exec-server: remote opt-in

codex-rs/cli/Cargo.toml

@@ -19,7 +19,7 @@ workspace = true
 
 [dependencies]
 anyhow = { workspace = true }
-clap = { workspace = true, features = ["derive"] }
+clap = { workspace = true, features = ["derive", "env"] }
 clap_complete = { workspace = true }
 codex-app-server = { workspace = true }
 codex-app-server-daemon = { workspace = true }

codex-rs/cli/src/main.rs

@@ -542,6 +542,14 @@ struct ExecServerCommand {
     /// Use Agent Identity auth from CODEX_ACCESS_TOKEN for remote registration.
     #[arg(long = "use-agent-identity-auth", requires = "remote")]
     use_agent_identity_auth: bool,
+
+    /// Opt into Noise-encrypted remote relay communication.
+    #[arg(
+        long = "enable-noise",
+        env = "CODEX_EXEC_SERVER_ENABLE_NOISE",
+        requires = "remote"
+    )]
+    enable_noise: bool,
 }
 
 #[derive(Debug, clap::Subcommand)]
@@ -1611,6 +1619,9 @@ async fn run_exec_server_command(
         if let Some(name) = cmd.name {
             remote_config.name = name;
         }
+        if cmd.enable_noise {
+            remote_config.relay_protocol = codex_exec_server::RemoteRelayProtocol::Noise;
+        }
         codex_exec_server::run_remote_environment(remote_config, runtime_paths).await?;
         Ok(())
     } else {
@@ -3222,6 +3233,30 @@ mod tests {
             .expect("exec-server should support root --strict-config");
     }
 
+    #[test]
+    fn exec_server_enable_noise_is_explicit_remote_opt_in() {
+        let cli = MultitoolCli::try_parse_from([
+            "codex",
+            "exec-server",
+            "--remote",
+            "https://registry.example",
+            "--environment-id",
+            "environment-1",
+            "--enable-noise",
+        ])
+        .expect("parse");
+
+        assert_matches!(
+            cli.subcommand,
+            Some(Subcommand::ExecServer(ExecServerCommand {
+                enable_noise: true,
+                ..
+            }))
+        );
+        MultitoolCli::try_parse_from(["codex", "exec-server", "--enable-noise"])
+            .expect_err("--enable-noise should require --remote");
+    }
+
     #[test]
     fn root_strict_config_is_rejected_for_unsupported_subcommands() {
         let cli = MultitoolCli::try_parse_from(["codex", "--strict-config", "mcp", "list"])

codex-rs/exec-server/README.md

@@ -22,10 +22,15 @@ the wire.
 The CLI entrypoint supports:
 
 - `ws://IP:PORT` (default)
-- `--remote URL --environment-id ID [--name NAME]`
+- `--remote URL --environment-id ID [--name NAME] [--enable-noise]`
 
 Remote mode registers the local exec-server with the environment registry,
 then reconnects to the service-provided rendezvous websocket as the environment.
+It uses the legacy relay contract by default for compatibility with existing
+registries and harnesses. `--enable-noise` explicitly opts into Noise-encrypted
+relay registration and requires both the registry and harness to support the
+Noise relay contract. Container entrypoints can make the same explicit choice
+by setting `CODEX_EXEC_SERVER_ENABLE_NOISE=true`.
 It uses the standard Codex ChatGPT sign-in state; run `codex login` first when
 remote registration needs authentication. Containerized callers that receive an
 Agent Identity JWT in `CODEX_ACCESS_TOKEN` can opt into that auth path with
@@ -45,7 +50,8 @@ codex exec-server \
 Wire framing:
 
 - local websocket: one JSON-RPC message per websocket frame
-- remote websocket: binary protobuf relay frames carrying JSON-RPC payloads
+- legacy remote websocket: binary protobuf relay frames carrying JSON-RPC payloads
+- Noise remote websocket: binary protobuf relay frames carrying encrypted payloads
 
 ## Remote Relay Message Format
 

codex-rs/exec-server/src/lib.rs

@@ -110,6 +110,7 @@ pub use protocol::WriteParams;
 pub use protocol::WriteResponse;
 pub use protocol::WriteStatus;
 pub use remote::RemoteEnvironmentConfig;
+pub use remote::RemoteRelayProtocol;
 pub use remote::run_remote_environment;
 pub use runtime_paths::ExecServerRuntimePaths;
 pub use server::DEFAULT_LISTEN_URL;