features.network_proxy
falsePublished Jul 15, 2026 · Verified against the official config docs
An experimental switch that routes a sandboxed session's outbound traffic through a local proxy so you can allow or deny it per-domain. Off by default. Set `features.network_proxy = true` for a plain on/off, or use the table form to write domain rules, control the SOCKS5 listeners, and pick which Unix sockets the agent can reach. Deny always wins over allow.
Values
features.network_proxy takes two shapes. The short form is a boolean, features.network_proxy = true, which flips sandboxed networking on with defaults. The table form lets you write actual policy. Sub-keys and their defaults:
| Key | Default | What it does |
|---|---|---|
enabled |
false |
Master on/off for the sandbox proxy |
domains |
unset | Map of pattern = "allow" / "deny" |
unix_sockets |
unset | Map of socket path to allow / deny |
proxy_url |
http://127.0.0.1:3128 |
HTTP/CONNECT listener |
socks_url |
http://127.0.0.1:8081 |
SOCKS5 listener |
enable_socks5 |
true |
Expose SOCKS5 |
enable_socks5_udp |
true |
UDP over SOCKS5 |
allow_local_binding |
false |
Permit RFC-1918 / localhost targets |
allow_upstream_proxy |
true |
Chain through your HTTPS_PROXY |
dangerously_allow_all_unix_sockets |
false |
Drop the socket allowlist |
dangerously_allow_non_loopback_proxy |
false |
Bind the proxy off loopback |
Domain patterns match four ways: an exact host, *.example.com for direct subdomains, **.example.com for the apex plus every nested subdomain, and a bare * for everything else (pattern rules).
[features.network_proxy]
enabled = true
[features.network_proxy.domains]
"registry.npmjs.org" = "allow"
"*.github.com" = "allow"
"*" = "deny"
The same keys live per-profile under permissions.<name>.network.*, so a named profile can carry its own allowlist.
When to change it
Turn it on when you want the agent online but fenced. Allow the npm and GitHub hosts a build genuinely needs and deny the rest. Hand a container job the Docker socket through unix_sockets. Lock an untrusted repo to "*" = "deny" so nothing it runs can phone home.
Gotchas
Deny beats allow. If a host matches both an allow and a deny rule, the proxy blocks it (deny always wins).
Limited mode drops writes. It blocks POST/PUT/DELETE at the proxy and turns SOCKS5 off completely, because the proxy can’t read an encrypted tunnel to confirm a request is read-only.
Enforcement has an open bug. As of CLI 0.117.0 the managed proxy isn’t applied under codex exec or interactive runs with -s workspace-write, so blocked domains still come back 200 (#16242). Test your policy against a domain you know should be denied before you trust it.
MITM/TLS termination needs the generated CA cert installed in the sandbox trust store, which is a real trust escalation. Leave allow_local_binding at false unless you have to change it; the default blocks private-range targets to stop DNS rebinding.
Related settings
- /config/sandbox-mode/. The proxy only enforces inside a sandbox, and this key sets that sandbox.
- /config/approval-policy/. Governs what the agent is allowed to run before the network layer ever sees a request.