exec-server: default remote transport to Noise #26245

Merged: viyatb-oai merged 109 commits into main from codex/viyatb/noise-cli-entrypoint on Jun 16, 2026

@viyatb-oai viyatb-oai commented Jun 3, 2026

Collaborator

Why

The transport in openai/codex#26242 needs to be used by every remote orchestrator-to-executor connection before JSON-RPC traffic starts.

Changes

  • Generates one executor Noise identity when remote exec-server starts and registers its public key.
  • Creates a harness identity for each physical remote environment connection.
  • Fetches a fresh registry bundle before connecting and validates the authenticated harness key before completing the executor handshake.
  • Multiplexes encrypted logical streams over the existing executor WebSocket.
  • Adds bounded stream, handshake-failure, and reassembly state.
  • Adds safe lifecycle diagnostics without logging keys, authorizations, plaintext, or ciphertext.
  • Covers reconnects, replay rejection, validation failure, framing limits, and encrypted JSON-RPC tool traffic.

Stack

  1. openai/codex#26242: Noise channel and relay transport
  2. openai/codex#26245: remote registration and runtime activation

Verification

  • just test -p codex-exec-server
  • just fix -p codex-exec-server
  • just bazel-lock-check
  • cargo shear

Co-authored-by: Codex noreply@openai.com
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/noise-e2e-coverage branch from ce56344 to a742187 Compare June 9, 2026 22:21
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/noise-cli-entrypoint branch from 68f52ab to 8a59e51 Compare June 9, 2026 22:21
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/noise-e2e-coverage branch from a742187 to 64fdb40 Compare June 9, 2026 22:45
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/noise-cli-entrypoint branch from 8a59e51 to 38c303e Compare June 9, 2026 22:45
Co-authored-by: Codex noreply@openai.com
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/noise-e2e-coverage branch from 64fdb40 to d5c0763 Compare June 9, 2026 23:20
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/noise-cli-entrypoint branch from 38c303e to 4d7004b Compare June 9, 2026 23:20
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/noise-e2e-coverage branch from d5c0763 to e99601b Compare June 9, 2026 23:38
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/noise-cli-entrypoint branch from 4d7004b to 265d057 Compare June 9, 2026 23:38
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/noise-e2e-coverage branch from e99601b to 7e49c03 Compare June 9, 2026 23:52
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/noise-cli-entrypoint branch from 265d057 to 4c9687b Compare June 9, 2026 23:52
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/noise-e2e-coverage branch from 7e49c03 to 040d711 Compare June 10, 2026 00:12
Co-authored-by: Codex noreply@openai.com
@viyatb-oai

Collaborator Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Contributor

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c51c634ba8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/exec-server/src/remote.rs
Comment thread codex-rs/exec-server/src/relay.rs
Co-authored-by: Codex noreply@openai.com
@apanasenko-oai

Collaborator

@codex

Co-authored-by: Codex noreply@openai.com

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Contributor

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2d3f9be4d2

Comment thread codex-rs/exec-server/src/relay.rs
Comment thread codex-rs/cli/Cargo.toml
Comment thread codex-rs/exec-server/README.md
Comment thread codex-rs/exec-server/src/relay.rs Outdated
viyatb-oai added a commit that referenced this pull request Jun 15, 2026
## Why

Rendezvous forwards traffic between the orchestrator and exec-server.
The endpoints need to authenticate each other and encrypt that traffic
without trusting Rendezvous with plaintext or endpoint keys.

## Changes

- Adds a hybrid Noise IK channel through Clatter using X25519,
ML-KEM-768, AES-256-GCM, and SHA-256.
- Binds each handshake to `environment_id`, `executor_registration_id`,
and `stream_id`.
- Pins the registry-provided executor key and carries the harness
authorization inside the encrypted handshake.
- Orders relay frames before consuming Noise nonces and fragments large
JSON-RPC messages into bounded records.
- Bounds handshake payloads, frames, streams, and message reassembly.

Runtime activation is in
[#26245](#26245).

## Stack

1. **[#26242](#26242)**:
Noise channel and relay transport
2. [#26245](#26245):
remote registration and runtime activation

## Verification

- `just test -p codex-exec-server`
- Oversized initiator payload regression coverage
- `just fix -p codex-exec-server`
- `just bazel-lock-check`
- `cargo shear`

---------

Co-authored-by: Codex <noreply@openai.com>
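
The ordering and bounding rules listed in the commit message above (and the bounded stream and reassembly state in the pull request description), sketched as an added Rust example that is not code from this pull request: frames are put in sender order before anything is decrypted, because Noise transport decryption advances an implicit nonce counter on each call. `Frame`, `StreamReceiver`, the `open` closure standing in for decryption, and both limits are assumptions made for illustration.

```rust
use std::collections::BTreeMap;
// Constructed limits for illustration; the PR does not state its real bounds.
const MAX_PENDING_FRAMES: usize = 8;
const MAX_MESSAGE_BYTES: usize = 64;
#[derive(Debug, PartialEq)]
pub enum RelayError { Replay, WindowFull, MessageTooLarge }
/// Hypothetical relay frame: `seq` is the sender's frame counter and `last`
/// marks the final fragment of one JSON-RPC message.
pub struct Frame { pub seq: u64, pub last: bool, pub record: Vec<u8> }
#[derive(Default)]
pub struct StreamReceiver {
    next_seq: u64,                 // next frame allowed to reach the cipher
    pending: BTreeMap<u64, Frame>, // early frames, held until their turn
    partial: Vec<u8>,              // fragments of the message in progress
}

impl StreamReceiver {
    /// Accepts one frame and returns the messages it completes. `open` stands
    /// in for Noise transport decryption, which uses one implicit nonce per
    /// call and therefore must only see records in sender order.
    pub fn accept<F: Fn(&[u8]) -> Vec<u8>>(&mut self, frame: Frame, open: F)
        -> Result<Vec<Vec<u8>>, RelayError> {
        if frame.seq < self.next_seq || self.pending.contains_key(&frame.seq) {
            return Err(RelayError::Replay); // already consumed or already queued
        }
        if frame.seq != self.next_seq && self.pending.len() >= MAX_PENDING_FRAMES {
            return Err(RelayError::WindowFull); // cap memory held for gaps
        }
        self.pending.insert(frame.seq, frame);
        let mut done = Vec::new();
        while let Some(f) = self.pending.remove(&self.next_seq) {
            self.next_seq += 1;
            let plain = open(&f.record);
            if self.partial.len() + plain.len() > MAX_MESSAGE_BYTES {
                return Err(RelayError::MessageTooLarge); // caller drops the stream
            }
            self.partial.extend_from_slice(&plain);
            if f.last { done.push(std::mem::take(&mut self.partial)); }
        }
        Ok(done)
    }
}

fn main() {
    let mut rx = StreamReceiver::default();
    let f = |seq, last, r: &str| Frame { seq, last, record: r.as_bytes().to_vec() };
    println!("{:?}", rx.accept(f(1, true, "lo"), |c: &[u8]| c.to_vec()));
    println!("{:?}", rx.accept(f(0, false, "hel"), |c: &[u8]| c.to_vec()));
}
```

The first call holds the early frame without touching the cipher; the second releases both fragments in order and yields the reassembled message.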
Base automatically changed from codex/viyatb/noise-relay-state to main June 15, 2026 23:39
…i-entrypoint

# Conflicts:
#	codex-rs/exec-server/src/noise_channel.rs
#	codex-rs/exec-server/src/noise_channel_tests.rs
#	codex-rs/exec-server/src/noise_relay/harness.rs
#	codex-rs/exec-server/src/noise_relay/mod.rs
#	codex-rs/exec-server/src/relay.rs
Co-authored-by: Codex noreply@openai.com
@viyatb-oai viyatb-oai requested a review from a team as a code owner June 16, 2026 00:09
@viyatb-oai viyatb-oai enabled auto-merge (squash) June 16, 2026 00:15
@viyatb-oai viyatb-oai disabled auto-merge June 16, 2026 00:20
@viyatb-oai viyatb-oai merged commit 6e50b22 into main Jun 16, 2026
31 checks passed
@viyatb-oai viyatb-oai deleted the codex/viyatb/noise-cli-entrypoint branch June 16, 2026 00:39
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 16, 2026