Codex Handbook
app-server-transport/src/transport/remote_control/enroll.rs 872 lines
use super::auth::RemoteControlConnectionAuth;use super::pairing_unavailable_error;use super::protocol::EnrollRemoteServerRequest;use super::protocol::EnrollRemoteServerResponse;use super::protocol::RefreshRemoteServerRequest;use super::protocol::RemoteControlPairingStatusRequest;use super::protocol::RemoteControlPairingStatusResponse as BackendRemoteControlPairingStatusResponse;use super::protocol::RemoteControlTarget;use super::protocol::StartRemoteControlPairingRequest;use super::protocol::StartRemoteControlPairingResponse;use axum::http::HeaderMap;use codex_app_server_protocol::RemoteControlPairingStartResponse;use codex_app_server_protocol::RemoteControlPairingStatusResponse;use codex_login::default_client::build_reqwest_client;use codex_state::RemoteControlEnrollmentRecord;use codex_state::StateRuntime;use serde::Serialize;use serde::de::DeserializeOwned;use std::io;use std::io::ErrorKind;use time::OffsetDateTime;use time::format_description::well_known::Rfc3339;use tracing::info;use tracing::warn;const REMOTE_CONTROL_ENROLL_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(30);const REMOTE_CONTROL_PAIRING_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(30);const REMOTE_CONTROL_RESPONSE_BODY_MAX_BYTES: usize = 4096;const REMOTE_CONTROL_SERVER_TOKEN_REFRESH_SKEW_SECS: i64 = 30;const REQUEST_ID_HEADER: &str = "x-request-id";const OAI_REQUEST_ID_HEADER: &str = "x-oai-request-id";const CF_RAY_HEADER: &str = "cf-ray";pub(super) const REMOTE_CONTROL_ACCOUNT_ID_HEADER: &str = "chatgpt-account-id";pub(super) const REMOTE_CONTROL_INSTALLATION_ID_HEADER: &str = "x-codex-installation-id";#[derive(Debug, Clone, PartialEq, Eq)]pub(super) struct RemoteControlEnrollment {    pub(super) remote_control_target: RemoteControlTarget,    pub(super) account_id: String,    pub(super) environment_id: String,    pub(super) server_id: String,    pub(super) server_name: String,    pub(super) remote_control_token: Option<String>,    pub(super) expires_at: Option<OffsetDateTime>,}impl RemoteControlEnrollment {    pub(super) async fn start_pairing(        &self,        request: StartRemoteControlPairingRequest,    ) -> io::Result<RemoteControlPairingStartResponse> {        if self.should_refresh_server_token() {            return Err(pairing_unavailable_error());        }        let remote_control_token = self            .remote_control_token            .as_deref()            .ok_or_else(pairing_unavailable_error)?;        let response = build_reqwest_client()            .post(&self.remote_control_target.pair_url)            .timeout(REMOTE_CONTROL_PAIRING_TIMEOUT)            .bearer_auth(remote_control_token)            .json(&request)            .send()            .await            .map_err(|err| {                io::Error::other(format!(                    "failed to start remote control pairing at `{}`: {err}",                    self.remote_control_target.pair_url                ))            })?;        let headers = response.headers().clone();        let status = response.status();        let body = response.bytes().await.map_err(|err| {            io::Error::other(format!(                "failed to read remote control pairing response from `{}`: {err}",                self.remote_control_target.pair_url            ))        })?;        let body_preview = preview_remote_control_response_body(&body);        if !status.is_success() {            let error_kind = match status.as_u16() {                401 | 403 => ErrorKind::PermissionDenied,                404 => ErrorKind::NotFound,                _ => ErrorKind::Other,            };            return Err(io::Error::new(                error_kind,                format!(                    "remote control pairing failed at `{}`: HTTP {status}, {}, body: {body_preview}",                    self.remote_control_target.pair_url,                    format_headers(&headers)                ),            ));        }        let pairing = serde_json::from_slice::<StartRemoteControlPairingResponse>(&body).map_err(            |err| {                io::Error::other(format!(                    "failed to parse remote control pairing response from `{}`: HTTP {status}, {}, body: {body_preview}, decode error: {err}",                    self.remote_control_target.pair_url,                    format_headers(&headers)                ))            },        )?;        let StartRemoteControlPairingResponse {            pairing_code,            manual_pairing_code,            server_id,            environment_id,            expires_at,        } = pairing;        if server_id != self.server_id || environment_id != self.environment_id {            return Err(io::Error::other(format!