,\"name\":\"scrypt\",\"req\":\"^0.11\"},{\"name\":\"sha2\",\"req\":\"^0.10\"},{\"name\":\"subtle\",\"req\":\"^2\"},{\"kind\":\"dev\",\"name\":\"test-case\",\"req\":\"^3\"},{\"features\":[\"macros\",\"rt-multi-thread\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1\"},{\"features\":[\"Window\",\"Performance\"],\"name\":\"web-sys\",\"optional\":true,\"req\":\"^0.3\"},{\"name\":\"which\",\"optional\":true,\"req\":\"^4\",\"target\":\"cfg(any(unix, windows))\"},{\"name\":\"wsl\",\"optional\":true,\"req\":\"^0.1\",\"target\":\"cfg(any(unix, windows))\"},{\"features\":[\"static_secrets\"],\"name\":\"x25519-dalek\",\"req\":\"^2\"},{\"name\":\"zeroize\",\"req\":\"^1\"}],\"features\":{\"armor\":[],\"async\":[\"futures\",\"memchr\"],\"cli-common\":[\"console\",\"is-terminal\",\"pinentry\",\"rpassword\"],\"default\":[],\"plugin\":[\"age-core/plugin\",\"which\",\"wsl\"],\"ssh\":[\"aes\",\"aes-gcm\",\"bcrypt-pbkdf\",\"cbc\",\"cipher\",\"ctr\",\"curve25519-dalek\",\"num-traits\",\"rsa\"],\"unstable\":[\"age-core/unstable\"]}}", @@ -756,6 +757,7 @@ "clap_derive_4.6.0": "{\"dependencies\":[{\"name\":\"anstyle\",\"optional\":true,\"req\":\"^1.0.13\"},{\"name\":\"heck\",\"req\":\"^0.5.0\"},{\"name\":\"proc-macro2\",\"req\":\"^1.0.106\"},{\"default_features\":false,\"name\":\"pulldown-cmark\",\"optional\":true,\"req\":\"^0.13.1\"},{\"name\":\"quote\",\"req\":\"^1.0.45\"},{\"features\":[\"full\"],\"name\":\"syn\",\"req\":\"^2.0.117\"}],\"features\":{\"debug\":[],\"default\":[],\"deprecated\":[],\"raw-deprecated\":[\"deprecated\"],\"unstable-markdown\":[\"dep:pulldown-cmark\",\"dep:anstyle\"],\"unstable-v5\":[\"deprecated\"]}}", "clap_lex_1.0.0": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"automod\",\"req\":\"^1.0.14\"}],\"features\":{}}", "clap_lex_1.1.0": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"automod\",\"req\":\"^1.0.16\"}],\"features\":{}}", + "clatter_2.2.0": "{\"dependencies\":[{\"default_features\":false,\"features\":[\"aes\"],\"name\":\"aes-gcm\",\"optional\":true,\"req\":\"^0.10.3\"},{\"default_features\":false,\"features\":[\"zeroize\"],\"name\":\"arrayvec\",\"req\":\"^0.7.6\"},{\"default_features\":false,\"name\":\"blake2\",\"optional\":true,\"req\":\"^0.10.6\"},{\"default_features\":false,\"features\":[\"rand_core\"],\"name\":\"chacha20poly1305\",\"optional\":true,\"req\":\"^0.10.1\"},{\"default_features\":false,\"name\":\"displaydoc\",\"req\":\"^0.2.5\"},{\"name\":\"getrandom\",\"optional\":true,\"req\":\"^0.3.3\"},{\"default_features\":false,\"features\":[\"zeroize\"],\"name\":\"ml-kem\",\"optional\":true,\"req\":\"^0.2.1\"},{\"default_features\":false,\"name\":\"pqcrypto-mlkem\",\"optional\":true,\"req\":\"^0.1.1\"},{\"default_features\":false,\"name\":\"pqcrypto-traits\",\"optional\":true,\"req\":\"^0.3.5\"},{\"kind\":\"dev\",\"name\":\"rand\",\"req\":\"^0.8.5\"},{\"name\":\"rand_core\",\"req\":\"^0.6\"},{\"default_features\":false,\"name\":\"sha2\",\"optional\":true,\"req\":\"^0.10.9\"},{\"default_features\":false,\"name\":\"thiserror-no-std\",\"req\":\"^2.0.2\"},{\"default_features\":false,\"features\":[\"static_secrets\",\"zeroize\"],\"name\":\"x25519-dalek\",\"optional\":true,\"req\":\"^2.0.1\"},{\"default_features\":false,\"features\":[\"zeroize_derive\"],\"name\":\"zeroize\",\"req\":\"^1.8.1\"}],\"features\":{\"alloc\":[],\"core\":[\"use-aes-gcm\",\"use-chacha20poly1305\",\"use-sha\",\"use-blake2\",\"use-25519\",\"use-rust-crypto-ml-kem\"],\"default\":[\"std\",\"use-aes-gcm\",\"use-chacha20poly1305\",\"use-sha\",\"use-blake2\",\"use-25519\",\"use-pqclean-ml-kem\",\"use-rust-crypto-ml-kem\"],\"getrandom\":[\"dep:getrandom\"],\"std\":[\"alloc\",\"sha2/std\",\"blake2/std\",\"aes-gcm/std\",\"chacha20poly1305/std\",\"ml-kem/std\",\"zeroize/std\",\"getrandom\"],\"use-25519\":[\"x25519-dalek\"],\"use-aes-gcm\":[\"aes-gcm\"],\"use-blake2\":[\"blake2\"],\"use-chacha20poly1305\":[\"chacha20poly1305\"],\"use-pqclean-ml-kem\":[\"pqcrypto-mlkem\",\"pqcrypto-traits\",\"getrandom\"],\"use-rust-crypto-ml-kem\":[\"ml-kem\"],\"use-sha\":[\"sha2\"]}}", "clipboard-win_5.4.1": "{\"dependencies\":[{\"name\":\"error-code\",\"req\":\"^3\",\"target\":\"cfg(windows)\"},{\"name\":\"windows-win\",\"optional\":true,\"req\":\"^3\",\"target\":\"cfg(windows)\"}],\"features\":{\"monitor\":[\"windows-win\"],\"std\":[\"error-code/std\"]}}", "clru_0.6.3": "{\"dependencies\":[{\"name\":\"hashbrown\",\"req\":\"^0.16\"}],\"features\":{}}", "cmake_0.1.57": "{\"dependencies\":[{\"name\":\"cc\",\"req\":\"^1.2.46\"}],\"features\":{}}", @@ -814,6 +816,7 @@ "ctor-proc-macro_0.0.7": "{\"dependencies\":[],\"features\":{\"default\":[]}}", "ctor_0.1.26": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"libc-print\",\"req\":\"^0.1.20\"},{\"name\":\"quote\",\"req\":\"^1.0.20\"},{\"default_features\":false,\"features\":[\"full\",\"parsing\",\"printing\",\"proc-macro\"],\"name\":\"syn\",\"req\":\"^1.0.98\"}],\"features\":{}}", "ctor_0.6.3": "{\"dependencies\":[{\"name\":\"ctor-proc-macro\",\"optional\":true,\"req\":\"=0.0.7\"},{\"default_features\":false,\"name\":\"dtor\",\"optional\":true,\"req\":\"^0.1.0\"},{\"kind\":\"dev\",\"name\":\"libc-print\",\"req\":\"^0.1.20\"}],\"features\":{\"__no_warn_on_missing_unsafe\":[\"dtor?/__no_warn_on_missing_unsafe\"],\"default\":[\"dtor\",\"proc_macro\",\"__no_warn_on_missing_unsafe\"],\"dtor\":[\"dep:dtor\"],\"proc_macro\":[\"dep:ctor-proc-macro\",\"dtor?/proc_macro\"],\"used_linker\":[\"dtor?/used_linker\"]}}", + "ctr_0.9.2": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"aes\",\"req\":\"^0.8\"},{\"name\":\"cipher\",\"req\":\"^0.4.2\"},{\"features\":[\"dev\"],\"kind\":\"dev\",\"name\":\"cipher\",\"req\":\"^0.4.2\"},{\"kind\":\"dev\",\"name\":\"hex-literal\",\"req\":\"^0.3.3\"},{\"kind\":\"dev\",\"name\":\"kuznyechik\",\"req\":\"^0.8\"},{\"kind\":\"dev\",\"name\":\"magma\",\"req\":\"^0.8\"}],\"features\":{\"alloc\":[\"cipher/alloc\"],\"block-padding\":[\"cipher/block-padding\"],\"std\":[\"cipher/std\",\"alloc\"],\"zeroize\":[\"cipher/zeroize\"]}}", "ctutils_0.4.2": "{\"dependencies\":[{\"name\":\"cmov\",\"req\":\"^0.5.3\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1.11\"},{\"default_features\":false,\"name\":\"subtle\",\"optional\":true,\"req\":\"^2\"}],\"features\":{\"alloc\":[],\"subtle\":[\"dep:subtle\"]}}", "curve25519-dalek-derive_0.1.1": "{\"dependencies\":[{\"name\":\"proc-macro2\",\"req\":\"^1.0.66\"},{\"name\":\"quote\",\"req\":\"^1.0.31\"},{\"features\":[\"full\"],\"name\":\"syn\",\"req\":\"^2.0.27\"}],\"features\":{}}", "curve25519-dalek_4.1.3": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"bincode\",\"req\":\"^1\"},{\"name\":\"cfg-if\",\"req\":\"^1\"},{\"name\":\"cpufeatures\",\"req\":\"^0.2.6\",\"target\":\"cfg(target_arch = \\\"x86_64\\\")\"},{\"features\":[\"html_reports\"],\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.5\"},{\"name\":\"curve25519-dalek-derive\",\"req\":\"^0.1\",\"target\":\"cfg(all(not(curve25519_dalek_backend = \\\"fiat\\\"), not(curve25519_dalek_backend = \\\"serial\\\"), target_arch = \\\"x86_64\\\"))\"},{\"default_features\":false,\"name\":\"digest\",\"optional\":true,\"req\":\"^0.10\"},{\"default_features\":false,\"name\":\"ff\",\"optional\":true,\"req\":\"^0.13\"},{\"default_features\":false,\"name\":\"fiat-crypto\",\"req\":\"^0.2.1\",\"target\":\"cfg(curve25519_dalek_backend = \\\"fiat\\\")\"},{\"default_features\":false,\"name\":\"group\",\"optional\":true,\"req\":\"^0.13\"},{\"kind\":\"dev\",\"name\":\"hex\",\"req\":\"^0.4.2\"},{\"kind\":\"dev\",\"name\":\"rand\",\"req\":\"^0.8\"},{\"default_features\":false,\"name\":\"rand_core\",\"optional\":true,\"req\":\"^0.6.4\"},{\"default_features\":false,\"features\":[\"getrandom\"],\"kind\":\"dev\",\"name\":\"rand_core\",\"req\":\"^0.6\"},{\"kind\":\"build\",\"name\":\"rustc_version\",\"req\":\"^0.4.0\"},{\"default_features\":false,\"features\":[\"derive\"],\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0\"},{\"default_features\":false,\"kind\":\"dev\",\"name\":\"sha2\",\"req\":\"^0.10\"},{\"default_features\":false,\"name\":\"subtle\",\"req\":\"^2.3.0\"},{\"default_features\":false,\"name\":\"zeroize\",\"optional\":true,\"req\":\"^1\"}],\"features\":{\"alloc\":[\"zeroize?