Windows app 26.527: sandbox network fails despite workspace-write network access; workspace dependencies cannot reinstall

[ryanmartin164]

Summary

On Windows Codex app 26.527.3686.0, the app can execute local commands and read workspace files, but sandboxed outbound HTTPS still fails even when workspace-write networking is enabled. The same read-only Airtable validator succeeds outside the Codex sandbox on the same machine.

Feedback ID: 019e768b-bd2c-70b0-8a79-b72d941338dc

Environment

• OS: Windows
• Codex app package: OpenAI.Codex 26.527.3686.0
• Package family: OpenAI.Codex_2p2nqsd0c76g0
• Sandbox settings: workspace-write
• Network setting: sandbox_workspace_write.network_access = true
• Project trust level: trusted
• Workspace Dependencies UI: Current version: Not installed

Symptoms

1. Codex local command execution works.
2. Codex can read local repo files and .env.local.
3. Workspace Dependencies remain Not installed.
4. Diagnose only shows a toast: Codex dependencies may need repair. Send /feedback if this keeps happening.
5. Reinstall shows a toast: Couldn't reinstall Codex dependencies.
6. A read-only Airtable metadata validator fails inside the Codex sandbox with no HTTP status code.
7. The exact same validator succeeds outside the Codex sandbox in normal PowerShell on the same machine.
8. Maximized window rendering is broken after the same update; unmaximized state works.

Reproduction

1. Configure Codex on Windows with:

sandbox_mode = "workspace-write"

[sandbox_workspace_write]
network_access = true

2. Open Settings > Configuration and confirm:

   • Sandbox settings: Workspace write
   • Allow network access: enabled
   • Workspace Dependencies: Current version Not installed

3. Run a read-only HTTPS validator from inside Codex sandbox. In this case it reads local env values and performs a GET to Airtable metadata only.

Result inside Codex sandbox:

[PASS] .env.local exists
[PASS] AIRTABLE_PAT is present locally
[PASS] AIRTABLE_BASE_ID is present locally
[PASS] ENVIRONMENT is DEV
[INFO] Performing explicit live read check against the DEV Airtable base.
[FAIL] Live read check failed; verify PAT scopes and DEV base access
[INFO] HTTP status code unavailable.

4. Run the exact same command outside the Codex sandbox in normal PowerShell.

Result outside Codex sandbox:

[PASS] .env.local exists
[PASS] AIRTABLE_PAT is present locally
[PASS] AIRTABLE_BASE_ID is present locally
[PASS] ENVIRONMENT is DEV
[INFO] Performing explicit live read check against the DEV Airtable base.
[PASS] Live read check succeeded for AIRTABLE_BASE_ID
DEV Airtable credential readiness validation completed successfully.

Expected behavior

When sandbox_workspace_write.network_access = true is set and the UI shows network access enabled, sandboxed commands should be able to perform outbound HTTPS requests, or return a clear sandbox/network denial error.

Workspace Dependencies Diagnose/Reinstall should either succeed or emit actionable logs/errors instead of only a toast.

Actual behavior

Sandboxed HTTPS fails before a service HTTP response is available, while the same command succeeds outside the sandbox. Workspace dependency diagnose/reinstall paths appear broken and do not expose actionable diagnostics in the UI.

Notes

This does not appear to be an Airtable credential or repo issue because the same command succeeds outside Codex with the same local files and same machine network. The failure is isolated to the Codex sandbox/runtime path.

[github-actions]

Potential duplicates detected. Please review them and close your issue if it is a duplicate.

• Codex Desktop (Windows) Maximization bug #25160

Powered by Codex Action