(                "remote control pairing returned mismatched enrollment: expected server_id={}, environment_id={}; got server_id={}, environment_id={}",                self.server_id, self.environment_id, server_id, environment_id            )));        }        let expires_at = OffsetDateTime::parse(&expires_at, &Rfc3339)            .map_err(|err| {                io::Error::new(                    ErrorKind::InvalidData,                    format!(                        "failed to parse remote control pairing response from `{}`: HTTP {status}, {}, body: {body_preview}, expires_at parse error: {err}",                        self.remote_control_target.pair_url,                        format_headers(&headers)                    ),                )            })?            .unix_timestamp();        Ok(RemoteControlPairingStartResponse {            pairing_code,            manual_pairing_code,            environment_id,            expires_at,        })    }    pub(super) async fn pairing_status(        &self,        request: RemoteControlPairingStatusRequest,    ) -> io::Result<RemoteControlPairingStatusResponse> {        if self.should_refresh_server_token() {            return Err(pairing_unavailable_error());        }        let remote_control_token = self            .remote_control_token            .as_deref()            .ok_or_else(pairing_unavailable_error)?;        let response = build_reqwest_client()            .post(&self.remote_control_target.pair_status_url)            .timeout(REMOTE_CONTROL_PAIRING_TIMEOUT)            .bearer_auth(remote_control_token)            .json(&request)            .send()            .await            .map_err(|err| {                io::Error::other(format!(                    "failed to check remote control pairing status at `{}`: {err}",                    self.remote_control_target.pair_status_url                ))            })?;        let headers = response.headers().clone();        let status = response.status();        let body = response.bytes().await.map_err(|err| {            io::Error::other(format!(                "failed to read remote control pairing status response from `{}`: {err}",                self.remote_control_target.pair_status_url            ))        })?;        let body_preview = preview_remote_control_response_body(&body);        if !status.is_success() {            let error_kind = match status.as_u16() {                401 | 403 => ErrorKind::PermissionDenied,                404 | 410 => ErrorKind::InvalidInput,                _ => ErrorKind::Other,            };            return Err(io::Error::new(                error_kind,                format!(                    "remote control pairing status failed at `{}`: HTTP {status}, {}, body: {body_preview}",                    self.remote_control_target.pair_status_url,                    format_headers(&headers)                ),            ));        }        let response = serde_json::from_slice::<BackendRemoteControlPairingStatusResponse>(&body)            .map_err(|err| {                io::Error::other(format!(                    "failed to parse remote control pairing status response from `{}`: HTTP {status}, {}, body: {body_preview}, decode error: {err}",                    self.remote_control_target.pair_status_url,                    format_headers(&headers)                ))            })?;        Ok(RemoteControlPairingStatusResponse {            claimed: response.claimed,        })    }    pub(super) fn should_refresh_server_token(&self) -> bool {        self.remote_control_token.is_none()            || self.expires_at.is_none_or(|expires_at| {                expires_at.unix_timestamp()                    <= OffsetDateTime::now_utc().unix_timestamp()                        + REMOTE_CONTROL_SERVER_TOKEN_REFRESH_SKEW_SECS            })    }    pub(super) fn clear_server_token(&mut self) {        self.remote_control_token = None;        self.expires_at = None;    }}pub(super) async fn load_persisted_remote_control_enrollment(    state_db: Option<&StateRuntime>,    remote_control_target: &RemoteControlTarget,    account_id: &str,    app_server_client_name: Option<&str>,) -> io::Result<Option<RemoteControlEnrollment>> {    let Some(state_db) = state_db else {        return Err(io::Error::new(            ErrorKind::NotFound,            format!(                "remote control enrollment cache unavailable because sqlite state db is disabled: websocket_url={}, account_id={}, app_server_client_name={:?