/alloc\"],\"default\":[\"alloc\",\"precomputed-tables\",\"zeroize\"],\"group\":[\"dep:group\",\"rand_core\"],\"group-bits\":[\"group\",\"ff/bits\"],\"legacy_compatibility\":[],\"precomputed-tables\":[]}}", @@ -963,6 +966,7 @@ "getrandom_0.2.17": "{\"dependencies\":[{\"name\":\"cfg-if\",\"req\":\"^1\"},{\"name\":\"compiler_builtins\",\"optional\":true,\"req\":\"^0.1\"},{\"name\":\"core\",\"optional\":true,\"package\":\"rustc-std-workspace-core\",\"req\":\"^1.0\"},{\"name\":\"js-sys\",\"optional\":true,\"req\":\"^0.3\",\"target\":\"cfg(all(any(target_arch = \\\"wasm32\\\", target_arch = \\\"wasm64\\\"), target_os = \\\"unknown\\\"))\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(unix)\"},{\"default_features\":false,\"name\":\"wasi\",\"req\":\"^0.11\",\"target\":\"cfg(target_os = \\\"wasi\\\")\"},{\"default_features\":false,\"name\":\"wasm-bindgen\",\"optional\":true,\"req\":\"^0.2.62\",\"target\":\"cfg(all(any(target_arch = \\\"wasm32\\\", target_arch = \\\"wasm64\\\"), target_os = \\\"unknown\\\"))\"},{\"kind\":\"dev\",\"name\":\"wasm-bindgen-test\",\"req\":\"^0.3.18\",\"target\":\"cfg(all(any(target_arch = \\\"wasm32\\\", target_arch = \\\"wasm64\\\"), target_os = \\\"unknown\\\"))\"}],\"features\":{\"custom\":[],\"js\":[\"wasm-bindgen\",\"js-sys\"],\"linux_disable_fallback\":[],\"rdrand\":[],\"rustc-dep-of-std\":[\"compiler_builtins\",\"core\",\"libc/rustc-dep-of-std\",\"wasi/rustc-dep-of-std\"],\"std\":[],\"test-in-browser\":[]}}", "getrandom_0.3.4": "{\"dependencies\":[{\"name\":\"cfg-if\",\"req\":\"^1\"},{\"default_features\":false,\"name\":\"js-sys\",\"optional\":true,\"req\":\"^0.3.77\",\"target\":\"cfg(all(target_arch = \\\"wasm32\\\", any(target_os = \\\"unknown\\\", target_os = \\\"none\\\"), target_feature = \\\"atomics\\\"))\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(all(any(target_os = \\\"linux\\\", target_os = \\\"android\\\"), not(any(all(target_os = \\\"linux\\\", target_env = \\\"\\\"), getrandom_backend = \\\"custom\\\", getrandom_backend = \\\"linux_raw\\\", getrandom_backend = \\\"rdrand\\\", getrandom_backend = \\\"rndr\\\"))))\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(any(target_os = \\\"dragonfly\\\", target_os = \\\"freebsd\\\", target_os = \\\"hurd\\\", target_os = \\\"illumos\\\", target_os = \\\"cygwin\\\", all(target_os = \\\"horizon\\\", target_arch = \\\"arm\\\")))\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(any(target_os = \\\"haiku\\\", target_os = \\\"redox\\\", target_os = \\\"nto\\\", target_os = \\\"aix\\\"))\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(any(target_os = \\\"ios\\\", target_os = \\\"visionos\\\", target_os = \\\"watchos\\\", target_os = \\\"tvos\\\"))\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(any(target_os = \\\"macos\\\", target_os = \\\"openbsd\\\", target_os = \\\"vita\\\", target_os = \\\"emscripten\\\"))\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(target_os = \\\"netbsd\\\")\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(target_os = \\\"solaris\\\")\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(target_os = \\\"vxworks\\\")\"},{\"default_features\":false,\"name\":\"r-efi\",\"req\":\"^5.1\",\"target\":\"cfg(all(target_os = \\\"uefi\\\", getrandom_backend = \\\"efi_rng\\\"))\"},{\"default_features\":false,\"name\":\"wasip2\",\"req\":\"^1\",\"target\":\"cfg(all(target_arch = \\\"wasm32\\\", target_os = \\\"wasi\\\", target_env = \\\"p2\\\"))\"},{\"default_features\":false,\"name\":\"wasm-bindgen\",\"optional\":true,\"req\":\"^0.2.98\",\"target\":\"cfg(all(target_arch = \\\"wasm32\\\", any(target_os = \\\"unknown\\\", target_os = \\\"none\\\")))\"},{\"kind\":\"dev\",\"name\":\"wasm-bindgen-test\",\"req\":\"^0.3\",\"target\":\"cfg(all(target_arch = \\\"wasm32\\\", any(target_os = \\\"unknown\\\", target_os = \\\"none\\\")))\"}],\"features\":{\"std\":[],\"wasm_js\":[\"dep:wasm-bindgen\",\"dep:js-sys\"]}}", "getrandom_0.4.2": "{\"dependencies\":[{\"name\":\"cfg-if\",\"req\":\"^1\"},{\"default_features\":false,\"name\":\"js-sys\",\"optional\":true,\"req\":\"^0.3.77\",\"target\":\"cfg(all(target_arch = \\\"wasm32\\\", any(target_os = \\\"unknown\\\", target_os = \\\"none\\\"), target_feature = \\\"atomics\\\"))\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(all(any(target_os = \\\"linux\\\", target_os = \\\"android\\\"), not(any(all(target_os = \\\"linux\\\", target_env = \\\"\\\"), getrandom_backend = \\\"custom\\\", getrandom_backend = \\\"linux_raw\\\", getrandom_backend = \\\"rdrand\\\", getrandom_backend = \\\"rndr\\\"))))\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(any(target_os = \\\"dragonfly\\\", target_os = \\\"freebsd\\\", target_os = \\\"hurd\\\", target_os = \\\"illumos\\\", target_os = \\\"cygwin\\\", all(target_os = \\\"horizon\\\", target_arch = \\\"arm\\\")))\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(any(target_os = \\\"haiku\\\", target_os = \\\"redox\\\", target_os = \\\"nto\\\", target_os = \\\"aix\\\"))\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(any(target_os = \\\"ios\\\", target_os = \\\"visionos\\\", target_os = \\\"watchos\\\", target_os = \\\"tvos\\\"))\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(any(target_os = \\\"macos\\\", target_os = \\\"openbsd\\\", target_os = \\\"vita\\\", target_os = \\\"emscripten\\\"))\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(target_os = \\\"netbsd\\\")\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(target_os = \\\"solaris\\\")\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2.154\",\"target\":\"cfg(target_os = \\\"vxworks\\\")\"},{\"default_features\":false,\"name\":\"r-efi\",\"req\":\"^6\",\"target\":\"cfg(all(target_os = \\\"uefi\\\", getrandom_backend = \\\"efi_rng\\\"))\"},{\"name\":\"rand_core\",\"optional\":true,\"req\":\"^0.10.0\"},{\"default_features\":false,\"name\":\"wasip2\",\"req\":\"^1\",\"target\":\"cfg(all(target_arch = \\\"wasm32\\\", target_os = \\\"wasi\\\", target_env = \\\"p2\\\"))\"},{\"name\":\"wasip3\",\"req\":\"^0.4\",\"target\":\"cfg(all(target_arch = \\\"wasm32\\\", target_os = \\\"wasi\\\", target_env = \\\"p3\\\"))\"},{\"default_features\":false,\"name\":\"wasm-bindgen\",\"optional\":true,\"req\":\"^0.2.98\",\"target\":\"cfg(all(target_arch = \\\"wasm32\\\", any(target_os = \\\"unknown\\\", target_os = \\\"none\\\")))\"},{\"kind\":\"dev\",\"name\":\"wasm-bindgen-test\",\"req\":\"^0.3\",\"target\":\"cfg(all(target_arch = \\\"wasm32\\\", any(target_os = \\\"unknown\\\", target_os = \\\"none\\\")))\"}],\"features\":{\"std\":[],\"sys_rng\":[\"dep:rand_core\"],\"wasm_js\":[\"dep:wasm-bindgen\",\"dep:js-sys\"]}}", + "ghash_0.5.1": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"hex-literal\",\"req\":\"^0.3\"},{\"name\":\"opaque-debug\",\"req\":\"^0.3\"},{\"name\":\"polyval\",\"req\":\"^0.6.2\"},{\"default_features\":false,\"name\":\"zeroize\",\"optional\":true,\"req\":\"^1\"}],\"features\":{\"std\":[\"polyval/std\"]}}", "gif_0.14.1": "{\"dependencies\":[{\"name\":\"color_quant\",\"optional\":true,\"req\":\"^1.1\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.7.0\"},{\"kind\":\"dev\",\"name\":\"glob\",\"req\":\"^0.3\"},{\"kind\":\"dev\",\"name\":\"png\",\"req\":\"^0.18.0\"},{\"kind\":\"dev\",\"name\":\"rayon\",\"req\":\"^1.10.0\"},{\"name\":\"weezl\",\"req\":\"^0.1.10\"}],\"features\":{\"color_quant\":[\"dep:color_quant\"],\"default\":[\"raii_no_panic\",\"std\",\"color_quant\"],\"raii_no_panic\":[],\"std\":[]}}", "gimli_0.32.3": "{\"dependencies\":[{\"name\":\"alloc\",\"optional\":true,\"package\":\"rustc-std-workspace-alloc\",\"req\":\"^1.0.0\"},{\"name\":\"core\",\"optional\":true,\"package\":\"rustc-std-workspace-core\",\"req\":\"^1.0.0\"},{\"default_features\":false,\"name\":\"fallible-iterator\",\"optional\":true,\"req\":\"^0.3.0\"},{\"name\":\"indexmap\",\"optional\":true,\"req\":\"^2.0.0\"},{\"default_features\":false,\"name\":\"stable_deref_trait\",\"optional\":true,\"req\":\"^1.1.0\"},{\"kind\":\"dev\",\"name\":\"test-assembler\",\"req\":\"^0.1.3\"}],\"features\":{\"default\":[\"read-all\",\"write\"],\"endian-reader\":[\"read\",\"dep:stable_deref_trait\"],\"fallible-iterator\":[\"dep:fallible-iterator\"],\"read\":[\"read-core\"],\"read-all\":[\"read\",\"std\",\"fallible-iterator\",\"endian-reader\"],\"read-core\":[],\"rustc-dep-of-std\":[\"dep:core\",\"dep:alloc\"],\"std\":[\"fallible-iterator?/std\",\"stable_deref_trait?