{
"schemaVersion": 1,
"generatedAt": "1781888348s since unix epoch",
"overallStatus": "warning",
"codexVersion": "0.141.0",
"checks": {
"app_server.status": {
"id": "app_server.status",
"category": "app-server",
"status": "ok",
"summary": "background server is not running",
"details": {
"control socket": "/home/coder/.codex/app-server-control/app-server-control.sock",
"daemon state dir": "/home/coder/.codex/app-server-daemon",
"mode": "ephemeral",
"pid file": "/home/coder/.codex/app-server-daemon/app-server.pid (missing)",
"settings": "/home/coder/.codex/app-server-daemon/settings.json (missing)",
"status": "not running",
"update-loop pid file": "/home/coder/.codex/app-server-daemon/app-server-updater.pid (missing)"
},
"remediation": null,
"durationMs": 0
},
"auth.credentials": {
"id": "auth.credentials",
"category": "auth",
"status": "ok",
"summary": "auth is provided by the active model provider",
"details": {
"auth file": "/home/coder/.codex/auth.json",
"auth storage mode": "File",
"model provider requires OpenAI auth": "false",
"provider auth env var": "CODER_AIBRIDGE_SESSION_TOKEN (present)"
},
"remediation": null,
"durationMs": 0
},
"config.load": {
"id": "config.load",
"category": "config",
"status": "ok",
"summary": "config loaded",
"details": {
"CODEX_HOME": "/home/coder/.codex",
"config.toml": "/home/coder/.codex/config.toml",
"config.toml parse": "ok",
"cwd": "/home/coder",
"enabled feature flags": "shell_tool, unified_exec, shell_snapshot, terminal_resize_reflow, sqlite, hooks, enable_request_compression, multi_agent, apps, tool_suggest, plugins, in_app_browser, browser_use, browser_use_external, computer_use, plugin_sharing, image_generation, skill_mcp_dependency_install, mentions_v2, steer, guardian_approval, goals, collaboration_modes, tool_call_mcp_elicitation, personality, fast_mode, tui_app_server, remote_compaction_v2, workspace_dependencies",
"feature flag overrides": "none",
"feature flags enabled": "29",
"log dir": "/home/coder/.codex/log",
"mcp servers": "2",
"model": "<default>",
"model provider": "aigateway",
"sqlite home": "/home/coder/.codex"
},
"remediation": null,
"durationMs": 0
},
"git.environment": {
"id": "git.environment",
"category": "git",
"status": "ok",
"summary": "git version 2.48.1",
"details": {
"PATH git #1": "/usr/bin/git",
"PATH git #2": "/bin/git",
"PATH git entries": "2",
"git build options": "git version 2.48.1; cpu: x86_64; no commit associated with this build; sizeof-long: 8; sizeof-size_t: 8; shell-path: /bin/sh; libcurl: 8.5.0; zlib: 1.3",
"git exec path": "/usr/lib/git-core",
"git version": "git version 2.48.1",
"repo detected": "false",
"selected git": "/usr/bin/git"
},
"remediation": null,
"durationMs": 43
},
"installation": {
"id": "installation",
"category": "install",
"status": "ok",
"summary": "installation looks consistent",
"details": {
"PATH codex #1": "/home/coder/.local/bin/codex",
"PATH codex #2": "/tmp/coder-script-data/bin/codex",
"PATH codex #3": "/home/coder/.local/bin/codex",
"PATH codex #4": "/home/coder/.local/bin/codex",
"PATH codex entries": "4",
"current executable": "/home/coder/.local/bin/codex",
"install context": "other",
"managed by bun": "false",
"managed by npm": "false",
"managed package root": "not set"
},
"remediation": null,
"durationMs": 1
},
"mcp.config": {
"id": "mcp.config",
"category": "mcp",
"status": "ok",
"summary": "MCP configuration is locally consistent",
"details": {
"configured servers": "2",
"disabled servers": "0",
"stdio servers": "2"
