login: harden custom CA handling and isolate env-based tests

Enterprise TLS inspection proxies use custom roots, so OAuth token exchanges
fail when we only trust system CAs. This change switches PEM parsing to
rustls-pki-types (multi-cert bundles included) and surfaces clearer, user-
facing errors that explain how to fix invalid or empty CA files via
CODEX_CA_CERTIFICATE/SSL_CERT_FILE.

To avoid cross-test races with process-wide env vars, CA path selection now
uses a small EnvSource abstraction in unit tests, and environment-dependent
behavior is verified via an assert_cmd-driven login_ca_probe helper binary.
This keeps normal tests isolated while still validating env precedence and
error messaging.

Also updates login dev-deps (assert_cmd/pretty_assertions), removes serial_test,
and re-exports build_login_http_client for the probe helper.

Author: joshka-oai

codex-rs/Cargo.lock

@@ -177,6 +177,7 @@ regex = "1.12.2"
 regex-lite = "0.1.7"
 reqwest = "0.12"
 rmcp = { version = "0.10.0", default-features = false }
+rustls-pki-types = "1.13.0"
 schemars = "0.8.22"
 seccompiler = "0.5.0"
 sentry = "0.34.0"

codex-rs/Cargo.toml

@@ -14,6 +14,7 @@ codex-core = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 rand = { workspace = true }
 reqwest = { workspace = true, features = ["json", "blocking"] }
+rustls-pki-types = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
 sha2 = { workspace = true }
@@ -32,7 +33,8 @@ webbrowser = { workspace = true }
 
 [dev-dependencies]
 anyhow = { workspace = true }
+assert_cmd = { workspace = true }
 core_test_support = { workspace = true }
+pretty_assertions = { workspace = true }
 tempfile = { workspace = true }
 wiremock = { workspace = true }
-serial_test = { workspace = true }

codex-rs/login/Cargo.toml

@@ -0,0 +1,23 @@
+//! Helper binary for exercising custom CA environment handling in tests.
+//!
+//! The login flows honor `CODEX_CA_CERTIFICATE` and `SSL_CERT_FILE`, but those
+//! environment variables are process-global and unsafe to mutate in parallel
+//! test execution. This probe keeps the behavior under test while letting
+//! integration tests (`tests/ca_env.rs`) set env vars per-process, proving:
+//! - env precedence is respected,
+//! - multi-cert PEM bundles load,
+//! - error messages guide users when CA files are invalid.
+
+use std::process;
+
+fn main() {
+    match codex_login::build_login_http_client() {
+        Ok(_) => {
+            println!("ok");
+        }
+        Err(error) => {
+            eprintln!("{error}");
+            process::exit(1);
+        }
+    }
+}

codex-rs/login/src/bin/login_ca_probe.rs

@@ -6,6 +6,7 @@ pub use device_code_auth::run_device_code_login;
 pub use server::LoginServer;
 pub use server::ServerOptions;
 pub use server::ShutdownHandle;
+pub use server::build_login_http_client;
 pub use server::run_login_server;
 
 // Re-export commonly used auth types and helpers from codex-core for compatibility