Critical: VS Code Codex extension blocks network access and returns persistent sandbox errors even with danger-full-access #5041

@alfonsoalongi

What version of Codex is running?

official VS Code extension only (CLI not installed) version 0.4.19 latest stable

Which model were you using?

gpt-5-codex

What platform is your computer?

Linux 5.14.0-570.49.1.el9_6.x86_64 x86_64 x86_64

What steps can reproduce the bug?

  1. Install and enable the official VS Code extension "Codex – OpenAI’s coding agent" (identifier openai.chatgpt, version 0.4.19) from the VS Code Marketplace.
  2. On AlmaLinux 9 (x86_64), create the configuration file below in ~/.codex/config.toml.
  3. Restart VS Code to ensure the configuration is loaded.
  4. Interact normally with Codex (e.g., request code execution, troubleshooting, or diagnostics).
    During its internal workflow, Codex autonomously performs networked operations such as downloading resources, verifying URLs, or invoking internal tool calls.
    These internal network tasks fail even under full permission settings.

Configuration file

approval_policy = "never"
sandbox_mode = "danger-full-access"
model = "gpt-5-codex"
model_reasoning_effort = "medium"

[sandbox_workspace_write]
network_access = true

What is the expected behavior?

When configured with sandbox_mode="danger-full-access" and network_access=true,
Codex should be able to perform all internal network and HTTP operations without restrictions.

Expected behavior includes:

  • Successful resolution of external hosts and URLs (e.g., via curl or similar internal requests).
  • Stable communication with internal modules and tool calls that depend on network access.
  • Consistent completion of workflows that involve fetching, validating, or transmitting data.
  • No “failed in sandbox”, “operation not permitted”, or “network inaccessible” errors during normal autonomous reasoning.

Maintaining unrestricted network access is also essential for Codex’s reasoning quality and autonomy.
When the model can freely perform its own internal network operations, it maintains coherent reasoning,
executes full multi-step workflows, and preserves reliability and self-correction.
Any restriction or sandbox interference directly causes reasoning degradation, refusal of valid tasks,
and overall performance regression.

What do you see instead?

Codex autonomously executes network-related operations as part of its reasoning process and internal tool workflow (not user-invoked commands).
These internal tool calls frequently fail with sandbox or network restriction errors, despite full permissions being enabled.

Typical output from internal tasks:

failed in sandbox: curl: (6) Could not resolve host: raw.githubusercontent.com
tool call error: tool call failed for network scan module
tool call error: tool call failed for command execution task

These failures occur randomly during normal assistant workflows, even for simple network actions like fetching files, verifying endpoints, or scanning local resources.
The assistant frequently reports that it cannot complete tasks due to network inaccessibility or sandbox limitations.

In repeated tests, all network interfaces fail and internal wrappers consistently return “tool call failed”.

Summary from logged sessions:

| Step | Result | Operation | Note |
|------|--------|-----------|------|
| A1 | FAIL | network scan | internal module returned “tool call failed” |
| A2 | FAIL | retry | repeated failure under same conditions |
| B | FAIL | fetch | resource not retrieved due to sandbox/network restriction |

No network task succeeds under these conditions.
Intermediate messages and logs often disappear because the sandbox rejects internal tool calls or HTTP requests.

Additional information

Environment

  • VS Code extension: "Codex – OpenAI’s coding agent" (openai.chatgpt)
  • Version: 0.4.19 (VS Code Marketplace)
  • OS: AlmaLinux 9 (x86_64)
  • VS Code: latest stable (Microsoft RPM repository)
  • ChatGPT plan: Plus
  • Model: gpt-5-codex
  • CLI: Not installed
  • Configuration file: ~/.codex/config.toml

Behavioral notes

  • File editing works normally after the first approval (not related to this bug).
  • Shell commands are executed by the extension via bash -lc '<command>'.
  • DNS resolution and HTTP requests fail systematically, even under full danger access.
  • Network access flag appears to be ignored.
  • Continuous sandbox and network restriction errors, including random internal tool call failures and wrapper execution errors.
  • The problem persists across sessions and restarts.

Degradation impact

The absence of real network access has a direct and measurable impact on Codex’s reasoning quality and behavior.

When the sandbox prevents internal HTTP or tool calls, the model begins to:

  • Refuse to execute valid tasks that depend on remote information.
  • Produce incomplete reasoning or stop early without justification.
  • Fall back to incorrect assumptions or partial outputs.
  • Loop over retries or display degraded autonomy when multi-step workflows are required.

This behavior shows that the sandbox network layer is interfering not only with external connectivity,
but also with Codex’s internal reasoning and execution loop.
As a result, the assistant’s overall performance deteriorates even in otherwise simple tasks,
causing visible regression in accuracy, reliability, and self-correction.

Request

Please investigate the network policy handling in the extension’s sandbox and internal tool invocation layers.
Even with explicit “danger-full-access”, DNS resolution, HTTP requests, and internally generated tool calls are being blocked.
This appears to be a regression in how the VS Code extension enforces or propagates network permissions during Codex’s autonomous workflows.
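
A triage sketch for the failure quoted above, added here as an example; it is not code from the issue author or from the Codex project. It pulls the curl exit code out of an error line and pairs it with the `Seccomp` and `NoNewPrivs` fields of `/proc/<pid>/status` for the spawned shell, to separate "the host resolver is broken" from "the process is still kernel-confined". The function names are hypothetical, the sample inputs are constructed, and treating those two flags as a sign of an active sandbox is an assumption, since the issue does not say how the sandbox is enforced.

```shell
#!/bin/sh
# Added example: triage helper for "failed in sandbox: curl: (N) ..." lines.
# Function names are hypothetical; sample data below is constructed.

# Extract the curl exit code from an error line, e.g. "curl: (6) ..." -> 6.
curl_code() {
  printf '%s\n' "$1" | sed -n 's/.*curl: (\([0-9][0-9]*\)).*/\1/p'
}

# Read one field (Seccomp, NoNewPrivs, ...) from /proc/<pid>/status on stdin.
status_field() {
  awk -v k="$1:" '$1 == k { print $2; exit }'
}

# $1 = error line, $2 = text of /proc/<pid>/status for the spawned shell.
# Prints "<failure kind>:<confined|unconfined>".
classify() {
  local code seccomp nnp kind
  code=$(curl_code "$1")
  seccomp=$(printf '%s\n' "$2" | status_field Seccomp)
  nnp=$(printf '%s\n' "$2" | status_field NoNewPrivs)
  case "$code" in
    6)  kind="dns" ;;       # curl: could not resolve host
    7)  kind="connect" ;;   # curl: failed to connect
    28) kind="timeout" ;;   # curl: operation timed out
    "") kind="unknown" ;;   # no curl code in the line (e.g. "tool call failed")
    *)  kind="other" ;;
  esac
  # Seccomp: 0 = off, 1 = strict, 2 = filter. Either flag is a hint, not proof,
  # that the shell is still kernel-confined (assumption, see lead-in).
  if [ "${seccomp:-0}" != "0" ] || [ "${nnp:-0}" = "1" ]; then
    echo "$kind:confined"
  else
    echo "$kind:unconfined"
  fi
}

# Constructed sample: the error line from the issue plus a made-up status text.
sample_line='failed in sandbox: curl: (6) Could not resolve host: raw.githubusercontent.com'
sample_status=$(printf 'Name:\tbash\nNoNewPrivs:\t1\nSeccomp:\t2\n')
classify "$sample_line" "$sample_status"

# Live use, from the same shell the extension spawns via bash -lc:
#   classify "$(curl -sS https://raw.githubusercontent.com 2>&1)" "$(cat /proc/$$/status)"
```

A `dns:unconfined` result points at the host's resolver configuration rather than at the extension; `dns:confined` is worth attaching to the report together with the raw `/proc` status text.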

Labels: extension (Issues related to the VS Code extension), sandbox (Issues related to permissions or sandboxing)