From bc457c918e5cdaf7e7fc3c3df1477dbfdcd6aa24 Mon Sep 17 00:00:00 2001 From: "Jiaxiao (mossaka) Zhou" Date: Wed, 4 Feb 2026 21:08:19 +0000 Subject: [PATCH 1/3] Fix Codex MCP Gateway connection by removing hardcoded IP The hardcoded IP 172.30.0.1 was added to work around perceived DNS resolution issues in Rust, but it broke Squid ACL matching because `dstdomain` ACLs only match domain names, not IP addresses. This change aligns Codex with how Claude already works successfully: - Remove 172.30.0.1 from CodexDefaultDomains - Use host.docker.internal directly in convert_gateway_config_codex.sh - Update tests to reflect the new domain list Co-Authored-By: Claude Opus 4.5 --- .github/workflows/smoke-codex.lock.yml | 4 ++-- .../setup/sh/convert_gateway_config_codex.sh | 11 ++--------- pkg/workflow/domains.go | 1 - pkg/workflow/domains_test.go | 17 ++++++++--------- 4 files changed, 12 insertions(+), 21 deletions(-) diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index ef5259062e..ae96c184f9 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml 
@@ -1500,7 +1500,7 @@ jobs: run: | set -o pipefail mkdir -p "$CODEX_HOME/logs" - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,172.30.0.1,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcp.tavily.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,playwright.download.prss.microsoft.com,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
'*.githubusercontent.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcp.tavily.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,playwright.download.prss.microsoft.com,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check "$INSTRUCTION"' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: 
@@ -1552,7 +1552,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,172.30.0.1,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" + GH_AW_ALLOWED_DOMAINS: 
"*.githubusercontent.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/actions/setup/sh/convert_gateway_config_codex.sh b/actions/setup/sh/convert_gateway_config_codex.sh index b89ac2fa2a..08a3175844 100755 --- a/actions/setup/sh/convert_gateway_config_codex.sh +++ b/actions/setup/sh/convert_gateway_config_codex.sh 
@@ -61,15 +61,8 @@ echo "Target domain: $MCP_GATEWAY_DOMAIN:$MCP_GATEWAY_PORT"
 # Note: URLs must use the correct domain (host.docker.internal) for container access
 # Build the correct URL prefix using the configured domain and port
-# For host.docker.internal, resolve to the gateway IP to avoid DNS resolution issues in Rust
-if [ "$MCP_GATEWAY_DOMAIN" = "host.docker.internal" ]; then
- # AWF network gateway IP is always 172.30.0.1
- RESOLVED_DOMAIN="172.30.0.1"
- echo "Resolving host.docker.internal to gateway IP: $RESOLVED_DOMAIN"
-else
- RESOLVED_DOMAIN="$MCP_GATEWAY_DOMAIN"
-fi
-URL_PREFIX="http://${RESOLVED_DOMAIN}:${MCP_GATEWAY_PORT}"
+# Use the domain directly (like Claude does) - Squid ACLs properly match domain names
+URL_PREFIX="http://${MCP_GATEWAY_DOMAIN}:${MCP_GATEWAY_PORT}"
 # Create the TOML configuration
 cat > /tmp/gh-aw/mcp-config/config.toml << 'TOML_EOF'
diff --git a/pkg/workflow/domains.go b/pkg/workflow/domains.go
index 0d942d6284..12d5e1009c 100644
--- a/pkg/workflow/domains.go
+++ b/pkg/workflow/domains.go
@@ -34,7 +34,6 @@ var CopilotDefaultDomains = []string{
 // CodexDefaultDomains are the minimal default domains required for Codex CLI operation
 var CodexDefaultDomains = []string{
- "172.30.0.1", // AWF gateway IP - Codex resolves host.docker.internal to this IP for Rust DNS compatibility
 "api.openai.com",
 "host.docker.internal",
 "openai.com",
diff --git a/pkg/workflow/domains_test.go b/pkg/workflow/domains_test.go
index b55a99d450..e8f6b31927 100644
--- a/pkg/workflow/domains_test.go
+++ b/pkg/workflow/domains_test.go
@@ -259,7 +259,6 @@ func TestCopilotDefaultDomains(t *testing.T) {
 func TestCodexDefaultDomains(t *testing.T) {
 // Verify that expected Codex domains are present
 expectedDomains := []string{
- "172.30.0.1", // AWF gateway IP - Codex resolves host.docker.internal to this IP
 "api.openai.com",
 "host.docker.internal",
 "openai.com",
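Review bot: In actions/setup/sh/convert_gateway_config_codex.sh the new `URL_PREFIX="http://${MCP_GATEWAY_DOMAIN}:${MCP_GATEWAY_PORT}"` line uses `MCP_GATEWAY_DOMAIN` verbatim, and nothing in the hunk checks that it is a hostname, so an IP-literal value would fail against the `dstdomain` ACLs the same way the removed `172.30.0.1` did, going by the commit message. I would state the constraint next to the assignment, `# MCP_GATEWAY_DOMAIN must be a hostname on the firewall allow list; IP literals are not matched by dstdomain ACLs`, and fail early on an empty or malformed value with `case "$MCP_GATEWAY_DOMAIN" in ''|*[!A-Za-z0-9.-]*) echo "invalid MCP_GATEWAY_DOMAIN" >&2; exit 1 ;; esac`. The removed branch worked around name resolution inside the container, so it is also worth confirming that `host.docker.internal` is pinned there (a hosts entry rather than a DNS lookup), since the allow list now trusts whatever that name resolves to. The script continues outside the hunk, so an earlier check in the file may already cover part of this.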
@@ -287,8 +286,8 @@ func TestGetCodexAllowedDomains(t *testing.T) {
 t.Run("nil network permissions returns only defaults", func(t *testing.T) {
 result := GetCodexAllowedDomains(nil)
 // Should contain default Codex domains, sorted
- if result != "172.30.0.1,api.openai.com,host.docker.internal,openai.com" {
- t.Errorf("Expected '172.30.0.1,api.openai.com,host.docker.internal,openai.com', got %q", result)
+ if result != "api.openai.com,host.docker.internal,openai.com" {
+ t.Errorf("Expected 'api.openai.com,host.docker.internal,openai.com', got %q", result)
 }
 })
@@ -298,8 +297,8 @@ func TestGetCodexAllowedDomains(t *testing.T) {
 }
 result := GetCodexAllowedDomains(network)
 // Should contain both default Codex domains and user-specified domain
- if result != "172.30.0.1,api.openai.com,example.com,host.docker.internal,openai.com" {
- t.Errorf("Expected '172.30.0.1,api.openai.com,example.com,host.docker.internal,openai.com', got %q", result)
+ if result != "api.openai.com,example.com,host.docker.internal,openai.com" {
+ t.Errorf("Expected 'api.openai.com,example.com,host.docker.internal,openai.com', got %q", result)
 }
 })
@@ -309,8 +308,8 @@ func TestGetCodexAllowedDomains(t *testing.T) {
 }
 result := GetCodexAllowedDomains(network)
 // api.openai.com should not appear twice
- if result != "172.30.0.1,api.openai.com,example.com,host.docker.internal,openai.com" {
- t.Errorf("Expected '172.30.0.1,api.openai.com,example.com,host.docker.internal,openai.com', got %q", result)
+ if result != "api.openai.com,example.com,host.docker.internal,openai.com" {
+ t.Errorf("Expected 'api.openai.com,example.com,host.docker.internal,openai.com', got %q", result)
 }
 })
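Review bot: The expected domain string is written twice in each updated subtest of TestGetCodexAllowedDomains, once in the comparison and once in the `t.Errorf` message, so the two copies can drift apart the next time this security-relevant default allow list is edited. Binding it once, `want := "api.openai.com,host.docker.internal,openai.com"` followed by `if result != want { t.Errorf("got %q, want %q", result, want) }`, keeps the assertion and its message in step. The same applies to the hunks at -298, -309 and -320. The enclosing test function starts and ends outside these hunks.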
@@ -320,8 +319,8 @@ func TestGetCodexAllowedDomains(t *testing.T) {
 }
 result := GetCodexAllowedDomains(network)
 // Empty allowed list should still return Codex defaults
- if result != "172.30.0.1,api.openai.com,host.docker.internal,openai.com" {
- t.Errorf("Expected '172.30.0.1,api.openai.com,host.docker.internal,openai.com', got %q", result)
+ if result != "api.openai.com,host.docker.internal,openai.com" {
+ t.Errorf("Expected 'api.openai.com,host.docker.internal,openai.com', got %q", result)
 }
 })
 }
From 1de56ee5018c4042017bdcc5cbcc82e8e4a057d5 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 4 Feb 2026 21:18:02 +0000
Subject: [PATCH 2/3] Add changeset [skip-ci]
---
 .changeset/patch-remove-codex-hardcoded-ip.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/patch-remove-codex-hardcoded-ip.md
diff --git a/.changeset/patch-remove-codex-hardcoded-ip.md b/.changeset/patch-remove-codex-hardcoded-ip.md
new file mode 100644
index 0000000000..2dda5e5143
--- /dev/null
+++ b/.changeset/patch-remove-codex-hardcoded-ip.md
@@ -0,0 +1,5 @@
+---
+"gh-aw": patch
+---
+
+Align Codex MCP gateway defaults with Claude by dropping the 172.30.0.1 hack, using host.docker.internal in the Codex convert script, and updating the smoke workflow/test domains.
From b8e02e42747e6d2bfade115a619423fc4a0b14fa Mon Sep 17 00:00:00 2001
From: "Jiaxiao (mossaka) Zhou" Date: Thu, 5 Feb 2026 01:05:12 +0000 Subject: [PATCH 3/3] Bump MCP Gateway to v0.0.99 (fixes OAuth discovery timeout) Updates the default MCP Gateway version to v0.0.99 which includes the fix for OAuth discovery requests hanging instead of returning 404. This fix (github/gh-aw-mcpg#672) adds a handler at the standard `/.well-known/oauth-authorization-server` path to return 404 immediately, preventing the 15-second timeout that was causing 4/6 MCP servers to fail. Co-Authored-By: Claude Opus 4.5 --- .github/workflows/smoke-codex.lock.yml | 6 +++--- pkg/constants/constants.go | 2 +- pkg/constants/constants_test.go | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index ae96c184f9..19de04d57e 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -209,7 +209,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.99 ghcr.io/github/github-mcp-server:v0.30.3 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs 
@@ -1085,7 +1085,7 @@ jobs: # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_INPUTS_PORT -e GH_AW_SAFE_INPUTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -e TAVILY_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.0.98' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e 
GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_INPUTS_PORT -e GH_AW_SAFE_INPUTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -e TAVILY_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.0.99' cat > /tmp/gh-aw/mcp-config/config.toml << EOF [history] @@ -1257,7 +1257,7 @@ jobs: allowed_domains: ["defaults","github","playwright"], firewall_enabled: true, awf_version: "v0.13.4", - awmg_version: "v0.0.98", + awmg_version: "v0.0.99", steps: { firewall: "squid" }, diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index 3e56413e57..bfdb4b221e 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -278,7 +278,7 @@ const DefaultGitHubMCPServerVersion Version = "v0.30.3" const DefaultFirewallVersion Version = "v0.13.4" // DefaultMCPGatewayVersion is the default version of the MCP Gateway (gh-aw-mcpg) Docker image -const DefaultMCPGatewayVersion Version = "v0.0.98" +const DefaultMCPGatewayVersion Version = "v0.0.99" // DefaultMCPGatewayContainer is the default container image for the MCP Gateway const DefaultMCPGatewayContainer = "ghcr.io/github/gh-aw-mcpg" diff --git a/pkg/constants/constants_test.go b/pkg/constants/constants_test.go index e6ac75f46c..373c3384ff 100644 --- a/pkg/constants/constants_test.go +++ b/pkg/constants/constants_test.go 
@@ -286,7 +286,7 @@ func TestVersionConstants(t *testing.T) {
 {"DefaultCopilotVersion", DefaultCopilotVersion, "0.0.402"},
 {"DefaultCodexVersion", DefaultCodexVersion, "0.94.0"},
 {"DefaultGitHubMCPServerVersion", DefaultGitHubMCPServerVersion, "v0.30.3"},
- {"DefaultMCPGatewayVersion", DefaultMCPGatewayVersion, "v0.0.98"},
+ {"DefaultMCPGatewayVersion", DefaultMCPGatewayVersion, "v0.0.99"},
 {"DefaultSandboxRuntimeVersion", DefaultSandboxRuntimeVersion, "0.0.34"},
 {"DefaultFirewallVersion", DefaultFirewallVersion, "v0.13.4"},
 {"DefaultPlaywrightMCPVersion", DefaultPlaywrightMCPVersion, "0.0.63"},