From 6690d82dbd16b4e3f11aace766f1772044afe8ce Mon Sep 17 00:00:00 2001
From: Vineel Y
Date: Tue, 4 Nov 2025 08:21:10 -0800
Subject: [PATCH] fix(otel): enable TLS for OTLP gRPC over https endpoints

fix: enable TLS for HTTPS OpenTelemetry gRPC endpoints
---
 codex-rs/Cargo.lock | 3 +++
 codex-rs/otel/Cargo.toml | 2 ++
 codex-rs/otel/src/otel_provider.rs | 23 ++++++++++++++++++++---
 3 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/codex-rs/Cargo.lock b/codex-rs/Cargo.lock
index 4961486e65..6d91e7bcfb 100644
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -5113,6 +5113,7 @@ version = "0.23.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2491382039b29b9b11ff08b76ff6c97cf287671dbb74f0be44bda389fffe9bd1"
 dependencies = [
+ "log",
 "once_cell",
 "ring",
 "rustls-pki-types",
@@ -6507,8 +6508,10 @@ dependencies = [
 "percent-encoding",
 "pin-project",
 "prost",
+ "rustls-native-certs",
 "socket2 0.5.10",
 "tokio",
+ "tokio-rustls",
 "tokio-stream",
 "tower",
 "tower-layer",
diff --git a/codex-rs/otel/Cargo.toml b/codex-rs/otel/Cargo.toml
index ea518c2e4f..bea5dce33d 100644
--- a/codex-rs/otel/Cargo.toml
+++ b/codex-rs/otel/Cargo.toml
@@ -29,6 +29,8 @@ opentelemetry-otlp = { workspace = true, features = [
 "http-json",
 "reqwest",
 "reqwest-rustls",
+ "tls",
+ "tls-roots",
 ], optional = true }
 opentelemetry-semantic-conventions = { workspace = true }
 opentelemetry_sdk = { workspace = true, features = [
diff --git a/codex-rs/otel/src/otel_provider.rs b/codex-rs/otel/src/otel_provider.rs
index 222322a2ea..11a04a04b4 100644
--- a/codex-rs/otel/src/otel_provider.rs
+++ b/codex-rs/otel/src/otel_provider.rs
@@ -15,6 +15,8 @@ use reqwest::header::HeaderName;
 use reqwest::header::HeaderValue;
 use std::error::Error;
 use tonic::metadata::MetadataMap;
+use tonic::transport::ClientTlsConfig;
+use tonic::transport::Endpoint;
 use tracing::debug;
 
 const ENV_ATTRIBUTE: &str = "env";
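Review bot: Enabling `tls-roots` makes the OTLP gRPC exporter trust whatever CA bundle the host operating system provides (the lockfile hunk adds `rustls-native-certs` to what looks like tonic's dependency list for exactly this), so in a minimal or distroless image with no `ca-certificates` installed the new native-roots path has nothing to verify against and every https export fails. That is the right failure direction, but it is an operational surprise worth stating next to the feature, e.g. `# tls-roots: verify the collector against the OS trust store; the runtime image must ship a CA bundle`. If the collector is always signed by a public CA, a hermetic webpki-roots style feature would remove the host dependency, assuming the pinned opentelemetry-otlp version exposes one. The Cargo.toml hunk ends inside the `opentelemetry_sdk` features list, which continues outside the hunk.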
@@ -59,12 +61,27 @@ impl OtelProvider {
 }
 }
- let exporter = LogExporter::builder()
+ let mut exporter_builder = LogExporter::builder()
 .with_tonic()
 .with_endpoint(endpoint)
- .with_metadata(MetadataMap::from_headers(header_map))
- .build()?;
+ .with_metadata(MetadataMap::from_headers(header_map));
+
+ // 🔒 SECURITY FIX: Enable TLS for HTTPS endpoints
+ if endpoint.starts_with("https://") {
+ let mut tls_config = ClientTlsConfig::new().with_native_roots();
+
+ // Robust domain extraction using tonic's Endpoint parser
+ if let Ok(parsed_endpoint) = Endpoint::from_shared(endpoint.clone()) {
+ if let Some(uri) = parsed_endpoint.uri().host() {
+ tls_config = tls_config.domain_name(uri);
+ }
+ }
+
+ exporter_builder = exporter_builder.with_tls_config(tls_config);
+ debug!("TLS enabled for HTTPS endpoint: {}", endpoint);
+ }
+ let exporter = exporter_builder.build()?;
 builder = builder.with_batch_exporter(exporter);
 }
 OtelExporter::OtlpHttp {
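Review bot: The TLS branch decides on a raw, case-sensitive `endpoint.starts_with("https://")` and then parses the same string a second time just to recover the host, and when that inner `Endpoint::from_shared` fails the `if let Ok` silently drops the error, so a mixed-case `HTTPS://` scheme never reaches the TLS configuration at all and a malformed endpoint is handed on to `build()` with no indication of why it was not understood. Parse once, branch on `uri().scheme_str()` case-insensitively, and propagate the parse error instead of swallowing it; the `domain_name` pin then comes from the same parsed URI (tonic may already derive the server name from the host when none is set, but the explicit pin costs nothing and documents intent). The `// 🔒 SECURITY FIX:` comment is commit-message wording rather than a durable why-comment; something like `// tonic does not switch on TLS just because the URI scheme is https; configure it explicitly against the OS root store.` tells the next reader what would break if the block were removed. Two pre-existing points the change leaves as they are: `debug!` prints the raw endpoint, which would include any userinfo embedded in the URL, and a plain `http://` endpoint still sends the metadata headers in cleartext, which deserves at least a `warn!` when the host is not loopback. The enclosing `impl OtelProvider` method starts and ends outside the hunk, so whether `?` on tonic's transport error fits its return type needs confirming (the file imports `std::error::Error`, which suggests a boxed error return, but that is inferred).

```rust
// … unchanged: exporter_builder construction with endpoint and metadata …

// tonic does not switch on TLS just because the URI scheme is https; parse the
// endpoint once, and for https configure the OS root store explicitly, pinning
// the URI host as the name the server certificate is verified against.
let parsed_endpoint = Endpoint::from_shared(endpoint.clone())?;
let is_https = parsed_endpoint
    .uri()
    .scheme_str()
    .is_some_and(|scheme| scheme.eq_ignore_ascii_case("https"));
if is_https {
    let mut tls_config = ClientTlsConfig::new().with_native_roots();
    if let Some(host) = parsed_endpoint.uri().host() {
        tls_config = tls_config.domain_name(host);
    }
    exporter_builder = exporter_builder.with_tls_config(tls_config);
    debug!("TLS enabled for HTTPS endpoint: {}", endpoint);
}
let exporter = exporter_builder.build()?;
```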