/std\"],\"write\":[\"dep:indexmap\"]}}", "gio-sys_0.21.5": "{\"dependencies\":[{\"name\":\"glib-sys\",\"req\":\"^0.21\"},{\"name\":\"gobject-sys\",\"req\":\"^0.21\"},{\"name\":\"libc\",\"req\":\"^0.2\"},{\"kind\":\"dev\",\"name\":\"shell-words\",\"req\":\"^1.0.0\"},{\"kind\":\"build\",\"name\":\"system-deps\",\"req\":\"^7\"},{\"kind\":\"dev\",\"name\":\"tempfile\",\"req\":\"^3\"},{\"features\":[\"Win32_Networking_WinSock\"],\"name\":\"windows-sys\",\"req\":\">=0.52, <=0.61\",\"target\":\"cfg(windows)\"}],\"features\":{\"v2_58\":[],\"v2_60\":[\"v2_58\"],\"v2_62\":[\"v2_60\"],\"v2_64\":[\"v2_62\"],\"v2_66\":[\"v2_64\"],\"v2_68\":[\"v2_66\"],\"v2_70\":[\"v2_68\"],\"v2_72\":[\"v2_70\"],\"v2_74\":[\"v2_72\"],\"v2_76\":[\"v2_74\"],\"v2_78\":[\"v2_76\"],\"v2_80\":[\"v2_78\"],\"v2_82\":[\"v2_80\"],\"v2_84\":[\"v2_82\"],\"v2_86\":[\"v2_84\"]}}", @@ -1338,6 +1342,7 @@ "png_0.18.0": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"approx\",\"req\":\"^0.5.1\"},{\"name\":\"bitflags\",\"req\":\"^2.0\"},{\"kind\":\"dev\",\"name\":\"byteorder\",\"req\":\"^1.5.0\"},{\"features\":[\"derive\"],\"kind\":\"dev\",\"name\":\"clap\",\"req\":\"^4.0\"},{\"name\":\"crc32fast\",\"req\":\"^1.2.0\"},{\"default_features\":false,\"features\":[\"cargo_bench_support\"],\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.7.0\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.7.0\",\"target\":\"cfg(not(target_arch = \\\"wasm32\\\"))\"},{\"name\":\"fdeflate\",\"req\":\"^0.3.3\"},{\"name\":\"flate2\",\"req\":\"^1.0.35\"},{\"kind\":\"dev\",\"name\":\"glob\",\"req\":\"^0.3\"},{\"features\":[\"simd\"],\"name\":\"miniz_oxide\",\"req\":\"^0.8\"},{\"kind\":\"dev\",\"name\":\"rand\",\"req\":\"^0.9.2\"}],\"features\":{\"benchmarks\":[],\"unstable\":[\"crc32fast/nightly\"],\"zlib-rs\":[\"flate2/zlib-rs\"]}}", "polling_3.11.0": "{\"dependencies\":[{\"name\":\"cfg-if\",\"req\":\"^1\"},{\"name\":\"concurrent-queue\",\"req\":\"^2.2.0\",\"target\":\"cfg(windows)\"},{\"kind\":\"dev\",\"name\":\"easy-parallel\",\"req\":\"^3.1.0\"},{\"kind\":\"dev\",\"name\":\"fastrand\",\"req\":\"^2.0.0\"},{\"name\":\"hermit-abi\",\"req\":\"^0.5.0\",\"target\":\"cfg(target_os = \\\"hermit\\\")\"},{\"kind\":\"dev\",\"name\":\"libc\",\"req\":\"^0.2\",\"target\":\"cfg(unix)\"},{\"name\":\"pin-project-lite\",\"req\":\"^0.2.9\",\"target\":\"cfg(windows)\"},{\"default_features\":false,\"features\":[\"event\",\"fs\",\"pipe\",\"process\",\"std\",\"time\"],\"name\":\"rustix\",\"req\":\"^1.0.5\",\"target\":\"cfg(any(unix, target_os = \\\"fuchsia\\\", target_os = \\\"vxworks\\\"))\"},{\"kind\":\"dev\",\"name\":\"signal-hook\",\"req\":\"^0.3.17\",\"target\":\"cfg(all(unix, not(target_os=\\\"vita\\\")))\"},{\"kind\":\"dev\",\"name\":\"socket2\",\"req\":\"^0.6.0\"},{\"default_features\":false,\"name\":\"tracing\",\"optional\":true,\"req\":\"^0.1.37\"},{\"features\":[\"Wdk_Foundation\",\"Wdk_Storage_FileSystem\",\"Win32_Foundation\",\"Win32_Networking_WinSock\",\"Win32_Security\",\"Win32_Storage_FileSystem\",\"Win32_System_IO\",\"Win32_System_LibraryLoader\",\"Win32_System_Threading\",\"Win32_System_WindowsProgramming\"],\"name\":\"windows-sys\",\"req\":\"^0.61\",\"target\":\"cfg(windows)\"}],\"features\":{}}", "poly1305_0.8.0": "{\"dependencies\":[{\"name\":\"cpufeatures\",\"req\":\"^0.2\",\"target\":\"cfg(any(target_arch = \\\"x86_64\\\", target_arch = \\\"x86\\\"))\"},{\"kind\":\"dev\",\"name\":\"hex-literal\",\"req\":\"^0.3\"},{\"name\":\"opaque-debug\",\"req\":\"^0.3\"},{\"default_features\":false,\"name\":\"universal-hash\",\"req\":\"^0.5\"},{\"default_features\":false,\"name\":\"zeroize\",\"optional\":true,\"req\":\"^1\"}],\"features\":{\"std\":[\"universal-hash/std\"]}}", + "polyval_0.6.2": "{\"dependencies\":[{\"name\":\"cfg-if\",\"req\":\"^1\"},{\"name\":\"cpufeatures\",\"req\":\"^0.2\",\"target\":\"cfg(any(target_arch = \\\"aarch64\\\", target_arch = \\\"x86_64\\\", target_arch = \\\"x86\\\"))\"},{\"kind\":\"dev\",\"name\":\"hex-literal\",\"req\":\"^0.3\"},{\"name\":\"opaque-debug\",\"req\":\"^0.3\"},{\"default_features\":false,\"name\":\"universal-hash\",\"req\":\"^0.5\"},{\"default_features\":false,\"name\":\"zeroize\",\"optional\":true,\"req\":\"^1\"}],\"features\":{\"std\":[\"universal-hash/std\"]}}", "portable-atomic-util_0.2.5": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"build-context\",\"req\":\"^0.1\"},{\"default_features\":false,\"features\":[\"require-cas\"],\"name\":\"portable-atomic\",\"req\":\"^1.5.1\"}],\"features\":{\"alloc\":[],\"default\":[],\"std\":[\"alloc\"]}}", "portable-atomic-util_0.2.6": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"build-context\",\"req\":\"^0.1\"},{\"default_features\":false,\"features\":[\"require-cas\"],\"name\":\"portable-atomic\",\"req\":\"^1.5.1\"}],\"features\":{\"alloc\":[],\"default\":[],\"std\":[\"alloc\"]}}", "portable-atomic_1.13.1": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"build-context\",\"req\":\"^0.1\"},{\"kind\":\"dev\",\"name\":\"crabgrind\",\"req\":\"^0.1\",\"target\":\"cfg(valgrind)\"},{\"name\":\"critical-section\",\"optional\":true,\"req\":\"^1\"},{\"kind\":\"dev\",\"name\":\"crossbeam-utils\",\"req\":\"=0.8.16\"},{\"kind\":\"dev\",\"name\":\"fastrand\",\"req\":\"^2\"},{\"kind\":\"dev\",\"name\":\"libc\",\"req\":\"=0.2.163\",\"target\":\"cfg(unix)\"},{\"kind\":\"dev\",\"name\":\"paste\",\"req\":\"^1\"},{\"default_features\":false,\"kind\":\"dev\",\"name\":\"quickcheck\",\"req\":\"^1\"},{\"kind\":\"dev\",\"name\":\"rustversion\",\"req\":\"^1\"},{\"default_features\":false,\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0.60\"},{\"kind\":\"dev\",\"name\":\"sptr\",\"req\":\"^0.3\"},{\"kind\":\"dev\",\"name\":\"static_assertions\",\"req\":\"^1\"},{\"features\":[\"Win32_Foundation\",\"Win32_System_Threading\"],\"kind\":\"dev\",\"name\":\"windows-sys\",\"req\":\"^0.61\",\"target\":\"cfg(windows)\"}],\"features\":{\"default\":[\"fallback\"],\"disable-fiq\":[],\"fallback\":[],\"float\":[],\"force-amo\":[],\"require-cas\":[],\"s-mode\":[],\"std\":[],\"unsafe-assume-privileged\":[],\"unsafe-assume-single-core\":[]}}", @@ -1604,8 +1609,10 @@ "tester_0.9.1": "{\"dependencies\":[{\"name\":\"cfg-if\",\"req\":\"^1.0.0\"},{\"name\":\"getopts\",\"req\":\"^0.2\"},{\"default_features\":false,\"name\":\"libc\",\"req\":\"^0.2\",\"target\":\"cfg(unix)\"},{\"name\":\"num_cpus\",\"req\":\"^1.13.0\"},{\"name\":\"term\",\"req\":\"^0.7\"}],\"features\":{\"asm_black_box\":[],\"capture\":[]}}", "textwrap_0.11.0": "{\"dependencies\":[{\"features\":[\"embed_all\"],\"name\":\"hyphenation\",\"optional\":true,\"req\":\"^0.7.1\"},{\"kind\":\"dev\",\"name\":\"lipsum\",\"req\":\"^0.6\"},{\"kind\":\"dev\",\"name\":\"rand\",\"req\":\"^0.6\"},{\"kind\":\"dev\",\"name\":\"rand_xorshift\",\"req\":\"^0.1\"},{\"name\":\"term_size\",\"optional\":true,\"req\":\"^0.3.0\"},{\"name\":\"unicode-width\",\"req\":\"^0.1.3\"},{\"kind\":\"dev\",\"name\":\"version-sync\",\"req\":\"^0.6\"}],\"features\":{}}", "textwrap_0.16.2": "{\"dependencies\":[{\"features\":[\"embed_en-us\"],\"name\":\"hyphenation\",\"optional\":true,\"req\":\"^0.8.4\"},{\"name\":\"smawk\",\"optional\":true,\"req\":\"^0.3.2\"},{\"name\":\"terminal_size\",\"optional\":true,\"req\":\"^0.4.0\"},{\"kind\":\"dev\",\"name\":\"termion\",\"req\":\"^4.0.2\",\"target\":\"cfg(unix)\"},{\"kind\":\"dev\",\"name\":\"unic-emoji-char\",\"req\":\"^0.9.0\"},{\"name\":\"unicode-linebreak\",\"optional\":true,\"req\":\"^0.1.5\"},{\"name\":\"unicode-width\",\"optional\":true,\"req\":\"^0.2.0\"},{\"kind\":\"dev\",\"name\":\"version-sync\",\"req\":\"^0.9.5\"}],\"features\":{\"default\":[\"unicode-linebreak\",\"unicode-width\",\"smawk\"]}}", + "thiserror-impl-no-std_2.0.2": "{\"dependencies\":[{\"name\":\"proc-macro2\",\"req\":\"^1.0\"},{\"name\":\"quote\",\"req\":\"^1.0\"},{\"name\":\"syn\",\"req\":\"^1.0.45\"}],\"features\":{\"std\":[]}}", "thiserror-impl_1.0.69": "{\"dependencies\":[{\"name\":\"proc-macro2\",\"req\":\"^1.0.74\"},{\"name\":\"quote\",\"req\":\"^1.0.35\"},{\"name\":\"syn\",\"req\":\"^2.0.87\"}],\"features\":{}}", "thiserror-impl_2.0.18": "{\"dependencies\":[{\"name\":\"proc-macro2\",\"req\":\"^1.0.74\"},{\"name\":\"quote\",\"req\":\"^1.0.35\"},{\"name\":\"syn\",\"req\":\"^2.0.87\"}],\"features\":{}}", + "thiserror-no-std_2.0.2": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"anyhow\",\"req\":\"^1.0\"},{\"kind\":\"dev\",\"name\":\"ref-cast\",\"req\":\"^1.0\"},{\"kind\":\"dev\",\"name\":\"rustversion\",\"req\":\"^1.0\"},{\"name\":\"thiserror-impl-no-std\",\"req\":\"=2.0.2\"},{\"features\":[\"diff\"],\"kind\":\"dev\",\"name\":\"trybuild\",\"req\":\"^1.0.49\"}],\"features\":{\"std\":[\"thiserror-impl-no-std/std\"]}}", "thiserror_1.0.69": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"anyhow\",\"req\":\"^1.0.73\"},{\"kind\":\"dev\",\"name\":\"ref-cast\",\"req\":\"^1.0.18\"},{\"kind\":\"dev\",\"name\":\"rustversion\",\"req\":\"^1.0.13\"},{\"name\":\"thiserror-impl\",\"req\":\"=1.0.69\"},{\"features\":[\"diff\"],\"kind\":\"dev\",\"name\":\"trybuild\",\"req\":\"^1.0.81\"}],\"features\":{}}", "thiserror_2.0.18": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"anyhow\",\"req\":\"^1.0.73\"},{\"kind\":\"dev\",\"name\":\"ref-cast\",\"req\":\"^1.0.18\"},{\"kind\":\"dev\",\"name\":\"rustversion\",\"req\":\"^1.0.13\"},{\"name\":\"thiserror-impl\",\"req\":\"=2.0.18\"},{\"features\":[\"diff\"],\"kind\":\"dev\",\"name\":\"trybuild\",\"req\":\"^1.0.108\"}],\"features\":{\"default\":[\"std\"],\"std\":[]}}", "thread_local_1.1.9": "{\"dependencies\":[{\"name\":\"cfg-if\",\"req\":\"^1.0.0\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.5.1\"}],\"features\":{\"nightly\":[]}}", diff --git a/codex-rs/Cargo.lock b/codex-rs/Cargo.lock index 2183d91b640..766bc5e2338 100644 --- a/codex-rs/Cargo.lock +++ b/codex-rs/Cargo.lock @@ -196,6 +196,20 @@ dependencies = [ "cpufeatures 0.2.17", ] +[[package]] +name = "aes-gcm" +version = "0.10.