}",                remote_control_target.websocket_url, account_id, app_server_client_name            ),        ));    };    let enrollment = match state_db        .get_remote_control_enrollment(            &remote_control_target.websocket_url,            account_id,            app_server_client_name,        )        .await    {        Ok(enrollment) => enrollment,        Err(err) => {            warn!(                "failed to load persisted remote control enrollment: websocket_url={}, account_id={}, app_server_client_name={:?}, err={err}",                remote_control_target.websocket_url, account_id, app_server_client_name            );            return Err(io::Error::other(err));        }    };    match enrollment {        Some(enrollment) => {            info!(                "reusing persisted remote control enrollment: websocket_url={}, account_id={}, app_server_client_name={:?}, server_id={}, environment_id={}",                remote_control_target.websocket_url,                account_id,                app_server_client_name,                enrollment.server_id,                enrollment.environment_id            );            Ok(Some(RemoteControlEnrollment {                remote_control_target: remote_control_target.clone(),                account_id: enrollment.account_id,                environment_id: enrollment.environment_id,                server_id: enrollment.server_id,                server_name: enrollment.server_name,                remote_control_token: None,                expires_at: None,            }))        }        None => {            info!(                "no persisted remote control enrollment found: websocket_url={}, account_id={}, app_server_client_name={:?}",                remote_control_target.websocket_url, account_id, app_server_client_name            );            Ok(None)        }    }}pub(super) async fn update_persisted_remote_control_enrollment(    state_db: Option<&StateRuntime>,    remote_control_target: &RemoteControlTarget,    account_id: &str,    app_server_client_name: Option<&str>,    enrollment: Option<&RemoteControlEnrollment>,    remote_control_enabled: Option<bool>,) -> io::Result<()> {    let Some(state_db) = state_db else {        return Err(io::Error::new(            ErrorKind::NotFound,            format!(                "remote control enrollment persistence unavailable because sqlite state db is disabled: websocket_url={}, account_id={}, app_server_client_name={:?}, has_enrollment={}",                remote_control_target.websocket_url,                account_id,                app_server_client_name,                enrollment.is_some()            ),        ));    };    if let &Some(enrollment) = &enrollment        && enrollment.account_id != account_id    {        return Err(io::Error::other(format!(            "enrollment account_id does not match expected account_id `{account_id}`"        )));    }    if let Some(enrollment) = enrollment {        state_db            .upsert_remote_control_enrollment(&RemoteControlEnrollmentRecord {                websocket_url: remote_control_target.websocket_url.clone(),                account_id: account_id.to_string(),                app_server_client_name: app_server_client_name.map(str::to_string),                server_id: enrollment.server_id.clone(),                environment_id: enrollment.environment_id.clone(),                server_name: enrollment.server_name.clone(),                remote_control_enabled,            })            .await            .map_err(io::Error::other)?;        info!(            "persisted remote control enrollment: websocket_url={}, account_id={}, app_server_client_name={:?}, server_id={}, environment_id={}",            remote_control_target.websocket_url,            account_id,            app_server_client_name,            enrollment.server_id,            enrollment.environment_id        );        Ok(())    } else {        let rows_affected = state_db            .delete_remote_control_enrollment(                &remote_control_target.websocket_url,                account_id,                app_server_client_name,            )            .await            .map_err(io::Error::other)?;        info!(            "cleared persisted remote control enrollment: websocket_url={}, account_id={}, app_server_client_name={:?