OpenTelemetry events (#2103)

### Title

## otel

Codex can emit [OpenTelemetry](https://opentelemetry.io/) **log events**
that
describe each run: outbound API requests, streamed responses, user
input,
tool-approval decisions, and the result of every tool invocation. Export
is
**disabled by default** so local runs remain self-contained. Opt in by
adding an
`[otel]` table and choosing an exporter.

```toml
[otel]
environment = "staging"   # defaults to "dev"
exporter = "none"          # defaults to "none"; set to otlp-http or otlp-grpc to send events
log_user_prompt = false    # defaults to false; redact prompt text unless explicitly enabled
```

Codex tags every exported event with `service.name = "codex-cli"`, the
CLI
version, and an `env` attribute so downstream collectors can distinguish
dev/staging/prod traffic. Only telemetry produced inside the
`codex_otel`
crate—the events listed below—is forwarded to the exporter.

### Event catalog

Every event shares a common set of metadata fields: `event.timestamp`,
`conversation.id`, `app.version`, `auth_mode` (when available),
`user.account_id` (when available), `terminal.type`, `model`, and
`slug`.

With OTEL enabled Codex emits the following event types (in addition to
the
metadata above):

- `codex.api_request`
  - `cf_ray` (optional)
  - `attempt`
  - `duration_ms`
  - `http.response.status_code` (optional)
  - `error.message` (failures)
- `codex.sse_event`
  - `event.kind`
  - `duration_ms`
  - `error.message` (failures)
  - `input_token_count` (completion only)
  - `output_token_count` (completion only)
  - `cached_token_count` (completion only, optional)
  - `reasoning_token_count` (completion only, optional)
  - `tool_token_count` (completion only)
- `codex.user_prompt`
  - `prompt_length`
  - `prompt` (redacted unless `log_user_prompt = true`)
- `codex.tool_decision`
  - `tool_name`
  - `call_id`
- `decision` (`approved`, `approved_for_session`, `denied`, or `abort`)
  - `source` (`config` or `user`)
- `codex.tool_result`
  - `tool_name`
  - `call_id`
  - `arguments`
  - `duration_ms` (execution time for the tool)
  - `success` (`"true"` or `"false"`)
  - `output`

### Choosing an exporter

Set `otel.exporter` to control where events go:

- `none` – leaves instrumentation active but skips exporting. This is
the
  default.
- `otlp-http` – posts OTLP log records to an OTLP/HTTP collector.
Specify the
  endpoint, protocol, and headers your collector expects:

  ```toml
  [otel]
  exporter = { otlp-http = {
    endpoint = "https://otel.example.com/v1/logs",
    protocol = "binary",
    headers = { "x-otlp-api-key" = "${OTLP_TOKEN}" }
  }}
  ```

- `otlp-grpc` – streams OTLP log records over gRPC. Provide the endpoint
and any
  metadata headers:

  ```toml
  [otel]
  exporter = { otlp-grpc = {
    endpoint = "https://otel.example.com:4317",
    headers = { "x-otlp-meta" = "abc123" }
  }}
  ```

If the exporter is `none` nothing is written anywhere; otherwise you
must run or point to your
own collector. All exporters run on a background batch worker that is
flushed on
shutdown.

If you build Codex from source the OTEL crate is still behind an `otel`
feature
flag; the official prebuilt binaries ship with the feature enabled. When
the
feature is disabled the telemetry hooks become no-ops so the CLI
continues to
function without the extra dependencies.

---------

Co-authored-by: Anton Panasenko <apanasenko@openai.com>

codex-rs/core/src/safety.rs

@@ -15,9 +15,14 @@ use crate::protocol::SandboxPolicy;
 
 #[derive(Debug, PartialEq)]
 pub enum SafetyCheck {
-    AutoApprove { sandbox_type: SandboxType },
+    AutoApprove {
+        sandbox_type: SandboxType,
+        user_explicitly_approved: bool,
+    },
     AskUser,
-    Reject { reason: String },
+    Reject {
+        reason: String,
+    },
 }
 
 pub fn assess_patch_safety(
@@ -54,12 +59,16 @@ pub fn assess_patch_safety(
         // fall back to asking the user because the patch may touch arbitrary
         // paths outside the project.
         match get_platform_sandbox() {
-            Some(sandbox_type) => SafetyCheck::AutoApprove { sandbox_type },
+            Some(sandbox_type) => SafetyCheck::AutoApprove {
+                sandbox_type,
+                user_explicitly_approved: false,
+            },
             None if sandbox_policy == &SandboxPolicy::DangerFullAccess => {
                 // If the user has explicitly requested DangerFullAccess, then
                 // we can auto-approve even without a sandbox.
                 SafetyCheck::AutoApprove {
                     sandbox_type: SandboxType::None,
+                    user_explicitly_approved: false,
                 }
             }
             None => SafetyCheck::AskUser,
@@ -118,6 +127,7 @@ pub fn assess_command_safety(
     if is_known_safe_command(command) || approved.contains(command) {
         return SafetyCheck::AutoApprove {
             sandbox_type: SandboxType::None,
+            user_explicitly_approved: false,
         };
     }
 
@@ -143,13 +153,17 @@ pub(crate) fn assess_safety_for_untrusted_command(
         | (Never, DangerFullAccess)
         | (OnRequest, DangerFullAccess) => SafetyCheck::AutoApprove {
             sandbox_type: SandboxType::None,
+            user_explicitly_approved: false,
         },
         (OnRequest, ReadOnly) | (OnRequest, WorkspaceWrite { .. }) => {
             if with_escalated_permissions {
                 SafetyCheck::AskUser
             } else {
                 match get_platform_sandbox() {
-                    Some(sandbox_type) => SafetyCheck::AutoApprove { sandbox_type },
+                    Some(sandbox_type) => SafetyCheck::AutoApprove {
+                        sandbox_type,
+                        user_explicitly_approved: false,
+                    },
                     // Fall back to asking since the command is untrusted and
                     // we do not have a sandbox available
                     None => SafetyCheck::AskUser,
@@ -161,7 +175,10 @@ pub(crate) fn assess_safety_for_untrusted_command(
         | (OnFailure, ReadOnly)
         | (OnFailure, WorkspaceWrite { .. }) => {
             match get_platform_sandbox() {
-                Some(sandbox_type) => SafetyCheck::AutoApprove { sandbox_type },
+                Some(sandbox_type) => SafetyCheck::AutoApprove {
+                    sandbox_type,
+                    user_explicitly_approved: false,
+                },
                 None => {
                     if matches!(approval_policy, OnFailure) {
                         // Since the command is not trusted, even though the
@@ -362,7 +379,8 @@ mod tests {
         assert_eq!(
             safety_check,
             SafetyCheck::AutoApprove {
-                sandbox_type: SandboxType::None
+                sandbox_type: SandboxType::None,
+                user_explicitly_approved: false,
             }
         );
     }
@@ -409,7 +427,10 @@ mod tests {
         );
 
         let expected = match get_platform_sandbox() {
-            Some(sandbox_type) => SafetyCheck::AutoApprove { sandbox_type },
+            Some(sandbox_type) => SafetyCheck::AutoApprove {
+                sandbox_type,
+                user_explicitly_approved: false,
+            },
             None => SafetyCheck::AskUser,
         };
         assert_eq!(safety_check, expected);