Skip to content

Cache cloud requirements #11305

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
gt-oai merged 1 commit into from
Feb 11, 2026
Merged

Cache cloud requirements #11305

gt-oai merged 1 commit into from
Feb 11, 2026
+666 −29

Conversation

@gt-oai
Copy link
Contributor

@gt-oai gt-oai commented Feb 10, 2026
edited
Loading

We're loading these from the web on every startup. This puts them in a local file with a 1hr TTL.

We sign the downloaded requirements with a key compiled into the Codex CLI to prevent unsophisticated tampering (determined circumvention is outside of our threat model: after all, one could just compile Codex without any of these checks).

If any of the following are true, we ignore the local cache and re-fetch from Cloud:

  • The signature is invalid for the payload (== requirements, sign time, ttl, user identity)
  • The identity does not match the auth'd user's identity
  • The TTL has expired
  • We cannot parse requirements.toml from the payload

@gt-oai gt-oai force-pushed the gt/cache-cloud-reqs branch from d8fe534 to c53815f Compare February 10, 2026 12:19
@gt-oai gt-oai marked this pull request as ready for review February 10, 2026 13:48
@gt-oai gt-oai force-pushed the gt/cache-cloud-reqs branch from c53815f to 10227ae Compare February 10, 2026 13:54
gverma-openai
gverma-openai reviewed Feb 10, 2026
View reviewed changes
codex-rs/cloud-requirements/src/lib.rs Outdated
enum CacheLoadStatus {
#[error("Skipping cloud requirements cache read because auth identity is incomplete")]
AuthIdentityIncomplete,
#[error("cloud requirements cache file not found")]
Copy link
Contributor

@gverma-openai gverma-openai Feb 10, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: first word is not capitalized in some errors and is in other error strings.

Copy link
Contributor Author

@gt-oai gt-oai Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

gverma-openai
gverma-openai reviewed Feb 10, 2026
View reviewed changes
codex-rs/cloud-requirements/src/lib.rs
let account_id = account_id.as_deref();

self.fetch_with_retries(&auth).await
match self.load_cache(chatgpt_user_id, account_id).await {
Copy link
Contributor

@gverma-openai gverma-openai Feb 10, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If load_cache fails, do we fallback to network fetch (with the regular retries treatment)?

Copy link
Contributor Author

@gt-oai gt-oai Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes we fall back (line 273)

@gt-oai gt-oai force-pushed the gt/cache-cloud-reqs branch from 10227ae to 1d3cb36 Compare February 11, 2026 12:27
@gt-oai gt-oai force-pushed the gt/cache-cloud-reqs branch from 1d3cb36 to b8c577e Compare February 11, 2026 13:07
@gt-oai gt-oai enabled auto-merge (squash) February 11, 2026 13:15
@gt-oai gt-oai merged commit 886d937 into main Feb 11, 2026
51 of 53 checks passed
@gt-oai gt-oai deleted the gt/cache-cloud-reqs branch February 11, 2026 14:06
@github-actions github-actions bot locked and limited conversation to collaborators Feb 11, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@gverma-openai gverma-openai gverma-openai approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gt-oai @gverma-openai