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "831010a0f742e1209b3bcea8fab6a8e149051ba6099432c8cb2cc117dec3ead1" +dependencies = [ + "aead", + "aes", + "cipher", + "ctr", + "ghash", + "subtle", +] + [[package]] name = "age" version = "0.11.2" @@ -468,6 +482,9 @@ name = "arrayvec" version = "0.7.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50" +dependencies = [ + "zeroize", +] [[package]] name = "ascii" @@ -1748,6 +1765,23 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3a822ea5bc7590f9d40f1ba12c0dc3c2760f3482c6984db1573ad11031420831" +[[package]] +name = "clatter" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6fed49fa357a85c377c0f920e86100f5326111b09ad69f6de684e324e3ad8097" +dependencies = [ + "aes-gcm", + "arrayvec", + "displaydoc", + "getrandom 0.3.4", + "rand_core 0.6.4", + "sha2 0.10.9", + "thiserror-no-std", + "x25519-dalek", + "zeroize", +] + [[package]] name = "clipboard-win" version = "5.4.1" @@ -2778,9 +2812,11 @@ dependencies = [ "anyhow", "arc-swap", "async-trait", + "aws-lc-rs", "axum", "base64 0.22.1", "bytes", + "clatter", "codex-api", "codex-app-server-protocol", "codex-client", @@ -2808,6 +2844,7 @@ dependencies = [ "tokio-util", "toml 0.9.11+spec-1.1.0", "tracing", + "url", "uuid", "wiremock", ] @@ -4784,6 +4821,15 @@ version = "0.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "52560adf09603e58c9a7ee1fe1dcb95a16927b17c127f0ac02d6e768a0e25bc1" +[[package]] +name = "ctr" +version = "0.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0369ee1ad671834580515889b80f2ea915f23b8be8d0daa4bbaf2ac5c7590835" +dependencies = [ + "cipher", +] + [[package]] name = "ctutils" version = "0.4.2" @@ -6215,6 +6261,16 @@ dependencies = [ "wasip3", ] +[[package]] +name = "ghash" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0d8a4362ccb29cb0b265253fb0a2728f592895ee6854fd9bc13f2ffda266ff1" +dependencies = [ + "opaque-debug", + "polyval", +] + [[package]] name = "gif" version = "0.14.1" @@ -10091,6 +10147,18 @@ dependencies = [ "universal-hash", ] +[[package]] +name = "polyval" +version = "0.6.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d1fe60d06143b2430aa532c94cfe9e29783047f06c0d7fd359a9a51b729fa25" +dependencies = [ + "cfg-if", + "cpufeatures 0.2.17", + "opaque-debug", + "universal-hash", +] + [[package]] name = "portable-atomic" version = "1.13.1" @@ -11477,7 +11545,7 @@ dependencies = [ "security-framework 3.5.1", "security-framework-sys", "webpki-root-certs", - "windows-sys 0.52.0", + "windows-sys 0.61.2", ] [[package]] @@ -13151,6 +13219,26 @@ dependencies = [ "syn 2.0.114", ] +[[package]] +name = "thiserror-impl-no-std" +version = "2.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "58e6318948b519ba6dc2b442a6d0b904ebfb8d411a3ad3e07843615a72249758" +dependencies = [ + "proc-macro2", + "quote", + "syn 1.0.109", +] + +[[package]] +name = "thiserror-no-std" +version = "2.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a3ad459d94dd517257cc96add8a43190ee620011bb6e6cdc82dafd97dfafafea" +dependencies = [ + "thiserror-impl-no-std", +] + [[package]] name = "thread_local" version = "1.1.9" diff --git a/codex-rs/Cargo.toml b/codex-rs/Cargo.toml index 59d161958d3..828ad69dbd1 100644 --- a/codex-rs/Cargo.toml +++ b/codex-rs/Cargo.toml @@ -261,6 +261,7 @@ async-stream = "0.3.6" async-trait = "0.1.89" aws-config = "1" aws-credential-types = "1" +aws-lc-rs = { version = "=1.16.2", default-features = false, features = ["non-fips"] } aws-sigv4 = "1" aws-types = "1" axum = { version = "0.8", default-features = false } @@ -271,6 +272,13 @@ chardetng = "0.1.17" chrono = "0.4.43" clap = "4" clap_complete = "4" +clatter = { version = "2.2.0", default-features = false, features = [ + "alloc", + "getrandom", + "use-25519", + "use-aes-gcm", + "use-sha", +] } color-eyre = "0.6.3" constant_time_eq = "0.3.1" crossbeam-channel = "0.5.15" diff --git a/codex-rs/exec-server/Cargo.toml b/codex-rs/exec-server/Cargo.toml index d842094a162..7ed185baaf2 100644 --- a/codex-rs/exec-server/Cargo.toml +++ b/codex-rs/exec-server/Cargo.toml @@ -13,9 +13,11 @@ workspace = true [dependencies] arc-swap = { workspace = true } async-trait = { workspace = true } +aws-lc-rs = { workspace = true } axum = { workspace = true, features = ["http1", "tokio", "ws"] } base64 = { workspace = true } bytes = { workspace = true } +clatter = { workspace = true } codex-app-server-protocol = { workspace = true } codex-api = { workspace = true } codex-client = { workspace = true } diff --git a/codex-rs/exec-server/src/aws_lc_ml_kem.rs b/codex-rs/exec-server/src/aws_lc_ml_kem.rs new file mode 100644 index 00000000000..c177dd1233b --- /dev/null +++ b/codex-rs/exec-server/src/aws_lc_ml_kem.rs @@ -0,0 +1,90 @@ +use aws_lc_rs::kem::Ciphertext; +use aws_lc_rs::kem::DecapsulationKey; +use aws_lc_rs::kem::EncapsulationKey; +use aws_lc_rs::kem::ML_KEM_768; +use clatter::KeyPair; +use clatter::bytearray::ByteArray; +use clatter::bytearray::HeapArray; +use clatter::bytearray::SensitiveByteArray; +use clatter::error::KemError; +use clatter::error::KemResult; +use clatter::traits::CryptoComponent; +use clatter::traits::Kem; +use clatter::traits::Rng; + +pub(super) const PUBLIC_KEY_LEN: usize = 1184; +const SECRET_KEY_LEN: usize = 2400; +const CIPHERTEXT_LEN: usize = 1088; +const SHARED_SECRET_LEN: usize = 32; + +/// ML-KEM-768 implementation backed by AWS-LC through `aws-lc-rs`. +#[derive(Clone)] +pub(super) struct AwsLcMlKem768; + +impl CryptoComponent for AwsLcMlKem768 { + fn name() -> &'static str { + "MLKEM768" + } +} + +impl Kem for AwsLcMlKem768 { + type SecretKey = SensitiveByteArray>; + type PubKey = HeapArray; + type Ct = HeapArray; + type Ss = SensitiveByteArray<[u8; SHARED_SECRET_LEN]>; + + fn genkey_rng(_rng: &mut R) -> KemResult> { + // AWS-LC owns ML-KEM key-generation randomness internally, so + // Clatter's injectable RNG cannot be plumbed through this provider. + let decapsulation_key = + DecapsulationKey::generate(&ML_KEM_768).map_err(|_| KemError::KeyGeneration)?; + let encapsulation_key = decapsulation_key + .encapsulation_key() + .map_err(|_| KemError::KeyGeneration)?; + let public = encapsulation_key + .key_bytes() + .map_err(|_| KemError::KeyGeneration)?; + let secret = decapsulation_key + .key_bytes() + .map_err(|_| KemError::KeyGeneration)?; + + Ok(KeyPair { + public: Self::PubKey::from_slice(public.as_ref()), + secret: Self::SecretKey::from_slice(secret.as_ref()), + }) + } + + fn encapsulate(pk: &[u8], _rng: &mut R) -> KemResult<(Self::Ct, Self::Ss)> { + let encapsulation_key = + EncapsulationKey::new(&ML_KEM_768, pk).map_err(|_| KemError::Input)?; + let (ciphertext, shared_secret) = encapsulation_key + .encapsulate() + .map_err(|_| KemError::Encapsulation)?; + + Ok(( + Self::Ct::from_slice(ciphertext.as_ref()), + Self::Ss::from_slice(shared_secret.as_ref()), + )) + } + + fn decapsulate(ct: &[u8], sk: &[u8]) -> KemResult { + // Reject the length before constructing AWS-LC's ciphertext wrapper. + // This keeps malformed wire input classified as an input error rather + // than relying on provider-specific decapsulation behavior. + if ct.len() != CIPHERTEXT_LEN { + return Err(KemError::Input); + } + + let decapsulation_key = + DecapsulationKey::new(&ML_KEM_768, sk).map_err(|_| KemError::Input)?; + let shared_secret = decapsulation_key + .decapsulate(Ciphertext::from(ct)) + .map_err(|_| KemError::Decapsulation)?; + + Ok(Self::Ss::from_slice(shared_secret.as_ref())) + } +} + +#[cfg(test)] +#[path = "aws_lc_ml_kem_tests.rs"] +mod tests; diff --git a/codex-rs/exec-server/src/aws_lc_ml_kem_tests.rs b/codex-rs/exec-server/src/aws_lc_ml_kem_tests.rs new file mode 100644 index 00000000000..281baf404f5 --- /dev/null +++ b/codex-rs/exec-server/src/aws_lc_ml_kem_tests.rs @@ -0,0 +1,31 @@ +use clatter::bytearray::ByteArray; +use clatter::traits::Kem; +use pretty_assertions::assert_eq; + +use super::AwsLcMlKem768; + +#[test] +fn kem_roundtrip() { + let keypair = AwsLcMlKem768::genkey().expect("generate keypair"); + let mut rng = clatter::crypto::rng::DefaultRng; + let (ciphertext, encapsulated_secret) = + AwsLcMlKem768::encapsulate(keypair.public.as_slice(), &mut rng).expect("encapsulate"); + let decapsulated_secret = + AwsLcMlKem768::decapsulate(ciphertext.as_slice(), keypair.secret.as_slice()) + .expect("decapsulate"); + + assert_eq!( + encapsulated_secret.as_slice(), + decapsulated_secret.as_slice() + ); +} + +#[test] +fn decapsulate_rejects_wrong_ciphertext_length() { + let keypair = AwsLcMlKem768::genkey().expect("generate keypair"); + + let error = AwsLcMlKem768::decapsulate(&[], keypair.secret.as_slice()) + .expect_err("empty ciphertext should be rejected"); + + assert!(matches!