[codex] Add danger-full-access denylist-only network mode #16946
Merged
viyatb-oai merged 2 commits into main on Apr 7, 2026
Co-authored-by: Codex noreply@openai.com
f846f53 to 4df276f
rreichel3-oai approved these changes, Apr 7, 2026
Summary
This adds experimental_network.danger_full_access_denylist_only for orgs that want yolo / danger-full-access sessions to keep full network access while still enforcing centrally managed deny rules.
When the flag is true and the session sandbox is danger-full-access, the network proxy starts with:
*
deny entries enforced
Caveat: the denylist is best effort only. In yolo / danger-full-access mode, Codex or the model can use an allowed socket or other local/private network path to bypass the proxy denylist, so this should not be treated as a hard security boundary.
The flag is intentionally scoped to SandboxPolicy::DangerFullAccess. Read-only and workspace-write modes keep the existing managed/user allowlist, denylist, Unix socket, and local-binding behavior. This does not enable the non-loopback proxy listener setting; that still requires its own explicit config.
This also threads the new field through config requirements parsing, app-server protocol/schema output, config API mapping, and the TUI debug config output.
How to use
Add the flag under [experimental_network] in the network policy config that is delivered to Codex. The setting is not under [permissions].
With that configuration, yolo / danger-full-access sessions get broad network access except for the managed denied domains above. The denylist remains a best-effort proxy policy because the session may still use allowed sockets to bypass it. Other sandbox modes do not get the wildcard domain allowlist or the socket/local-binding relaxations from this flag.
Verification
cargo test -p codex-config network_requirements
cargo test -p codex-core network_proxy_spec
cargo test -p codex-app-server map_requirements_toml_to_api
cargo test -p codex-tui debug_config_output
cargo test -p codex-app-server-protocol
just write-app-server-schema
just fmt
just fix -p codex-config -p codex-core -p codex-app-server-protocol -p codex-app-server -p codex-tui
just fix -p codex-core -p codex-config
git diff --check
cargo clean
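A simplified model of the scoping described in the summary, added here as an illustration and not taken from the Codex code base: the helper names, the deny-before-allow order, and the pattern-matching rules are assumptions, and the sample domains are constructed. It only models requests that actually reach the proxy, which is why the summary calls the denylist best effort.

```rust
// Added illustration: a simplified model of the described behaviour, not Codex source.
#[derive(Clone, Copy, PartialEq, Debug)]
enum SandboxPolicy { ReadOnly, WorkspaceWrite, DangerFullAccess }

#[derive(PartialEq, Debug)]
enum Decision { Allow, Deny }

struct ProxyPolicy { allow: Vec<String>, deny: Vec<String> }

// Assumed pattern rules: "*" matches any host, "*.example.com" matches
// subdomains only, anything else must match exactly (case-insensitive).
fn matches(pattern: &str, host: &str) -> bool {
    let p = pattern.to_ascii_lowercase();
    let h = host.trim_end_matches('.').to_ascii_lowercase();
    if p == "*" { return true; }
    match p.strip_prefix("*.") {
        Some(suffix) => h.strip_suffix(suffix)
            .and_then(|rest| rest.strip_suffix('.'))
            .map_or(false, |label| !label.is_empty()),
        None => p == h,
    }
}

// The wildcard allowlist is applied only when the flag is set AND the session
// is DangerFullAccess; other modes keep the managed allowlist unchanged.
fn effective_policy(sandbox: SandboxPolicy, denylist_only: bool,
                    managed_allow: &[&str], managed_deny: &[&str]) -> ProxyPolicy {
    let allow = if denylist_only && sandbox == SandboxPolicy::DangerFullAccess {
        vec!["*".to_string()]
    } else {
        managed_allow.iter().map(|s| s.to_string()).collect()
    };
    ProxyPolicy { allow, deny: managed_deny.iter().map(|s| s.to_string()).collect() }
}

// Assumption: deny entries win over allow entries, including the wildcard.
fn decide(policy: &ProxyPolicy, host: &str) -> Decision {
    if policy.deny.iter().any(|p| matches(p, host)) { return Decision::Deny; }
    if policy.allow.iter().any(|p| matches(p, host)) { Decision::Allow } else { Decision::Deny }
}

fn main() {
    // Constructed sample entries, not taken from the PR.
    let (allow, deny) = (["api.example.com"], ["*.blocked.example"]);
    for sandbox in [SandboxPolicy::ReadOnly, SandboxPolicy::WorkspaceWrite, SandboxPolicy::DangerFullAccess] {
        let policy = effective_policy(sandbox, true, &allow, &deny);
        for host in ["docs.example.org", "cdn.blocked.example"] {
            println!("{:?} {}: {:?}", sandbox, host, decide(&policy, host));
        }
    }
}
```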