LIVE|CLI v0.144.0·model GPT-5.6 Sol·verified 2026-07-09
Codex Insider
The unofficial wire for OpenAI Codex.
config.toml key

features.network_proxy

default: false

Published Jul 15, 2026 · Verified against the official config docs

What it does

An experimental switch that routes a sandboxed session's outbound traffic through a local proxy so you can allow or deny it per-domain. Off by default. Set `features.network_proxy = true` for a plain on/off, or use the table form to write domain rules, control the SOCKS5 listeners, and pick which Unix sockets the agent can reach. Deny always wins over allow.

Values

features.network_proxy takes two shapes. The short form is a boolean, features.network_proxy = true, which flips sandboxed networking on with defaults. The table form lets you write actual policy. Sub-keys and their defaults:

Key Default What it does
enabled false Master on/off for the sandbox proxy
domains unset Map of pattern = "allow" / "deny"
unix_sockets unset Map of socket path to allow / deny
proxy_url http://127.0.0.1:3128 HTTP/CONNECT listener
socks_url http://127.0.0.1:8081 SOCKS5 listener
enable_socks5 true Expose SOCKS5
enable_socks5_udp true UDP over SOCKS5
allow_local_binding false Permit RFC-1918 / localhost targets
allow_upstream_proxy true Chain through your HTTPS_PROXY
dangerously_allow_all_unix_sockets false Drop the socket allowlist
dangerously_allow_non_loopback_proxy false Bind the proxy off loopback

Domain patterns match four ways: an exact host, *.example.com for direct subdomains, **.example.com for the apex plus every nested subdomain, and a bare * for everything else (pattern rules).

[features.network_proxy]
enabled = true

[features.network_proxy.domains]
"registry.npmjs.org" = "allow"
"*.github.com" = "allow"
"*" = "deny"

The same keys live per-profile under permissions.<name>.network.*, so a named profile can carry its own allowlist.

When to change it

Turn it on when you want the agent online but fenced. Allow the npm and GitHub hosts a build genuinely needs and deny the rest. Hand a container job the Docker socket through unix_sockets. Lock an untrusted repo to "*" = "deny" so nothing it runs can phone home.

Gotchas

Deny beats allow. If a host matches both an allow and a deny rule, the proxy blocks it (deny always wins).

Limited mode drops writes. It blocks POST/PUT/DELETE at the proxy and turns SOCKS5 off completely, because the proxy can’t read an encrypted tunnel to confirm a request is read-only.

Enforcement has an open bug. As of CLI 0.117.0 the managed proxy isn’t applied under codex exec or interactive runs with -s workspace-write, so blocked domains still come back 200 (#16242). Test your policy against a domain you know should be denied before you trust it.

MITM/TLS termination needs the generated CA cert installed in the sandbox trust store, which is a real trust escalation. Leave allow_local_binding at false unless you have to change it; the default blocks private-range targets to stop DNS rebinding.

Sources