(error, clatter::error::KemError::Input)); +} diff --git a/codex-rs/exec-server/src/lib.rs b/codex-rs/exec-server/src/lib.rs index dea039c2883..b774452441d 100644 --- a/codex-rs/exec-server/src/lib.rs +++ b/codex-rs/exec-server/src/lib.rs @@ -1,3 +1,4 @@ +mod aws_lc_ml_kem; mod client; mod client_api; mod client_transport; @@ -11,6 +12,7 @@ mod fs_helper_main; mod fs_sandbox; mod local_file_system; mod local_process; +mod noise_channel; mod process; mod process_id; mod protocol; @@ -51,6 +53,9 @@ pub use fs_helper::CODEX_FS_HELPER_ARG1; pub use fs_helper_main::main as run_fs_helper_main; pub use local_file_system::LOCAL_FS; pub use local_file_system::LocalFileSystem; +pub use noise_channel::NoiseChannelError; +pub use noise_channel::NoiseChannelIdentity; +pub use noise_channel::NoiseChannelPublicKey; pub use process::ExecBackend; pub use process::ExecProcess; pub use process::ExecProcessEvent; diff --git a/codex-rs/exec-server/src/noise_channel.rs b/codex-rs/exec-server/src/noise_channel.rs new file mode 100644 index 00000000000..036129b1fdd --- /dev/null +++ b/codex-rs/exec-server/src/noise_channel.rs @@ -0,0 +1,379 @@ +//! Narrow, misuse-resistant wrapper around the Clatter primitives used by the +//! remote exec-server relay. +//! +//! The harness is the Noise hybrid-IK initiator and pins the registry-provided +//! exec-server static public key. The exec-server is the responder; after it +//! reads the first IK message, Noise exposes the authenticated harness static +//! public key for registry authorization. Application data is allowed only +//! after both the cryptographic handshake and that external authorization pass. + +use base64::Engine; +use base64::engine::general_purpose::STANDARD; +use clatter::HybridHandshake; +use clatter::HybridHandshakeParams; +use clatter::KeyPair; +use clatter::bytearray::ByteArray; +use clatter::constants::MAX_MESSAGE_LEN; +use clatter::crypto::cipher::AesGcm; +use clatter::crypto::dh::X25519; +use clatter::crypto::hash::Sha256; +use clatter::handshakepattern::noise_hybrid_ik; +use clatter::traits::Cipher; +use clatter::traits::Dh; +use clatter::traits::Handshaker; +use clatter::traits::Kem; +use clatter::transportstate::TransportState; +use serde::Deserialize; +use serde::Serialize; + +use crate::aws_lc_ml_kem::AwsLcMlKem768; +use crate::aws_lc_ml_kem::PUBLIC_KEY_LEN as MLKEM768_PUBLIC_KEY_LEN; + +pub const NOISE_CHANNEL_SUITE: &str = "Noise_hybridIK_X25519+MLKEM768_AESGCM_SHA256"; + +const X25519_PUBLIC_KEY_LEN: usize = 32; +const MAX_TRANSPORT_RECORDS_PER_DIRECTION: u64 = u32::MAX as u64; +const PROLOGUE_DOMAIN: &[u8] = b"codex-exec-server-relay-noise/v1"; + +type Handshake = HybridHandshake; +type Transport = TransportState; +type DhKeyPair = KeyPair<::PubKey, ::PrivateKey>; +type KemKeyPair = KeyPair<::PubKey, ::SecretKey>; + +/// Public key material for the exec-server Noise-over-relay suite. +/// +/// The suite field is part of the serialized contract. A key from a different +/// suite must not be interpreted as compatible merely because one component has +/// a familiar byte length. +#[derive(Clone, Eq, PartialEq, Serialize, Deserialize)] +#[serde(deny_unknown_fields)] +pub struct NoiseChannelPublicKey { + suite: String, + x25519_public_key: String, + mlkem768_public_key: String, +} + +impl std::fmt::Debug for NoiseChannelPublicKey { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + f.debug_struct("NoiseChannelPublicKey") + .field("suite", &self.suite) + .field("x25519_public_key", &"") + .field("mlkem768_public_key", &"") + .finish() + } +} + +impl NoiseChannelPublicKey { + /// Validate suite selection, encoding, and exact key lengths. + pub fn validate(&self) -> Result<(), NoiseChannelError> { + let _ = self.decode()?; + Ok(()) + } + + fn from_keypairs(dh: &DhKeyPair, kem: &KemKeyPair) -> Self { + Self { + suite: NOISE_CHANNEL_SUITE.to_string(), + x25519_public_key: STANDARD.encode(dh.public), + mlkem768_public_key: STANDARD.encode(kem.public.as_slice()), + } + } + + fn from_raw(dh: &::PubKey, kem: &::PubKey) -> Self { + Self { + suite: NOISE_CHANNEL_SUITE.to_string(), + x25519_public_key: STANDARD.encode(dh), + mlkem768_public_key: STANDARD.encode(kem.as_slice()), + } + } + + fn decode( + &self, + ) -> Result<(::PubKey, ::PubKey), NoiseChannelError> { + if self.suite != NOISE_CHANNEL_SUITE { + return Err(NoiseChannelError::InvalidPublicKey( + "unsupported Noise channel suite", + )); + } + let dh = STANDARD + .decode(&self.x25519_public_key) + .map_err(|_| NoiseChannelError::InvalidPublicKey("invalid X25519 public key"))?; + let dh: [u8; X25519_PUBLIC_KEY_LEN] = dh + .try_into() + .map_err(|_| NoiseChannelError::InvalidPublicKey("invalid X25519 public key length"))?; + let kem = STANDARD + .decode(&self.mlkem768_public_key) + .map_err(|_| NoiseChannelError::InvalidPublicKey("invalid ML-KEM-768 public key"))?; + if kem.len() != MLKEM768_PUBLIC_KEY_LEN { + return Err(NoiseChannelError::InvalidPublicKey( + "invalid ML-KEM-768 public key length", + )); + } + + Ok(( + dh, + ::PubKey::from_slice(kem.as_slice()), + )) + } +} + +/// Endpoint-local static identity for the exec-server Noise-over-relay suite. +/// +/// Private components never cross the process boundary. Cloning is used only to +/// construct Clatter handshake state for reconnects within the same process. +#[derive(Clone)] +pub struct NoiseChannelIdentity { + dh: DhKeyPair, + kem: KemKeyPair, +} + +impl std::fmt::Debug for NoiseChannelIdentity { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + f.debug_struct("NoiseChannelIdentity") + .field("public_key", &self.public_key()) + .finish_non_exhaustive() + } +} + +impl NoiseChannelIdentity { + /// Generate independent classical and post-quantum static keypairs. + pub fn generate() -> Result { + let dh = X25519::genkey() + .map_err(|error| NoiseChannelError::KeyGeneration(error.to_string()))?; + let kem = AwsLcMlKem768::genkey() + .map_err(|error| NoiseChannelError::KeyGeneration(error.to_string()))?; + Ok(Self { dh, kem }) + } + + /// Return the distributable public half of this endpoint identity. + pub fn public_key(&self) -> NoiseChannelPublicKey { + NoiseChannelPublicKey::from_keypairs(&self.dh, &self.kem) + } +} + +pub(crate) struct InitiatorHandshake { + handshake: Handshake, +} + +impl InitiatorHandshake { + /// Start hybrid IK while pinning the expected responder static key. + /// + /// `payload` is encrypted by the first IK message. The relay uses it for + /// the short-lived registry authorization naming this harness public key. + pub(crate) fn start( + identity: &NoiseChannelIdentity, + responder_public_key: &NoiseChannelPublicKey, + prologue: &[u8], + payload: &[u8], + ) -> Result<(Self, Vec), NoiseChannelError> { + let (responder_dh, responder_kem) = responder_public_key.decode()?; + + // IK authenticates both static identities. Supplying both responder + // components here is what makes a misrouted or impersonating + // exec-server fail before any JSON-RPC plaintext is released. + let params = HybridHandshakeParams::new(noise_hybrid_ik(), true) + .with_prologue(prologue) + .with_s(identity.dh.clone()) + .with_s_kem(identity.kem.clone()) + .with_rs(responder_dh) + .with_rs_kem(responder_kem); + let mut handshake = Handshake::new(params)?; + let mut output = [0u8; MAX_MESSAGE_LEN]; + let output_len = handshake.write_message(payload, &mut output)?; + Ok((Self { handshake }, output[..output_len].to_vec())) + } + + /// Consume the responder message and enter transport mode. + /// + /// The responder message carries no application payload in v1. Rejecting + /// one keeps future protocol additions from becoming an implicit channel. + pub(crate) fn finish(mut self, response: &[u8]) -> Result { + ensure_noise_frame_len(response.len(), "handshake response is too large")?; + let mut payload = [0u8; MAX_MESSAGE_LEN]; + let payload_len = self.handshake.read_message(response, &mut payload)?; + if payload_len != 0 { + return Err(NoiseChannelError::InvalidMessage( + "handshake response payload must be empty", + )); + } + Ok(NoiseTransport { + transport: self.handshake.finalize()?, + }) + } +} + +pub(crate) struct PendingResponderHandshake { + handshake: Handshake, + initiator_public_key: NoiseChannelPublicKey, + payload: Vec, +} + +impl PendingResponderHandshake { + /// Authenticate and parse the first IK message without completing it. + /// + /// This split is intentional: callers must authorize `initiator_public_key` + /// with the registry before calling [`Self::complete`]. + pub(crate) fn read_request( + identity: &NoiseChannelIdentity, + prologue: &[u8], + request: &[u8], + ) -> Result { + ensure_noise_frame_len(request.len(), "handshake request is too large")?; + let params = HybridHandshakeParams::new(noise_hybrid_ik(), false) + .with_prologue(prologue) + .with_s(identity.dh.clone()) + .with_s_kem(identity.kem.clone()); + let mut handshake = Handshake::new(params)?; + let mut payload = [0u8; MAX_MESSAGE_LEN]; + let payload_len = handshake.read_message(request, &mut payload)?; + // Clatter exposes the initiator static key only after the first IK + // message authenticates and decrypts successfully. + let remote = handshake + .get_remote_static() + .ok_or(NoiseChannelError::InvalidMessage( + "handshake request is missing initiator static key", + ))?; + Ok(Self { + handshake, + initiator_public_key: NoiseChannelPublicKey::from_raw(remote.dh(), remote.kem()), + payload: payload[..payload_len].to_vec(), + }) + } + + pub(crate) fn initiator_public_key(&self) -> &NoiseChannelPublicKey { + &self.initiator_public_key + } + + /// Move the authenticated first-message payload out of pending state. + /// + /// The v1 payload is a short-lived registry authorization and is not + /// needed to complete the handshake. Moving it avoids retaining a second + /// copy while external authorization is in flight. + pub(crate) fn take_payload(&mut self) -> Vec { + std::mem::take(&mut self.payload) + } + + /// Finish the responder handshake after external harness authorization. + pub(crate) fn complete(mut self) -> Result<(NoiseTransport, Vec), NoiseChannelError> { + let mut response = [0u8; MAX_MESSAGE_LEN]; + let response_len = self.handshake.write_message(&[], &mut response)?; + Ok(( + NoiseTransport { + transport: self.handshake.finalize()?, + }, + response[..response_len].to_vec(), + )) + } +} + +pub(crate) struct NoiseTransport { + transport: Transport, +} + +impl NoiseTransport { + /// Encrypt exactly one ordered transport record. + /// + /// The caller owns relay sequence assignment and must never encrypt the + /// same logical record twice under different transport nonces. + pub(crate) fn encrypt(&mut self, plaintext: &[u8]) -> Result, NoiseChannelError> { + if self.transport.sending_nonce() >= MAX_TRANSPORT_RECORDS_PER_DIRECTION { + return Err(NoiseChannelError::InvalidState( + "transport record nonce exhausted", + )); + } + let frame_len = plaintext.len().checked_add(AesGcm::tag_len()).ok_or( + NoiseChannelError::InvalidMessage("transport plaintext is too large"), + )?; + ensure_noise_frame_len(frame_len, "transport plaintext is too large")?; + Ok(self.transport.send_vec(plaintext)?) + } + + /// Decrypt exactly the next ordered transport record. + /// + /// Clatter advances the receiving nonce during this call, so callers must + /// reorder and deduplicate relay frames before invoking it. + pub(crate) fn decrypt(&mut self, ciphertext: &[u8]) -> Result, NoiseChannelError> { + if self.transport.receiving_nonce() >= MAX_TRANSPORT_RECORDS_PER_DIRECTION { + return Err(NoiseChannelError::InvalidState( + "transport record nonce exhausted", + )); + } + if ciphertext.len() < AesGcm::tag_len() { + return Err(NoiseChannelError::InvalidMessage( + "transport ciphertext is too short", + )); + } + ensure_noise_frame_len(ciphertext.len(), "transport ciphertext is too large")?; + Ok(self.transport.receive_vec(ciphertext)?) + } +} + +/// Build the transcript prologue that binds cryptographic identity to routing. +/// +/// A handshake captured from one environment, exec-server registration, or +/// relay stream cannot be replayed into another because every participant must +/// construct the same prologue before the first Noise message is processed. +pub(crate) fn noise_channel_prologue( + environment_id: &str, + executor_registration_id: &str, + stream_id: &str, +) -> Result, NoiseChannelError> { + let mut prologue = Vec::new(); + append_prologue_part(&mut prologue, PROLOGUE_DOMAIN)?; + append_prologue_part(&mut prologue, environment_id.as_bytes())?; + append_prologue_part(&mut prologue, executor_registration_id.as_bytes())?; + append_prologue_part(&mut prologue, stream_id.as_bytes())?; + Ok(prologue) +} + +fn append_prologue_part(prologue: &mut Vec, part: &[u8]) -> Result<(), NoiseChannelError> { + // Length prefixes make component boundaries unambiguous. Raw concatenation + // would allow different identifier tuples to produce the same prologue. + let len = u32::try_from(part.len()).map_err(|_| { + NoiseChannelError::InvalidMessage("Noise channel prologue part is too large") + })?; + prologue.extend_from_slice(&len.to_be_bytes()); + prologue.extend_from_slice(part); + Ok(()) +} + +fn ensure_noise_frame_len( + frame_len: usize, + message: &'static str, +) -> Result<(), NoiseChannelError> { + if frame_len > MAX_MESSAGE_LEN { + return Err(NoiseChannelError::InvalidMessage(message)); + } + Ok(()) +} + +#[derive(Debug, thiserror::Error)] +pub enum NoiseChannelError { + #[error("Noise channel key generation failed: {0}")] + KeyGeneration(String), + #[error("invalid Noise channel public key: {0}")] + InvalidPublicKey(&'static str), + #[error("invalid Noise channel state: {0}")] + InvalidState(&'static str), + #[error("invalid Noise channel message: {0}")] + InvalidMessage(&'static str), + #[error("Noise channel handshake failed: {0}")] + Handshake(String), + #[error("Noise channel transport failed: {0}")] + Transport(String), +} + +impl From for NoiseChannelError { + fn from(error: clatter::error::HandshakeError) -> Self { + Self::Handshake(error.to_string()) + } +} + +impl From for NoiseChannelError { + fn from(error: clatter::error::TransportError) -> Self { + Self::Transport(error.to_string()) + } +} + +#[cfg(test)] +#[path = "noise_channel_tests.rs"] +mod tests; diff --git a/codex-rs/exec-server/src/noise_channel_tests.rs b/codex-rs/exec-server/src/noise_channel_tests.rs new file mode 100644 index 00000000000..5034420c2cb --- /dev/null +++ b/codex-rs/exec-server/src/noise_channel_tests.rs @@ -0,0 +1,252 @@ +use pretty_assertions::assert_eq; + +use super::InitiatorHandshake; +use super::MAX_TRANSPORT_RECORDS_PER_DIRECTION; +use super::NOISE_CHANNEL_SUITE; +use super::NoiseChannelError; +use super::NoiseChannelIdentity; +use super::NoiseChannelPublicKey; +use super::PendingResponderHandshake; +use super::noise_channel_prologue; + +#[test] +fn hybrid_ik_roundtrip_authenticates_both_endpoints() { + let initiator = NoiseChannelIdentity::generate().expect("generate initiator identity"); + let responder = NoiseChannelIdentity::generate().expect("generate responder identity"); + let prologue = + noise_channel_prologue("env-1", "registration-1", "stream-1").expect("build prologue"); + let authorization = b"harness-key-authorization"; + + let (initiator_handshake, request) = InitiatorHandshake::start( + &initiator, + &responder.public_key(), + &prologue, + authorization, + ) + .expect("start initiator handshake"); + let mut responder_handshake = + PendingResponderHandshake::read_request(&responder, &prologue, &request) + .expect("read responder handshake"); + + assert_eq!( + responder_handshake.initiator_public_key(), + &initiator.public_key() + ); + assert_eq!(responder_handshake.take_payload(), authorization); + + let (mut responder_transport, response) = responder_handshake + .complete() + .expect("complete responder handshake"); + let mut initiator_transport = initiator_handshake + .finish(&response) + .expect("complete initiator handshake"); + + let request_ciphertext = initiator_transport + .encrypt(b"request") + .expect("encrypt request"); + assert_ne!(request_ciphertext, b"request"); + assert_eq!( + responder_transport + .decrypt(&request_ciphertext) + .expect("decrypt request"), + b"request" + ); + + let response_ciphertext = responder_transport + .encrypt(b"response") + .expect("encrypt response"); + assert_ne!(response_ciphertext, b"response"); + assert_eq!( + initiator_transport + .decrypt(&response_ciphertext) + .expect("decrypt response"), + b"response" + ); +} + +#[test] +fn initiator_rejects_wrong_responder_key() { + let initiator = NoiseChannelIdentity::generate().expect("generate initiator identity"); + let expected_responder = NoiseChannelIdentity::generate().expect("generate expected identity"); + let actual_responder = NoiseChannelIdentity::generate().expect("generate actual identity"); + let prologue = + noise_channel_prologue("env-1", "registration-1", "stream-1").expect("build prologue"); + + let (_initiator_handshake, request) = InitiatorHandshake::start( + &initiator, + &expected_responder.public_key(), + &prologue, + b"authorization", + ) + .expect("start initiator handshake"); + + assert!( + PendingResponderHandshake::read_request(&actual_responder, &prologue, &request).is_err() + ); +} + +#[test] +fn responder_rejects_mismatched_prologue() { + let initiator = NoiseChannelIdentity::generate().expect("generate initiator identity"); + let responder = NoiseChannelIdentity::generate().expect("generate responder identity"); + let initiator_prologue = + noise_channel_prologue("env-1", "registration-1", "stream-1").expect("build prologue"); + let responder_prologue = + noise_channel_prologue("env-1", "registration-1", "stream-2").expect("build prologue"); + let (_initiator_handshake, request) = InitiatorHandshake::start( + &initiator, + &responder.public_key(), + &initiator_prologue, + b"authorization", + ) + .expect("start initiator handshake"); + + assert!