From b2a03ea571f18f38ccc3cd3543036ffd18af443f Mon Sep 17 00:00:00 2001
From: Xiao-Yong Jin
Date: Fri, 14 Nov 2025 12:05:57 -0600
Subject: [PATCH 1/2] Fix FreeBSD/OpenBSD builds: target-specific keyring features and BSD hardening
- Disable keyring default-features at workspace root
- Scope keyring native backends via target cfgs in core, keyring-store, rmcp-client
- linux: linux-native-async-persistent
- macOS: apple-native
- windows: windows-native
- freebsd/openbsd: sync-secret-service
- Add pre_main_hardening_bsd (RLIMIT_CORE=0, clear LD_*)
- Simplify process-hardening deps to unconditional libc
- Keep non-Linux platforms free of linux-only features to avoid build failures
---
 codex-rs/Cargo.toml | 2 +-
 codex-rs/core/Cargo.toml | 15 +++++++++------
 codex-rs/keyring-store/Cargo.toml | 19 +++++++++++++------
 codex-rs/process-hardening/Cargo.toml | 7 -------
 codex-rs/process-hardening/src/lib.rs | 26 +++++++++++++++++++++++++-
 codex-rs/rmcp-client/Cargo.toml | 18 ++++++++++++------
 6 files changed, 60 insertions(+), 27 deletions(-)
diff --git a/codex-rs/Cargo.toml b/codex-rs/Cargo.toml
index 80bae6550a..d8b8f4ebda 100644
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -129,7 +129,7 @@ image = { version = "^0.25.8", default-features = false }
 indexmap = "2.12.0"
 insta = "1.43.2"
 itertools = "0.14.0"
-keyring = "3.6"
+keyring = { version = "3.6", default-features = false }
 landlock = "0.4.1"
 lazy_static = "1"
 libc = "0.2.175"
diff --git a/codex-rs/core/Cargo.toml b/codex-rs/core/Cargo.toml
index ab732c910c..4d8f43778c 100644
--- a/codex-rs/core/Cargo.toml
+++ b/codex-rs/core/Cargo.toml
@@ -40,12 +40,7 @@ eventsource-stream = { workspace = true }
 futures = { workspace = true }
 http = { workspace = true }
 indexmap = { workspace = true }
-keyring = { workspace = true, features = [
- "apple-native",
- "crypto-rust",
- "linux-native-async-persistent",
- "windows-native",
-] }
+keyring = { workspace = true, features = ["crypto-rust"] }
 libc = { workspace = true }
 mcp-types = { workspace = true }
 os_info = { workspace = true }
@@ -90,9 +85,11 @@ wildmatch = { workspace = true }
 [target.'cfg(target_os = "linux")'.dependencies]
 landlock = { workspace = true }
 seccompiler = { workspace = true }
+keyring = { workspace = true, features = ["linux-native-async-persistent"] }
 [target.'cfg(target_os = "macos")'.dependencies]
 core-foundation = "0.9"
+keyring = { workspace = true, features = ["apple-native"] }
 # Build OpenSSL from source for musl builds.
 [target.x86_64-unknown-linux-musl.dependencies]
@@ -102,6 +99,12 @@ openssl-sys = { workspace = true, features = ["vendored"] }
 [target.aarch64-unknown-linux-musl.dependencies]
 openssl-sys = { workspace = true, features = ["vendored"] }
+[target.'cfg(target_os = "windows")'.dependencies]
+keyring = { workspace = true, features = ["windows-native"] }
+
+[target.'cfg(any(target_os = "freebsd", target_os = "openbsd"))'.dependencies]
+keyring = { workspace = true, features = ["sync-secret-service"] }
+
 [dev-dependencies]
 assert_cmd = { workspace = true }
 assert_matches = { workspace = true }
diff --git a/codex-rs/keyring-store/Cargo.toml b/codex-rs/keyring-store/Cargo.toml
index f662e5d4ff..32645a3f6a 100644
--- a/codex-rs/keyring-store/Cargo.toml
+++ b/codex-rs/keyring-store/Cargo.toml
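Review bot: The new `[target.'cfg(any(target_os = "freebsd", target_os = "openbsd"))'.dependencies]` table selects keyring's `sync-secret-service` backend, which as far as I recall of keyring 3.x is a D-Bus client rather than an in-process store: it needs libdbus-1 on the build host unless keyring's `vendored` feature is also enabled, and at runtime it only works when a Secret Service provider (gnome-keyring, KWallet) is on the session bus, which a headless BSD install will not have. "Builds on BSD" is therefore not "stores credentials on BSD", so please confirm the keyring-store callers surface the error instead of silently falling back to an unprotected location when no provider answers. A one-line comment above the table would save the next reader the investigation, e.g. `# BSDs have no native keyring; sync-secret-service talks to a Secret Service daemon over D-Bus and needs libdbus-1 (or keyring's "vendored" feature) to build`. The identical table is repeated in keyring-store and rmcp-client, so the same note applies there.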
@@ -7,10 +7,17 @@ version = { workspace = true }
 workspace = true
 [dependencies]
-keyring = { workspace = true, features = [
- "apple-native",
- "crypto-rust",
- "linux-native-async-persistent",
- "windows-native",
-] }
+keyring = { workspace = true, features = ["crypto-rust"] }
+
+[target.'cfg(target_os = "linux")'.dependencies]
+keyring = { workspace = true, features = ["linux-native-async-persistent"] }
+
+[target.'cfg(target_os = "macos")'.dependencies]
+keyring = { workspace = true, features = ["apple-native"] }
+
+[target.'cfg(target_os = "windows")'.dependencies]
+keyring = { workspace = true, features = ["windows-native"] }
+
+[target.'cfg(any(target_os = "freebsd", target_os = "openbsd"))'.dependencies]
+keyring = { workspace = true, features = ["sync-secret-service"] }
 tracing = { workspace = true }
diff --git a/codex-rs/process-hardening/Cargo.toml b/codex-rs/process-hardening/Cargo.toml
index 7294b6e268..2ba4b0d5ca 100644
--- a/codex-rs/process-hardening/Cargo.toml
+++ b/codex-rs/process-hardening/Cargo.toml
@@ -11,11 +11,4 @@ path = "src/lib.rs"
 workspace = true
 [dependencies]
-[target.'cfg(target_os = "linux")'.dependencies]
-libc = { workspace = true }
-
-[target.'cfg(target_os = "android")'.dependencies]
-libc = { workspace = true }
-
-[target.'cfg(target_os = "macos")'.dependencies]
 libc = { workspace = true }
diff --git a/codex-rs/process-hardening/src/lib.rs b/codex-rs/process-hardening/src/lib.rs
index a787b4097d..59cd75f528 100644
--- a/codex-rs/process-hardening/src/lib.rs
+++ b/codex-rs/process-hardening/src/lib.rs
@@ -10,6 +10,10 @@ pub fn pre_main_hardening() {
 #[cfg(target_os = "macos")]
 pre_main_hardening_macos();
+ // On FreeBSD and OpenBSD, apply similar hardening to Linux/macOS:
+ #[cfg(any(target_os = "freebsd", target_os = "openbsd"))]
+ pre_main_hardening_bsd();
+
 #[cfg(windows)]
 pre_main_hardening_windows();
 }
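Review bot: The added comment `// On FreeBSD and OpenBSD, apply similar hardening to Linux/macOS:` promises more than `pre_main_hardening_bsd` delivers: its body (added later in this patch) only zeroes RLIMIT_CORE and strips `LD_*`, with nothing corresponding to the Linux prctl step or the macOS PT_DENY_ATTACH step whose exit codes sit next to it in this file. A comment at a hardening entry point gets read as the security contract, so it should say exactly what is done, e.g. `// FreeBSD/OpenBSD: disable core dumps and strip LD_* for children; no debugger-attach denial is applied here.` `pre_main_hardening`'s body starts before this hunk.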
@@ -20,7 +24,6 @@ const PRCTL_FAILED_EXIT_CODE: i32 = 5;
 #[cfg(target_os = "macos")]
 const PTRACE_DENY_ATTACH_FAILED_EXIT_CODE: i32 = 6;
-#[cfg(any(target_os = "linux", target_os = "android", target_os = "macos"))]
 const SET_RLIMIT_CORE_FAILED_EXIT_CODE: i32 = 7;
 #[cfg(any(target_os = "linux", target_os = "android"))]
@@ -57,6 +60,27 @@ pub(crate) fn pre_main_hardening_linux() {
 }
 }
+#[cfg(any(target_os = "freebsd", target_os = "openbsd"))]
+pub(crate) fn pre_main_hardening_bsd() {
+ // FreeBSD/OpenBSD: set RLIMIT_CORE to 0 and clear LD_* env vars
+ set_core_file_size_limit_to_zero();
+
+ let ld_keys: Vec = std::env::vars()
+ .filter_map(|(key, _)| {
+ if key.starts_with("LD_") {
+ Some(key)
+ } else {
+ None
+ }
+ })
+ .collect();
+ for key in ld_keys {
+ unsafe {
+ std::env::remove_var(key);
+ }
+ }
+}
+
 #[cfg(target_os = "macos")]
 pub(crate) fn pre_main_hardening_macos() {
 // Prevent debuggers from attaching to this process.
diff --git a/codex-rs/rmcp-client/Cargo.toml b/codex-rs/rmcp-client/Cargo.toml
index e9f832e655..92591a09e7 100644
--- a/codex-rs/rmcp-client/Cargo.toml
+++ b/codex-rs/rmcp-client/Cargo.toml
@@ -16,12 +16,7 @@ codex-keyring-store = { workspace = true }
 codex-protocol = { workspace = true }
 dirs = { workspace = true }
 futures = { workspace = true, default-features = false, features = ["std"] }
-keyring = { workspace = true, features = [
- "apple-native",
- "crypto-rust",
- "linux-native-async-persistent",
- "windows-native",
-] }
+keyring = { workspace = true, features = ["crypto-rust"] }
 mcp-types = { path = "../mcp-types" }
 oauth2 = "5"
 reqwest = { version = "0.12", default-features = false, features = [
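Review bot: `pre_main_hardening_bsd` has no counterpart to the debugger-attach denial that the Linux and macOS paths perform (their failure modes are the `PRCTL_FAILED_EXIT_CODE` and `PTRACE_DENY_ATTACH_FAILED_EXIT_CODE` constants visible in the first hunk), so on the BSDs a same-uid process can still ptrace this binary and read credentials out of its memory even though core dumps are off. FreeBSD exposes this as `procctl(P_PID, getpid(), PROC_TRACE_CTL, &PROC_TRACE_CTL_DISABLE)`; OpenBSD has no per-process equivalent that I know of, so the body comment should record that gap instead of implying parity. The `unsafe { std::env::remove_var(key) }` block also needs a `// SAFETY:` comment, because `remove_var` is only sound while no other thread can read the environment, which is true only if this really runs before `main` spawns anything; the function name asserts that, nothing visible here proves it. Note too that stripping `LD_*` protects children, not this process, since the runtime linker consumed `LD_PRELOAD` long before this code ran. Sketch of the FreeBSD branch, assuming the libc crate exports these constants and the cfg on `PTRACE_DENY_ATTACH_FAILED_EXIT_CODE` is widened to include freebsd:

```rust
#[cfg(any(target_os = "freebsd", target_os = "openbsd"))]
pub(crate) fn pre_main_hardening_bsd() {
    // Core dumps off (shared helper); on OpenBSD this is the only process-level control we have.
    set_core_file_size_limit_to_zero();

    // FreeBSD: refuse ptrace attach, mirroring prctl(PR_SET_DUMPABLE, 0) / PT_DENY_ATTACH.
    #[cfg(target_os = "freebsd")]
    {
        let mut ctl: libc::c_int = libc::PROC_TRACE_CTL_DISABLE;
        // SAFETY: `ctl` is a live c_int for the duration of the call, which is the
        // data argument procctl(2) expects for PROC_TRACE_CTL.
        let rc = unsafe {
            libc::procctl(
                libc::P_PID,
                libc::getpid() as libc::id_t,
                libc::PROC_TRACE_CTL,
                &mut ctl as *mut libc::c_int as *mut libc::c_void,
            )
        };
        if rc != 0 {
            std::process::exit(PTRACE_DENY_ATTACH_FAILED_EXIT_CODE);
        }
    }

    // … unchanged: collect LD_* keys into ld_keys …
    for key in ld_keys {
        // SAFETY: this runs before main, while the process is still single-threaded,
        // so no concurrent reader of the environment can observe the mutation.
        unsafe {
            std::env::remove_var(key);
        }
    }
}
```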
@@ -62,3 +57,14 @@ escargot = { workspace = true }
 pretty_assertions = { workspace = true }
 serial_test = { workspace = true }
 tempfile = { workspace = true }
+[target.'cfg(target_os = "linux")'.dependencies]
+keyring = { workspace = true, features = ["linux-native-async-persistent"] }
+
+[target.'cfg(target_os = "macos")'.dependencies]
+keyring = { workspace = true, features = ["apple-native"] }
+
+[target.'cfg(target_os = "windows")'.dependencies]
+keyring = { workspace = true, features = ["windows-native"] }
+
+[target.'cfg(any(target_os = "freebsd", target_os = "openbsd"))'.dependencies]
+keyring = { workspace = true, features = ["sync-secret-service"] }
From 22a083c9b04baa0195d98d589b7533cc824afe29 Mon Sep 17 00:00:00 2001
From: celia-oai
Date: Sun, 16 Nov 2025 16:28:49 -0800
Subject: [PATCH 2/2] fix
---
 codex-rs/keyring-store/Cargo.toml | 2 +-
 codex-rs/process-hardening/src/lib.rs | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/codex-rs/keyring-store/Cargo.toml b/codex-rs/keyring-store/Cargo.toml
index 32645a3f6a..932693de50 100644
--- a/codex-rs/keyring-store/Cargo.toml
+++ b/codex-rs/keyring-store/Cargo.toml
@@ -8,6 +8,7 @@ workspace = true
 [dependencies]
 keyring = { workspace = true, features = ["crypto-rust"] }
+tracing = { workspace = true }
 [target.'cfg(target_os = "linux")'.dependencies]
 keyring = { workspace = true, features = ["linux-native-async-persistent"] }
@@ -20,4 +21,3 @@ keyring = { workspace = true, features = ["windows-native"] }
 [target.'cfg(any(target_os = "freebsd", target_os = "openbsd"))'.dependencies]
 keyring = { workspace = true, features = ["sync-secret-service"] }
-tracing = { workspace = true }
diff --git a/codex-rs/process-hardening/src/lib.rs b/codex-rs/process-hardening/src/lib.rs
index 59cd75f528..0a624fb387 100644
--- a/codex-rs/process-hardening/src/lib.rs
+++ b/codex-rs/process-hardening/src/lib.rs
@@ -24,6 +24,13 @@ const PRCTL_FAILED_EXIT_CODE: i32 = 5;
 #[cfg(target_os = "macos")]
 const PTRACE_DENY_ATTACH_FAILED_EXIT_CODE: i32 = 6;
+#[cfg(any(
+ target_os = "linux",
+ target_os = "android",
+ target_os = "macos",
+ target_os = "freebsd",
+ target_os = "openbsd"
+))]
 const SET_RLIMIT_CORE_FAILED_EXIT_CODE: i32 = 7;
 #[cfg(any(target_os = "linux", target_os = "android"))]