feat: introduce responses-api-proxy

Author: bolinfest

codex-rs/Cargo.lock

@@ -18,6 +18,7 @@ members = [
     "ollama",
     "protocol",
     "protocol-ts",
+    "responses-api-proxy",
     "tui",
     "utils/readiness",
 ]
@@ -49,6 +50,7 @@ codex-mcp-server = { path = "mcp-server" }
 codex-ollama = { path = "ollama" }
 codex-protocol = { path = "protocol" }
 codex-protocol-ts = { path = "protocol-ts" }
+codex-responses-api-proxy = { path = "responses-api-proxy" }
 codex-tui = { path = "tui" }
 codex-utils-readiness = { path = "utils/readiness" }
 core_test_support = { path = "core/tests/common" }

codex-rs/Cargo.toml

@@ -28,6 +28,7 @@ codex-mcp-server = { workspace = true }
 codex-protocol = { workspace = true }
 codex-protocol-ts = { workspace = true }
 codex-tui = { workspace = true }
+codex-responses-api-proxy = { workspace = true }
 ctor = { workspace = true }
 owo-colors = { workspace = true }
 serde_json = { workspace = true }

codex-rs/cli/Cargo.toml

@@ -15,6 +15,7 @@ use codex_cli::login::run_logout;
 use codex_cli::proto;
 use codex_common::CliConfigOverrides;
 use codex_exec::Cli as ExecCli;
+use codex_responses_api_proxy::Args as ResponsesApiProxyArgs;
 use codex_tui::AppExitInfo;
 use codex_tui::Cli as TuiCli;
 use owo_colors::OwoColorize;
@@ -87,6 +88,10 @@ enum Subcommand {
     /// Internal: generate TypeScript protocol bindings.
     #[clap(hide = true)]
     GenerateTs(GenerateTsCommand),
+
+    /// Internal: run the responses API proxy.
+    #[clap(hide = true)]
+    ResponsesApiProxy(ResponsesApiProxyArgs),
 }
 
 #[derive(Debug, Parser)]
@@ -234,7 +239,7 @@ fn main() -> anyhow::Result<()> {
 async fn cli_main(pre_main_args: PreMainArgs) -> anyhow::Result<()> {
     let PreMainArgs {
         codex_linux_sandbox_exe,
-        openai_api_key: _,
+        openai_api_key,
     } = pre_main_args;
 
     let MultitoolCli {
@@ -347,6 +352,11 @@ async fn cli_main(pre_main_args: PreMainArgs) -> anyhow::Result<()> {
         Some(Subcommand::GenerateTs(gen_cli)) => {
             codex_protocol_ts::generate_ts(&gen_cli.out_dir, gen_cli.prettier.as_deref())?;
         }
+        Some(Subcommand::ResponsesApiProxy(args)) => {
+            let api_key =
+                openai_api_key.ok_or_else(|| anyhow::anyhow!("OPENAI_API_KEY must be set"))?;
+            codex_responses_api_proxy::run_main(api_key, args)?;
+        }
     }
 
     Ok(())

codex-rs/cli/src/main.rs

@@ -0,0 +1,25 @@
+[package]
+edition = "2024"
+name = "codex-responses-api-proxy"
+version = { workspace = true }
+
+[lib]
+name = "codex_responses_api_proxy"
+path = "src/lib.rs"
+
+[[bin]]
+name = "responses-api-proxy"
+path = "src/main.rs"
+
+[lints]
+workspace = true
+
+[dependencies]
+anyhow = { workspace = true }
+clap = { workspace = true, features = ["derive"] }
+codex-arg0 = { workspace = true }
+libc = { workspace = true }
+reqwest = { workspace = true, features = ["blocking", "json", "rustls-tls"] }
+serde = { workspace = true, features = ["derive"] }
+serde_json = { workspace = true }
+tiny_http = { workspace = true }

codex-rs/responses-api-proxy/Cargo.toml

@@ -0,0 +1,29 @@
+# codex-responses-api-proxy
+
+A minimal HTTP proxy that only forwards POST requests to `/v1/responses` to the OpenAI API, injecting the `Authorization: Bearer $OPENAI_API_KEY` header. Everything else is rejected with `403 Forbidden`.
+
+**IMPORTANT:** This is designed to be used with `CODEX_SECURE_MODE=1` so that an unprivileged user cannot inspect or tamper with this process. Though if `--http-shutdown` is specified, an unprivileged user _can_ shutdown the server.
+
+## Behavior
+
+- Reads `OPENAI_API_KEY` from the environment at startup. On Unix platforms, it attempts to `mlock(2)` the memory holding the key so it is not swapped to disk.
+- Immediately removes `OPENAI_API_KEY` from the process environment after reading it to avoid leaving the key in unprotected env storage. The shared `arg0_dispatch_or_else()` helper handles this before Tokio spins up.
+- Listens on the provided port or an ephemeral port if `--port` is not specified.
+- Accepts exactly `POST /v1/responses` (no query string). The request body is forwarded to `https://api.openai.com/v1/responses` with `Authorization: Bearer <key>` set. All original request headers (except any incoming `Authorization`) are forwarded upstream. For other requests, it responds with `403`.
+- Optionally writes a single-line JSON file with startup info, currently `{ "port": <u16> }`.
+- Optional `--http-shutdown` enables `GET /shutdown` to terminate the process with exit code 0. This allows one user (e.g., root) to start the proxy and another unprivileged user on the host to shut it down.
+
+## CLI
+
+```
+responses-api-proxy [--port <PORT>] [--startup-info <FILE>] [--http-shutdown]
+```
+
+- `--port <PORT>`: Port to bind on `127.0.0.1`. If omitted, an ephemeral port is chosen.
+- `--startup-info <FILE>`: If set, the proxy writes a single line of JSON with `{ "port": <PORT> }` once listening.
+- `--http-shutdown`: If set, enables `GET /shutdown` to exit the process with code `0`.
+
+## Notes
+
+- Only `POST /v1/responses` is permitted. No query strings are allowed.
+- All request headers are forwarded to the upstream call (aside from overriding `Authorization`). Response status and content-type are mirrored from upstream.