( + PendingResponderHandshake::read_request(&responder, &responder_prologue, &request).is_err() + ); +} + +#[test] +fn prologue_encoding_is_stable_and_unambiguous() { + let prologue = + noise_channel_prologue("env-1", "registration-1", "stream-1").expect("build prologue"); + + assert_eq!( + prologue, + b"\x00\x00\x00\x20codex-exec-server-relay-noise/v1\ + \x00\x00\x00\x05env-1\ + \x00\x00\x00\x0eregistration-1\ + \x00\x00\x00\x08stream-1" + .to_vec() + ); +} + +#[test] +fn transport_rejects_tampered_ciphertext() { + let initiator = NoiseChannelIdentity::generate().expect("generate initiator identity"); + let responder = NoiseChannelIdentity::generate().expect("generate responder identity"); + let prologue = + noise_channel_prologue("env-1", "registration-1", "stream-1").expect("build prologue"); + let (initiator_handshake, request) = InitiatorHandshake::start( + &initiator, + &responder.public_key(), + &prologue, + b"authorization", + ) + .expect("start initiator handshake"); + let responder_handshake = + PendingResponderHandshake::read_request(&responder, &prologue, &request) + .expect("read responder handshake"); + let (mut responder_transport, response) = responder_handshake + .complete() + .expect("complete responder handshake"); + let mut initiator_transport = initiator_handshake + .finish(&response) + .expect("complete initiator handshake"); + let mut ciphertext = initiator_transport + .encrypt(b"request") + .expect("encrypt request"); + ciphertext[0] ^= 1; + + assert!(responder_transport.decrypt(&ciphertext).is_err()); +} + +#[test] +fn transport_rejects_exhausted_receiving_nonce_before_decryption() { + let initiator = NoiseChannelIdentity::generate().expect("generate initiator identity"); + let responder = NoiseChannelIdentity::generate().expect("generate responder identity"); + let prologue = + noise_channel_prologue("env-1", "registration-1", "stream-1").expect("build prologue"); + let (initiator_handshake, request) = InitiatorHandshake::start( + &initiator, + &responder.public_key(), + &prologue, + b"authorization", + ) + .expect("start initiator handshake"); + let responder_handshake = + PendingResponderHandshake::read_request(&responder, &prologue, &request) + .expect("read responder handshake"); + let (mut responder_transport, response) = responder_handshake + .complete() + .expect("complete responder handshake"); + let mut initiator_transport = initiator_handshake + .finish(&response) + .expect("complete initiator handshake"); + let ciphertext = initiator_transport + .encrypt(b"request") + .expect("encrypt request"); + responder_transport + .transport + .set_receiving_nonce(MAX_TRANSPORT_RECORDS_PER_DIRECTION); + + assert!(matches!( + responder_transport.decrypt(&ciphertext), + Err(NoiseChannelError::InvalidState( + "transport record nonce exhausted" + )) + )); +} + +#[test] +fn transport_rejects_replayed_ciphertext() { + let initiator = NoiseChannelIdentity::generate().expect("generate initiator identity"); + let responder = NoiseChannelIdentity::generate().expect("generate responder identity"); + let prologue = + noise_channel_prologue("env-1", "registration-1", "stream-1").expect("build prologue"); + let (initiator_handshake, request) = InitiatorHandshake::start( + &initiator, + &responder.public_key(), + &prologue, + b"authorization", + ) + .expect("start initiator handshake"); + let responder_handshake = + PendingResponderHandshake::read_request(&responder, &prologue, &request) + .expect("read responder handshake"); + let (mut responder_transport, response) = responder_handshake + .complete() + .expect("complete responder handshake"); + let mut initiator_transport = initiator_handshake + .finish(&response) + .expect("complete initiator handshake"); + let ciphertext = initiator_transport + .encrypt(b"request") + .expect("encrypt request"); + + assert_eq!( + responder_transport + .decrypt(&ciphertext) + .expect("decrypt request"), + b"request" + ); + assert!(matches!( + responder_transport.decrypt(&ciphertext), + Err(NoiseChannelError::Transport(_)) + )); +} + +#[test] +fn public_key_validation_rejects_unknown_suite() { + let key = NoiseChannelIdentity::generate() + .expect("generate identity") + .public_key(); + let json = serde_json::to_value(key).expect("serialize key"); + let mut object = json.as_object().expect("key object").clone(); + object.insert("suite".to_string(), serde_json::json!("unknown")); + let key: NoiseChannelPublicKey = + serde_json::from_value(serde_json::Value::Object(object)).expect("deserialize key"); + + assert!(key.validate().is_err()); +} + +#[test] +fn public_key_serializes_with_expected_suite() { + let key = NoiseChannelIdentity::generate() + .expect("generate identity") + .public_key(); + + let json = serde_json::to_value(key).expect("serialize key"); + + assert_eq!(json["suite"], NOISE_CHANNEL_SUITE); +} diff --git a/codex-rs/exec-server/src/proto/codex.exec_server.relay.v1.proto b/codex-rs/exec-server/src/proto/codex.exec_server.relay.v1.proto index 46527d80ccd..3de1bfbe997 100644 --- a/codex-rs/exec-server/src/proto/codex.exec_server.relay.v1.proto +++ b/codex-rs/exec-server/src/proto/codex.exec_server.relay.v1.proto @@ -14,6 +14,7 @@ message RelayMessageFrame { RelayResume resume = 7; RelayReset reset = 8; RelayHeartbeat heartbeat = 9; + RelayHandshake handshake = 10; } } @@ -35,3 +36,7 @@ message RelayReset { } message RelayHeartbeat {} + +message RelayHandshake { + bytes payload = 1; +} diff --git a/codex-rs/exec-server/src/proto/codex.exec_server.relay.v1.rs b/codex-rs/exec-server/src/proto/codex.exec_server.relay.v1.rs index 072a003dacf..f65e1329f53 100644 --- a/codex-rs/exec-server/src/proto/codex.exec_server.relay.v1.rs +++ b/codex-rs/exec-server/src/proto/codex.exec_server.relay.v1.rs @@ -9,7 +9,7 @@ pub struct RelayMessageFrame { pub ack: u32, #[prost(uint32, tag = "4")] pub ack_bits: u32, - #[prost(oneof = "relay_message_frame::Body", tags = "5, 6, 7, 8, 9")] + #[prost(oneof = "relay_message_frame::Body", tags = "5, 6, 7, 8, 9, 10")] pub body: ::core::option::Option, } pub mod relay_message_frame { @@ -25,6 +25,8 @@ pub mod relay_message_frame { Reset(super::RelayReset), #[prost(message, tag = "9")] Heartbeat(super::RelayHeartbeat), + #[prost(message, tag = "10")] + Handshake(super::RelayHandshake), } } #[derive(Clone, PartialEq, ::prost::Message)] @@ -52,3 +54,8 @@ pub struct RelayReset { } #[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)] pub struct RelayHeartbeat {} +#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)] +pub struct RelayHandshake { + #[prost(bytes = "vec", tag = "1")] + pub payload: ::prost::alloc::vec::Vec, +} diff --git a/codex-rs/exec-server/src/relay.rs b/codex-rs/exec-server/src/relay.rs index ae07d7652cb..04c5e5061ec 100644 --- a/codex-rs/exec-server/src/relay.rs +++ b/codex-rs/exec-server/src/relay.rs @@ -22,24 +22,29 @@ use crate::connection::JsonRpcConnection; use crate::connection::JsonRpcConnectionEvent; use crate::connection::JsonRpcTransport; use crate::relay_proto::RelayData; +use crate::relay_proto::RelayHandshake; use crate::relay_proto::RelayMessageFrame; +use crate::relay_proto::RelayReset; use crate::relay_proto::RelayResume; use crate::relay_proto::relay_message_frame; use crate::server::ConnectionProcessor; const RELAY_MESSAGE_FRAME_VERSION: u32 = 1; +const MAX_RELAY_RESET_REASON_BYTES: usize = 256; +const MAX_RELAY_STREAM_ID_BYTES: usize = 128; #[derive(Debug, Clone, Copy, Eq, PartialEq)] -enum RelayFrameBodyKind { +pub(crate) enum RelayFrameBodyKind { Data, Ack, Resume, Reset, Heartbeat, + Handshake, } impl RelayMessageFrame { - fn data(stream_id: String, seq: u32, payload: Vec) -> Self { + pub(crate) fn data(stream_id: String, seq: u32, payload: Vec) -> Self { Self { version: RELAY_MESSAGE_FRAME_VERSION, stream_id, @@ -54,7 +59,7 @@ impl RelayMessageFrame { } } - fn resume(stream_id: String) -> Self { + pub(crate) fn resume(stream_id: String) -> Self { Self { version: RELAY_MESSAGE_FRAME_VERSION, stream_id, @@ -66,18 +71,55 @@ impl RelayMessageFrame { } } - fn validate(&self) -> Result { + pub(crate) fn handshake(stream_id: String, payload: Vec) -> Self { + Self { + version: RELAY_MESSAGE_FRAME_VERSION, + stream_id, + ack: 0, + ack_bits: 0, + body: Some(relay_message_frame::Body::Handshake(RelayHandshake { + payload, + })), + } + } + + pub(crate) fn reset(stream_id: String, reason: String) -> Self { + Self { + version: RELAY_MESSAGE_FRAME_VERSION, + stream_id, + ack: 0, + ack_bits: 0, + body: Some(relay_message_frame::Body::Reset(RelayReset { reason })), + } + } + + /// Validate cleartext routing metadata before a frame reaches either the + /// direct JSON-RPC parser or the Noise relay state machine. + /// + /// The encrypted path intentionally leaves this metadata visible to + /// rendezvous, so it must be canonical and tightly bounded everywhere. + pub(crate) fn validate(&self) -> Result { if self.version != RELAY_MESSAGE_FRAME_VERSION { return Err(ExecServerError::Protocol(format!