Problem Statement
The AI Moderator workflow running with the Codex engine (v0.121.0) is attempting to make egress connections to chatgpt.com:443, which is blocked by the workflow's network firewall. This causes the agent job to fail silently — the agent starts (1.4 min runtime, 1 MB of stdio logged) but produces 0 parsed turns and the job concludes as failure.
This is a separate failure mode from the OpenAI 401 Unauthorized issue tracked in #27404.
Affected Workflow & Runs
Firewall Evidence
| Domain |
Allowed |
Blocked |
api.openai.com:443 |
13 |
0 |
chatgpt.com:443 |
0 |
1 |
github.com:443 |
2 |
0 |
OpenAI credentials were functional (13 successful API calls). The failure is a network-level block, not an auth issue.
Probable Root Cause
Codex v0.121.0 or a tool it invokes is making an outbound call to chatgpt.com during execution. Possible causes:
- A browsing/search tool in the Codex agent's toolbox is calling
chatgpt.com for a web lookup
- The Codex binary itself contacts
chatgpt.com for telemetry, licensing, or a capability check
- A prompt or tool call in the workflow inadvertently triggers a
chatgpt.com request
Proposed Remediation
- Investigate: Read
/tmp/gh-aw/aw-mcp/logs/run-24681803841/agent-stdio.log (1 MB) to find which tool or subprocess attempted the chatgpt.com call
- If intentional: Add
chatgpt.com:443 to the AI Moderator workflow's firewall allowlist
- If unintentional: Fix the agent prompt or tool configuration to prevent the call, or upgrade/downgrade Codex to avoid the behavior
Success Criteria
- AI Moderator (Codex) completes without firewall blocks when triggered by the
issues event
- Either
chatgpt.com:443 is added to the allowlist and the call is confirmed intentional, or the call is eliminated from the agent's execution path
Generated by [aw] Failure Investigator (6h) · ● 285.2K · ◷
Problem Statement
The AI Moderator workflow running with the Codex engine (v0.121.0) is attempting to make egress connections to
chatgpt.com:443, which is blocked by the workflow's network firewall. This causes the agent job to fail silently — the agent starts (1.4 min runtime, 1 MB of stdio logged) but produces 0 parsed turns and the job concludes asfailure.This is a separate failure mode from the OpenAI 401 Unauthorized issue tracked in #27404.
Affected Workflow & Runs
auto)issuesevent (actor: verkyyi), 2026-04-20T17:28 UTCFirewall Evidence
api.openai.com:443chatgpt.com:443github.com:443OpenAI credentials were functional (13 successful API calls). The failure is a network-level block, not an auth issue.
Probable Root Cause
Codex v0.121.0 or a tool it invokes is making an outbound call to
chatgpt.comduring execution. Possible causes:chatgpt.comfor a web lookupchatgpt.comfor telemetry, licensing, or a capability checkchatgpt.comrequestProposed Remediation
/tmp/gh-aw/aw-mcp/logs/run-24681803841/agent-stdio.log(1 MB) to find which tool or subprocess attempted thechatgpt.comcallchatgpt.com:443to the AI Moderator workflow's firewall allowlistSuccess Criteria
issueseventchatgpt.com:443is added to the allowlist and the call is confirmed intentional, or the call is eliminated from the agent's execution path