}, rows_affected={rows_affected}",            remote_control_target.websocket_url, account_id, app_server_client_name        );        Ok(())    }}pub(crate) fn preview_remote_control_response_body(body: &[u8]) -> String {    let body = String::from_utf8_lossy(body);    let trimmed = body.trim();    if trimmed.is_empty() {        return "<empty>".to_string();    }    let redacted = redact_remote_control_response_body(trimmed);    if redacted.len() <= REMOTE_CONTROL_RESPONSE_BODY_MAX_BYTES {        return redacted;    }    let mut cut = REMOTE_CONTROL_RESPONSE_BODY_MAX_BYTES;    while !redacted.is_char_boundary(cut) {        cut = cut.saturating_sub(1);    }    let mut truncated = redacted[..cut].to_string();    truncated.push_str("...");    truncated}fn redact_remote_control_response_body(body: &str) -> String {    let Ok(mut body_json) = serde_json::from_str::<serde_json::Value>(body) else {        return body.to_string();    };    let Some(body_object) = body_json.as_object_mut() else {        return body.to_string();    };    for sensitive_field in [        "remote_control_token",        "pairing_code",        "manual_pairing_code",    ] {        if let Some(value) = body_object.get_mut(sensitive_field) {            *value = serde_json::Value::String("<redacted>".to_string());        }    }    body_json.to_string()}pub(crate) fn format_headers(headers: &HeaderMap) -> String {    let request_id_str = headers        .get(REQUEST_ID_HEADER)        .or_else(|| headers.get(OAI_REQUEST_ID_HEADER))        .map(|value| value.to_str().unwrap_or("<invalid utf-8>").to_owned())        .unwrap_or_else(|| "<none>".to_owned());    let cf_ray_str = headers        .get(CF_RAY_HEADER)        .map(|value| value.to_str().unwrap_or("<invalid utf-8>").to_owned())        .unwrap_or_else(|| "<none>".to_owned());    format!("request-id: {request_id_str}, cf-ray: {cf_ray_str}")}pub(super) async fn enroll_remote_control_server(    remote_control_target: &RemoteControlTarget,    auth: &RemoteControlConnectionAuth,    installation_id: &str,    server_name: &str,) -> io::Result<RemoteControlEnrollment> {    let enroll_url = &remote_control_target.enroll_url;    let request = EnrollRemoteServerRequest {        name: server_name.to_string(),        os: std::env::consts::OS,        arch: std::env::consts::ARCH,        app_server_version: env!("CARGO_PKG_VERSION"),        installation_id: installation_id.to_string(),    };    let enrollment_response = send_remote_control_server_request::<_, EnrollRemoteServerResponse>(        enroll_url,        auth,        installation_id,        &request,        "enroll",        "server enrollment",    )    .await?;    let mut enrollment = RemoteControlEnrollment {        remote_control_target: remote_control_target.clone(),        account_id: auth.account_id.clone(),        environment_id: enrollment_response.environment_id,        server_id: enrollment_response.server_id,        server_name: server_name.to_string(),        remote_control_token: None,        expires_at: None,    };    update_remote_control_server_token(        &mut enrollment,        enroll_url,        enrollment_response.remote_control_token,        enrollment_response.expires_at,    )?;    Ok(enrollment)}pub(super) async fn refresh_remote_control_server(    auth: &RemoteControlConnectionAuth,    installation_id: &str,    enrollment: &mut RemoteControlEnrollment,) -> io::Result<()> {    let refresh_url = enrollment.remote_control_target.refresh_url.clone();    let request = RefreshRemoteServerRequest {        server_id: enrollment.server_id.clone(),        installation_id: installation_id.to_string(),    };    let refreshed = send_remote_control_server_request::<_, EnrollRemoteServerResponse>(        &refresh_url,        auth,        installation_id,        &request,        "refresh",        "server refresh",    )    .await?;    if refreshed.server_id != enrollment.server_id        || refreshed.environment_id != enrollment.environment_id    {        return Err(io::Error::other(format!(            "remote control server refresh returned mismatched enrollment: expected server_id={}, environment_id={}; got server_id={}, environment_id={}",            enrollment.server_id,            enrollment.environment_id,            refreshed.server_id,            refreshed.environment_id        )));    }    update_remote_control_server_token(        enrollment,        &refresh_url,        refreshed.remote_control_token,        refreshed.expires_at,    )}async fn send_remote_control_server_request<Request, Response>(    url: &str,    auth: &RemoteControlConnectionAuth,    installation_id: &str,    request: &Request,    action: &str,    response_kind: &str,) -> io::Result<Response>where    Request: Serialize,    Response: DeserializeOwned,{    let client = build_reqwest_client();    let mut auth_headers = HeaderMap::new();    auth.auth_provider.add_auth_headers(&mut auth_headers);    let response = client        .post(url)        .timeout(REMOTE_CONTROL_ENROLL_TIMEOUT)        .headers(auth_headers)        .header(REMOTE_CONTROL_ACCOUNT_ID_HEADER, &auth.account_id)        .header(REMOTE_CONTROL_INSTALLATION_ID_HEADER, installation_id)        .json(request)        .send()        .await        .map_err(|err| {            io::Error::other(format!