Problem
Codex v0.121.0 workflows are failing with 401 Unauthorized errors from OpenAI, and a secondary firewall signal shows chatgpt.com:443 is being blocked by AWF. Codex attempts to cache plugin IDs at chatgpt.com, and the firewall denying this connection may contribute to workflow degradation or auth flow failures.
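Context
gpt-5.3-codex 401 Unauthorized on api.openai.com, but the firewall is also blocking chatgpt.com:443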
Root Cause
AWF domain whitelisting (via Squid ACL generated in src/squid-config.ts) does not include chatgpt.com. Codex attempts to fetch plugin/model metadata from chatgpt.com as part of its startup; the CONNECT request to chatgpt.com:443 is denied with a 403 TCP_DENIED response from Squid.
The 401 on api.openai.com is likely a credential issue (expired/missing OPENAI_API_KEY), but the blocked chatgpt.com request is a distinct AWF firewall gap that should be addressed independently.
Proposed Solution
- Add chatgpt.com to the codex workflow's --allow-domains list in the workflow definition that invokes awf. This is the most targeted fix.
- Audit codex domain requirements: Run codex with --keep-containers and inspect squid-logs (sudo grep TCP_DENIED /tmp/squid-logs-*/access.log) to enumerate all domains codex contacts. Update the workflow's allow-list accordingly.
- Investigate OPENAI_API_KEY: Verify the repository secret is set, not expired, and scoped to the gpt-5.3-codex model / /v1/responses endpoint — this is the root cause of the 401 failures.
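An added example for the audit step above (not code from AWF or gh-aw): it reduces TCP_DENIED lines to a count per destination and a comma-separated candidate list to review before extending --allow-domains. The sample log is constructed, and the parser assumes only that the destination appears as a host:port token or an http(s) URL, since AWF's log field order is not shown here.

```bash
# Constructed sample in Squid's native access.log layout (not real AWF output).
SAMPLE_LOG='1700000000.101    250 172.30.0.20 TCP_TUNNEL/200 5120 CONNECT api.openai.com:443 - HIER_DIRECT/203.0.113.10 -
1700000001.202      0 172.30.0.20 TCP_DENIED/403 3900 CONNECT chatgpt.com:443 - HIER_NONE/- text/html
1700000002.303      0 172.30.0.20 TCP_DENIED/403 3900 CONNECT ChatGPT.com:443 - HIER_NONE/- text/html
1700000003.404      0 172.30.0.20 TCP_DENIED/403 3850 GET http://telemetry.example.invalid/v1/ping - HIER_NONE/- text/html'

# Reads access.log lines on stdin; prints "count host:port", most denied first.
denied_domains() {
  awk '
    /TCP_DENIED/ {
      for (i = 1; i <= NF; i++) {
        tok = tolower($i)              # hostnames are case-insensitive
        if (tok ~ /^https?:\/\//) {    # plain requests log a full URL
          port = (tok ~ /^https:/) ? 443 : 80
          sub(/^https?:\/\//, "", tok)
          sub(/\/.*$/, "", tok)
          if (tok !~ /:[0-9]+$/) tok = tok ":" port
        }
        # First host:port token whose host has a letter; this skips
        # client ip:port fields and timestamps regardless of field order.
        if (tok ~ /^[a-z0-9.-]+:[0-9]+$/ && tok ~ /[a-z]/) { print tok; break }
      }
    }' | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ print $1, $2 }'
}

# Prints unique denied hostnames as a comma-separated list. These are
# candidates to review one by one, not a list to paste into --allow-domains.
allowlist_candidates() {
  denied_domains | awk '{ sub(/:[0-9]+$/, "", $2); print $2 }' | sort -u | paste -sd, -
}

# On real logs: sudo cat /tmp/squid-logs-*/access.log | denied_domains
printf '%s\n' "$SAMPLE_LOG" | denied_domains
printf '%s\n' "$SAMPLE_LOG" | allowlist_candidates
```

Each candidate widens what the agent container can reach, so confirm a denied host is a real codex dependency before allowing it.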
Relevant files:
- src/squid-config.ts — generateSquidConfig() builds Squid ACL from --allow-domains
- src/docker-manager.ts — domain list passed via WrapperConfig.allowedDomains
- Workflow files invoking awf with codex engine (check .github/workflows/ in github/gh-aw)
Generated by Firewall Issue Dispatcher