Skip to content

feat: core infrastructure improvements and production hardening#28

Merged
bb-connor merged 7 commits intomainfrom
codex/core-infrastructure
Feb 4, 2026
Merged

feat: core infrastructure improvements and production hardening#28
bb-connor merged 7 commits intomainfrom
codex/core-infrastructure

Conversation

@bb-connor
Copy link
Copy Markdown
Collaborator

@bb-connor bb-connor commented Feb 4, 2026

Summary

  • Add remote policy extends with URL-based inheritance support
  • Implement TLS support for hushd with certificate configuration
  • Add Prometheus metrics endpoint for production observability
  • Introduce custom guard registration and runtime execution
  • Enhance audit logging with structured schema improvements
  • Add prompt security module for Python SDK
  • Improve policy event handling and validation tooling
  • Update documentation and rulesets for consistency

Test plan

  • Run TLS integration tests
  • Verify remote extends fetches and merges policies correctly
  • Test metrics endpoint exposes expected values
  • Validate custom guard registration and execution
  • Test prompt security module in Python SDK

🤖 Generated with Claude Code

@bb-connor @claude
feat: add core infrastructure improvements and production hardening
84e734f 
Implement foundational infrastructure features:
- Remote policy extends with URL-based inheritance
- TLS support for hushd with certificate configuration
- Prometheus metrics endpoint for observability
- Custom guard registration and runtime
- Enhanced audit logging with structured schema
- Prompt security module for Python SDK
- Policy event improvements and validation tooling
- Comprehensive documentation and ruleset updates

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@bb-connor
Copy link
Copy Markdown
Collaborator Author

bb-connor commented Feb 4, 2026

@codex

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Feb 4, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 84e734f960

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

crates/hushd/src/remote_extends.rs Outdated
Comment on lines +144 to +147
let resp = client
.get(url)
.send()
.map_err(|e| Error::ConfigError(format!("Failed to fetch remote policy: {}", e)))?;
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Enforce allowlist after redirects

The allowlist check happens before the request, but reqwest::blocking::Client follows redirects by default. If an allowlisted host returns a 3xx to a non-allowlisted host, send() will follow and fetch from that new host without re-validating the allowlist, which bypasses the origin restrictions (and can enable SSRF/policy sourcing from unapproved origins). Consider disabling redirects or checking resp.url() against the allowlist after send().

Useful? React with 👍 / 👎.

@bb-connor
Merge remote-tracking branch 'origin/main' into codex/core-infrastruc…
294195d 
…ture

# Conflicts:
#	crates/clawdstrike/src/engine.rs
#	crates/hush-cli/src/policy_event.rs
@bb-connor
fix: harden remote extends and resolve CI breakage
25b04c5
@bb-connor
Merge remote-tracking branch 'origin/main' into codex/core-infrastruc…
02220bb 
…ture

# Conflicts:
#	crates/hush-cli/src/main.rs
#	crates/hushd/Cargo.toml
#	crates/hushd/src/api/check.rs
#	crates/hushd/src/api/metrics.rs
#	crates/hushd/src/api/policy.rs
#	crates/hushd/src/config.rs
#	crates/hushd/src/lib.rs
#	crates/hushd/src/metrics.rs
#	crates/hushd/src/state.rs
#	deploy/README.md
#	deploy/config.yaml
@bb-connor
chore: rustfmt
4dd2ef0
@bb-connor
fix: gate macOS sandbox tests
e648a4b
@bb-connor
fix: make hush run sandbox compile on Linux
422f33d
@bb-connor bb-connor merged commit bf31291 into main Feb 4, 2026
22 checks passed
@bb-connor bb-connor deleted the codex/core-infrastructure branch February 4, 2026 14:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bb-connor