(                "failed to {action} remote control server at `{url}`: {err}"            ))        })?;    let headers = response.headers().clone();    let status = response.status();    let body = response.bytes().await.map_err(|err| {        io::Error::other(format!(            "failed to read remote control {response_kind} response from `{url}`: {err}"        ))    })?;    let body_preview = preview_remote_control_response_body(&body);    if !status.is_success() {        let headers_str = format_headers(&headers);        let error_kind = match status.as_u16() {            401 | 403 => ErrorKind::PermissionDenied,            404 => ErrorKind::NotFound,            _ => ErrorKind::Other,        };        return Err(io::Error::new(            error_kind,            format!(                "remote control {response_kind} failed at `{url}`: HTTP {status}, {headers_str}, body: {body_preview}"            ),        ));    }    serde_json::from_slice::<Response>(&body).map_err(|err| {        let headers_str = format_headers(&headers);        io::Error::other(format!(            "failed to parse remote control {response_kind} response from `{url}`: HTTP {status}, {headers_str}, body: {body_preview}, decode error: {err}"        ))    })}fn update_remote_control_server_token(    enrollment: &mut RemoteControlEnrollment,    url: &str,    token: String,    expires_at: String,) -> io::Result<()> {    let expires_at = OffsetDateTime::parse(&expires_at, &Rfc3339).map_err(|err| {        io::Error::other(format!(            "failed to parse remote control server token expiry from `{url}`: {err}"        ))    })?;    enrollment.remote_control_token = Some(token);    enrollment.expires_at = Some(expires_at);    Ok(())}#[cfg(test)]mod tests {    use super::*;    use crate::transport::remote_control::protocol::normalize_remote_control_url;    use codex_state::StateRuntime;    use pretty_assertions::assert_eq;    use serde_json::json;    use std::sync::Arc;    use tempfile::TempDir;    use tokio::io::AsyncBufReadExt;    use tokio::io::AsyncWriteExt;    use tokio::io::BufReader;    use tokio::net::TcpListener;    use tokio::net::TcpStream;    use tokio::time::Duration;    use tokio::time::timeout;    async fn remote_control_state_runtime(codex_home: &TempDir) -> Arc<StateRuntime> {        StateRuntime::init(codex_home.path().to_path_buf(), "test-provider".to_string())            .await            .expect("state runtime should initialize")    }    #[test]    fn remote_control_enrollment_refreshes_server_token_before_expiry() {        let expires_soon = RemoteControlEnrollment {            remote_control_target: normalize_remote_control_url("http://localhost/backend-api/")                .expect("target should normalize"),            account_id: "account-a".to_string(),            environment_id: "env_first".to_string(),            server_id: "srv_e_first".to_string(),            server_name: "first-server".to_string(),            remote_control_token: Some("expires-soon".to_string()),            expires_at: Some(OffsetDateTime::now_utc() + time::Duration::seconds(29)),        };        let expires_later = RemoteControlEnrollment {            expires_at: Some(OffsetDateTime::now_utc() + time::Duration::seconds(31)),            remote_control_token: Some("expires-later".to_string()),            ..expires_soon.clone()        };        assert!(expires_soon.should_refresh_server_token());        assert!(!expires_later.should_refresh_server_token());    }    #[test]    fn preview_remote_control_response_body_redacts_server_token() {        assert_eq!(            serde_json::from_str::<serde_json::Value>(&preview_remote_control_response_body(                br#"{"server_id":"srv_e_test","remote_control_token":"secret","pairing_code":"pairing-code","manual_pairing_code":"ABCD-EFGH"}"#            ))            .expect("redacted response preview should stay valid json"),            json!