( "unsupported relay message frame version {}", self.version ))); } - if self.stream_id.trim().is_empty() { + if self.stream_id.is_empty() { return Err(ExecServerError::Protocol( "relay message frame is missing stream_id".to_string(), )); } + if self.stream_id.trim() != self.stream_id { + return Err(ExecServerError::Protocol( + "relay message frame stream_id is not canonical".to_string(), + )); + } + if self.stream_id.len() > MAX_RELAY_STREAM_ID_BYTES { + return Err(ExecServerError::Protocol( + "relay message frame stream_id is too long".to_string(), + )); + } match self.body.as_ref() { Some(relay_message_frame::Body::Data(data)) => { if data.segment_index != 0 || data.segment_count != 1 || data.payload.is_empty() { @@ -90,35 +132,64 @@ impl RelayMessageFrame { Some(relay_message_frame::Body::AckFrame(_)) => Ok(RelayFrameBodyKind::Ack), Some(relay_message_frame::Body::Resume(_)) => Ok(RelayFrameBodyKind::Resume), Some(relay_message_frame::Body::Reset(reset)) => { - if reset.reason.is_empty() { + if reset.reason.is_empty() || reset.reason.len() > MAX_RELAY_RESET_REASON_BYTES { return Err(ExecServerError::Protocol( - "relay reset message frame is missing reason".to_string(), + "relay reset message frame has invalid reason".to_string(), )); } Ok(RelayFrameBodyKind::Reset) } Some(relay_message_frame::Body::Heartbeat(_)) => Ok(RelayFrameBodyKind::Heartbeat), + Some(relay_message_frame::Body::Handshake(handshake)) => { + if handshake.payload.is_empty() { + return Err(ExecServerError::Protocol( + "relay handshake message frame is missing payload".to_string(), + )); + } + Ok(RelayFrameBodyKind::Handshake) + } None => Err(ExecServerError::Protocol( "relay message frame is missing body".to_string(), )), } } - fn into_jsonrpc_message(self) -> Result { + pub(crate) fn into_data(self) -> Result { let kind = self.validate()?; if kind != RelayFrameBodyKind::Data { return Err(ExecServerError::Protocol( "expected relay data message frame".to_string(), )); } - let payload = match self.body { - Some(relay_message_frame::Body::Data(data)) => data.payload, - _ => Vec::new(), - }; + match self.body { + Some(relay_message_frame::Body::Data(data)) => Ok(data), + _ => Err(ExecServerError::Protocol( + "expected relay data message frame".to_string(), + )), + } + } + + fn into_jsonrpc_message(self) -> Result { + let payload = self.into_data()?.payload; serde_json::from_slice(&payload).map_err(ExecServerError::Json) } - fn into_reset_reason(self) -> Option { + pub(crate) fn into_handshake_payload(self) -> Result, ExecServerError> { + let kind = self.validate()?; + if kind != RelayFrameBodyKind::Handshake { + return Err(ExecServerError::Protocol( + "expected relay handshake message frame".to_string(), + )); + } + match self.body { + Some(relay_message_frame::Body::Handshake(handshake)) => Ok(handshake.payload), + _ => Err(ExecServerError::Protocol( + "expected relay handshake message frame".to_string(), + )), + } + } + + pub(crate) fn into_reset_reason(self) -> Option { match self.body { Some(relay_message_frame::Body::Reset(reset)) if !reset.reason.is_empty() => { Some(reset.reason) @@ -128,16 +199,18 @@ impl RelayMessageFrame { } } -fn encode_relay_message_frame(frame: &RelayMessageFrame) -> Vec { +pub(crate) fn encode_relay_message_frame(frame: &RelayMessageFrame) -> Vec { frame.encode_to_vec() } -fn decode_relay_message_frame(payload: &[u8]) -> Result { +pub(crate) fn decode_relay_message_frame( + payload: &[u8], +) -> Result { RelayMessageFrame::decode(payload) .map_err(|err| ExecServerError::Protocol(format!("invalid relay message frame: {err}"))) } -fn jsonrpc_payload(message: &JSONRPCMessage) -> Result, ExecServerError> { +pub(crate) fn jsonrpc_payload(message: &JSONRPCMessage) -> Result, ExecServerError> { serde_json::to_vec(message).map_err(ExecServerError::Json) } @@ -253,7 +326,8 @@ where } RelayFrameBodyKind::Ack | RelayFrameBodyKind::Resume - | RelayFrameBodyKind::Heartbeat => {} + | RelayFrameBodyKind::Heartbeat + | RelayFrameBodyKind::Handshake => {} } } Some(Ok(Message::Close(_))) | None => { @@ -294,10 +368,22 @@ where incoming_rx, disconnected_rx, task_handles: vec![websocket_task], - transport: JsonRpcTransport::Plain, + transport: JsonRpcTransport::External, } } +/// Runs the backwards-compatible, cleartext multiplexed relay protocol. +/// +/// The physical websocket carries protobuf [`RelayMessageFrame`] values. Each +/// frame's `stream_id` selects an independent logical JSON-RPC connection, so a +/// single registered exec-server can serve multiple orchestrator sessions. +/// This runner intentionally preserves the protocol used before Noise relay +/// support was introduced. Callers must select the separate secure runner when +/// Noise protection was explicitly negotiated during registration. +/// +/// Relay framing is not an authentication boundary. Every frame is validated +/// before its routing metadata or payload is used, and malformed frames are +/// dropped without affecting the other virtual streams on the connection. pub(crate) async fn run_multiplexed_environment( stream: WebSocketStream, processor: ConnectionProcessor, @@ -310,6 +396,9 @@ pub(crate) async fn run_multiplexed_environment( let mut streams: HashMap = HashMap::new(); loop { + // Serialize all logical-stream writes through this task so only one + // owner writes to the physical websocket. Reads remain in the same + // select loop, which also keeps disconnect handling deterministic. let frame = tokio::select! { maybe_encoded = physical_outgoing_rx.recv() => { let Some(encoded) = maybe_encoded else { @@ -361,6 +450,11 @@ pub(crate) async fn run_multiplexed_environment( continue; } }; + + // A logical connection is created lazily on its first data + // frame. The connection processor owns the JSON-RPC lifecycle; + // this task only translates between relay and connection + // events. let stream = streams.entry(stream_id.clone()).or_insert_with(|| { spawn_virtual_stream( stream_id.clone(), @@ -382,24 +476,34 @@ pub(crate) async fn run_multiplexed_environment( stream.disconnect(frame.into_reset_reason()).await; } } + // These control frames are meaningful to other relay protocol + // variants. The legacy protocol has no resume or handshake state, + // so ignoring them preserves its existing wire behavior. RelayFrameBodyKind::Ack | RelayFrameBodyKind::Resume - | RelayFrameBodyKind::Heartbeat => {} + | RelayFrameBodyKind::Heartbeat + | RelayFrameBodyKind::Handshake => {} } } + // A physical disconnect ends every virtual connection. Notify each + // processor explicitly so requests do not remain live after the relay + // websocket has disappeared. for (_stream_id, stream) in streams { stream.disconnect(/*reason*/ None).await; } drop(physical_outgoing_tx); } +/// The exec-server-facing half of one logical connection on the shared relay. struct VirtualStream { incoming_tx: mpsc::Sender, disconnected_tx: watch::Sender, } impl VirtualStream { + /// Marks the logical connection disconnected and supplies the peer's reset + /// reason, when one was provided. async fn disconnect(self, reason: Option) { let _ = self.disconnected_tx.send(true); let _ = self @@ -409,6 +513,8 @@ impl VirtualStream { } } +/// Creates a logical JSON-RPC connection and forwards its outgoing messages +/// back to the physical relay writer as legacy cleartext data frames. fn spawn_virtual_stream( stream_id: String, processor: ConnectionProcessor, @@ -446,7 +552,7 @@ fn spawn_virtual_stream( incoming_rx, disconnected_rx, task_handles: vec![writer_task], - transport: JsonRpcTransport::Plain, + transport: JsonRpcTransport::External, }; tokio::spawn(async move { processor.run_connection(connection).await; @@ -476,6 +582,7 @@ mod tests { use futures::task::AtomicWaker; use tokio::net::TcpListener; use tokio::time::timeout; + use tokio_tungstenite::WebSocketStream; use tokio_tungstenite::accept_async; use tokio_tungstenite::connect_async; use tokio_tungstenite::tungstenite::Message; diff --git a/codex-rs/exec-server/src/relay_proto.rs b/codex-rs/exec-server/src/relay_proto.rs index b8a938b8c73..da7cb5296d4 100644 --- a/codex-rs/exec-server/src/relay_proto.rs +++ b/codex-rs/exec-server/src/relay_proto.rs @@ -2,6 +2,8 @@ mod generated; pub(crate) use generated::RelayData; +pub(crate) use generated::RelayHandshake; pub(crate) use generated::RelayMessageFrame; +pub(crate) use generated::RelayReset; pub(crate) use generated::RelayResume; pub(crate) use generated::relay_message_frame;