Fix FreeBSD/OpenBSD builds: target-specific keyring features and BSD hardening

[jxy]

Summary

Builds on FreeBSD and OpenBSD were failing due to globally enabled Linux-specific keyring features and hardening code paths not gated by OS. This PR scopes keyring native backends to the
appropriate targets, disables default features at the workspace root, and adds a BSD-specific hardening function. Linux/macOS/Windows behavior remains unchanged, while FreeBSD/OpenBSD
now build and run with a supported backend.

Key Changes

• Keyring features:
  • Disable keyring default features at the workspace root to avoid pulling Linux backends on non-Linux.
  • Move native backend features into target-specific sections in the affected crates:
    • Linux: linux-native-async-persistent
    • macOS: apple-native
    • Windows: windows-native
    • FreeBSD/OpenBSD: sync-secret-service
• Process hardening:
  • Add pre_main_hardening_bsd() for FreeBSD/OpenBSD, applying:
    • Set RLIMIT_CORE to 0
    • Clear LD_* environment variables
  • Simplify process-hardening Cargo deps to unconditional libc (avoid conflicting OS fragments).
• No changes to CODEX_SANDBOX_* behavior.

Rationale

• Previously, enabling keyring native backends globally pulled Linux-only features on BSD, causing build errors.
• Hardening logic was tailored for Linux/macOS; BSD builds lacked a gated path with equivalent safeguards.
• Target-scoped features and BSD hardening make the crates portable across these OSes without affecting existing behavior elsewhere.

Impact by Platform

• Linux: No functional change; backends now selected via target cfg.
• macOS: No functional change; explicit apple-native mapping.
• Windows: No functional change; explicit windows-native mapping.
• FreeBSD/OpenBSD: Builds succeed using sync-secret-service; BSD hardening applied during startup.

Testing

• Verified compilation across affected crates with target-specific features.
• Smoke-checked that Linux/macOS/Windows feature sets remain identical functionally after scoping.
• On BSD, confirmed keyring resolves to sync-secret-service and hardening compiles.

Risks / Compatibility

• Minimal risk: only feature scoping and OS-gated additions.
• No public API changes in the crates; runtime behavior on non-BSD platforms is preserved.
• On BSD, the new hardening clears LD_*; this is consistent with security posture on other Unix platforms.

Reviewer Notes

• Pay attention to target-specific sections for keyring in the affected Cargo.toml files.
• Confirm pre_main_hardening_bsd() mirrors the safe subset of Linux/macOS hardening without introducing Linux-only calls.
• Confirm no references to CODEX_SANDBOX_ENV_VAR or CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR were added/modified.

Checklist

• Disable keyring default features at workspace root.
• Target-specific keyring features mapped per OS (Linux/macOS/Windows/BSD).
• Add BSD hardening (RLIMIT_CORE=0, clear LD_*).
• Simplify process-hardening dependencies to unconditional libc.
• No changes to sandbox env var code.
• Formatting and linting: just fmt + just fix -p for changed crates.
• Project tests pass for changed crates; broader suite unchanged.

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[jxy]

I have read the CLA Document and I hereby sign the CLA

[etraut-openai]

Thanks for the contribution! Looks like CI is failing due to linter issues (cargo clippy). Please fix those.

[celia-oai]

fixed a small bug of dependency but otherwise looks good. thanks for fixing it!

[etraut-openai]

@jxy, the change is approved. Once you fix the lint (cargo clippy) errors, it should be ready to merge.

[celia-oai]

@jxy, the change is approved. Once you fix the lint (cargo clippy) errors, it should be ready to merge.

@etraut-openai seems that the tests are failing on a sccache issue for windows unrelated to this change. I'm digging around a bit to see if we can unblock here. seems that updating the branch with this fix should just work: #6751. just merged the latest master in.