({                "server_id": "srv_e_test",                "remote_control_token": "<redacted>",                "pairing_code": "<redacted>",                "manual_pairing_code": "<redacted>",            })        );    }    #[tokio::test]    async fn persisted_remote_control_enrollment_round_trips_by_target_and_account() {        let codex_home = TempDir::new().expect("temp dir should create");        let state_db = remote_control_state_runtime(&codex_home).await;        let first_target = normalize_remote_control_url("https://chatgpt.com/remote/control")            .expect("first target should parse");        let second_target =            normalize_remote_control_url("https://api.chatgpt-staging.com/other/control")                .expect("second target should parse");        let first_enrollment = RemoteControlEnrollment {            remote_control_target: first_target.clone(),            account_id: "account-a".to_string(),            environment_id: "env_first".to_string(),            server_id: "srv_e_first".to_string(),            server_name: "first-server".to_string(),            remote_control_token: None,            expires_at: None,        };        let second_enrollment = RemoteControlEnrollment {            remote_control_target: second_target.clone(),            account_id: "account-a".to_string(),            environment_id: "env_second".to_string(),            server_id: "srv_e_second".to_string(),            server_name: "second-server".to_string(),            remote_control_token: None,            expires_at: None,        };        update_persisted_remote_control_enrollment(            Some(state_db.as_ref()),            &first_target,            "account-a",            Some("desktop-client"),            Some(&first_enrollment),            /*remote_control_enabled*/ None,        )        .await        .expect("first enrollment should persist");        update_persisted_remote_control_enrollment(            Some(state_db.as_ref()),            &second_target,            "account-a",            Some("desktop-client"),            Some(&second_enrollment),            /*remote_control_enabled*/ None,        )        .await        .expect("second enrollment should persist");        assert_eq!(            load_persisted_remote_control_enrollment(                Some(state_db.as_ref()),                &first_target,                "account-a",                Some("desktop-client"),            )            .await            .expect("first enrollment should load"),            Some(first_enrollment.clone())        );        assert_eq!(            load_persisted_remote_control_enrollment(                Some(state_db.as_ref()),                &first_target,                "account-b",                Some("desktop-client"),            )            .await            .expect("missing account should load"),            None        );        assert_eq!(            load_persisted_remote_control_enrollment(                Some(state_db.as_ref()),                &second_target,                "account-a",                Some("desktop-client"),            )            .await            .expect("second enrollment should load"),            Some(second_enrollment)        );    }    #[tokio::test]    async fn clearing_persisted_remote_control_enrollment_removes_only_matching_entry() {        let codex_home = TempDir::new().expect("temp dir should create");        let state_db = remote_control_state_runtime(&codex_home).await;        let first_target = normalize_remote_control_url("https://chatgpt.com/remote/control")            .expect("first target should parse");        let second_target =            normalize_remote_control_url("https://api.chatgpt-staging.com/other/control")                .expect("second target should parse");        let first_enrollment = RemoteControlEnrollment {            remote_control_target: first_target.clone(),            account_id: "account-a".to_string(),            environment_id: "env_first".to_string(),            server_id: "srv_e_first".to_string(),            server_name: "first-server".to_string(),            remote_control_token: None,            expires_at: None,        };        let second_enrollment = RemoteControlEnrollment {            remote_control_target: second_target.clone(),            account_id: "account-a".to_string(),            environment_id: "env_second".to_string(),            server_id: "srv_e_second".to_string(),            server_name: "second-server".to_string(),            remote_control_token: None,            expires_at: None,        };        update_persisted_remote_control_enrollment(            Some(state_db.as_ref()),            &first_target,            "account-a",            /*app_server_client_name*/ None,            Some(&first_enrollment),            /*remote_control_enabled*/ None,        )        .await        .expect("first enrollment should persist");        update_persisted_remote_control_enrollment(            Some(state_db.as_ref()),            &second_target,            "account-a",            /*app_server_client_name*/ None,            Some(&second_enrollment),            /*remote_control_enabled*/ None,        )        .await        .expect("second enrollment should persist");        update_persisted_remote_control_enrollment(            Some(state_db.as_ref()),            &first_target,            "account-a",            /*app_server_client_name*/ None,            /*enrollment*/ None,            /*remote_control_enabled*/ None,        )        .await        .expect("matching enrollment should clear");        assert_eq!(            load_persisted_remote_control_enrollment(                Some(state_db.as_ref()),                &first_target,                "account-a",                /*app_server_client_name*/ None,            )            .await            .expect("cleared enrollment should load"),            None        );        assert_eq!(            load_persisted_remote_control_enrollment(                Some(state_db.as_ref()),                &second_target,                "account-a",                /*app_server_client_name*/ None,            )            .await            .expect("remaining enrollment should load"),            Some(second_enrollment)        );    }    #[tokio::test]    async fn enroll_remote_control_server_parse_failure_includes_response_body() {        let listener = TcpListener::bind("127.0.0.1:0")            .await            .expect("listener should bind");        let remote_control_url = format!(            "http://127.0.0.1:{}/backend-api/",            listener                .local_addr()                .expect("listener should have a local addr")                .port()        );        let remote_control_target =            normalize_remote_control_url(&remote_control_url).expect("target should parse");        let enroll_url = remote_control_target.enroll_url.clone();        let response_body = json!({            "server_id": "srv_e_test",            "environment_id": "env_test",        });        let expected_body = response_body.to_string();        let server_task = tokio::spawn(async move {            let stream = accept_http_request(&listener).await;            respond_with_json(stream, response_body).await;        });        let err = enroll_remote_control_server(            &remote_control_target,            &RemoteControlConnectionAuth {                auth_provider: codex_model_provider::unauthenticated_auth_provider(),                account_id: "account_id".to_string(),            },            "11111111-1111-4111-8111-111111111111",            "test-server",        )        .await        .expect_err("invalid response should fail to parse");        server_task.await.expect("server task should succeed");        assert_eq!(            err.to_string(),            format!(                "failed to parse remote control server enrollment response from `{enroll_url}`: HTTP 200 OK, request-id: <none>, cf-ray: <none>, body: {expected_body}, decode error: missing field `remote_control_token` at line 1 column {}",                expected_body.len()            )        );    }    async fn accept_http_request(listener: &TcpListener) -> TcpStream {        let (stream, _) = timeout(Duration::from_secs(5), listener.accept())            .await            .expect("HTTP request should arrive in time")            .expect("listener accept should succeed");        let mut reader = BufReader::new(stream);        let mut request_line = String::new();        reader            .read_line(&mut request_line)            .await            .expect("request line should read");        loop {            let mut line = String::new();            reader                .read_line(&mut line)                .await                .expect("header line should read");            if line == "\r\n" {                break;            }        }        reader.into_inner()    }    async fn respond_with_json(mut stream: TcpStream, body: serde_json::Value) {        let body = body.to_string();        let response = format!(            "HTTP/1.1 200 OK\r\ncontent-type: application/json\r\ncontent-length: {}\r\nconnection: close\r\n\r\n{body}",            body.len()        );        stream            .write_all(response.as_bytes())            .await            .expect("response should write");        stream.flush().await.expect("response should flush");    }}