},
"remediation": null,
"durationMs": 0
},
"network.env": {
"id": "network.env",
"category": "network",
"status": "ok",
"summary": "network-related environment looks readable",
"details": {
"proxy env vars": "none"
},
"remediation": null,
"durationMs": 0
},
"network.provider_reachability": {
"id": "network.provider_reachability",
"category": "reachability",
"status": "warning",
"summary": "provider endpoint checks returned warnings",
"details": {
"aigateway API base URL": "https://<redacted>.coder.com/api/<redacted> reachable (HTTP 400)",
"aigateway API route probe": "https://<redacted>.coder.com/api/<redacted> returned HTTP 400 (warning)",
"reachability mode": "provider auth"
},
"remediation": "Check proxy, VPN, firewall, DNS, and custom CA configuration.",
"durationMs": 224
},
"network.websocket_reachability": {
"id": "network.websocket_reachability",
"category": "websocket",
"status": "ok",
"summary": "Responses WebSocket is not enabled for the active provider",
"details": {
"model provider": "aigateway",
"provider name": "AI Gateway",
"proxy env vars": "none",
"supports websockets": "false",
"wire API": "responses"
},
"remediation": null,
"durationMs": 0
},
"runtime.provenance": {
"id": "runtime.provenance",
"category": "runtime",
"status": "ok",
"summary": "running local build on linux-x86_64",
"details": {
"commit": "unknown",
"current executable": "/home/coder/.local/bin/codex",
"install method": "other",
"platform": "linux-x86_64",
"version": "0.141.0"
},
"remediation": null,
"durationMs": 0
},
"runtime.search": {
"id": "runtime.search",
"category": "search",
"status": "warning",
"summary": "search command could not be verified",
"details": {
"search command": "rg",
"search command readiness": "No such file or directory (os error 2)",
"search provider": "system"
},
"remediation": "Install ripgrep or repair the bundled Codex package.",
"durationMs": 0
},
"sandbox.helpers": {
"id": "sandbox.helpers",
"category": "sandbox",
"status": "ok",
"summary": "sandbox configuration is readable",
"details": {
"approval policy": "OnRequest",
"codex-linux-sandbox helper": "/home/coder/.codex/tmp/arg0/codex-arg0TawEZy/codex-linux-sandbox",
"execve wrapper helper": "/home/coder/.codex/tmp/arg0/codex-arg0TawEZy/codex-execve-wrapper",
"filesystem sandbox": "restricted",
"network sandbox": "restricted"
},
"remediation": null,
"durationMs": 0
},
"state.paths": {
"id": "state.paths",
"category": "state",
"status": "ok",
"summary": "state paths and databases are inspectable",
"details": {
"CODEX_HOME": "/home/coder/.codex (dir)",
"active rollout files": "0 files, 0 total bytes, 0 average bytes",
"archived rollout files": "0 files, 0 total bytes, 0 average bytes",
"goals DB": "/home/coder/.codex/goals_1.sqlite (missing)",
"goals DB integrity": "skipped (missing)",
"log DB": "/home/coder/.codex/logs_2.sqlite (missing)",
"log DB integrity": "skipped (missing)",
"log dir": "/home/coder/.codex/log (missing)",
"memories DB": "/home/coder/.codex/memories_1.sqlite (missing)",
"memories DB integrity": "skipped (missing)",
"sqlite home": "/home/coder/.codex (dir)",
"state DB": "/home/coder/.codex/state_5.sqlite (missing)",
"state DB integrity": "skipped (missing)"
},
"remediation": null,
"durationMs": 0
},
"state.rollout_db_parity": {
"id": "state.rollout_db_parity",
"category": "threads",
"status": "ok",
"summary": "no rollout/state DB inventory to compare",
"details": {
"default model provider": "aigateway",
"rollout DB active files": "0",
"rollout DB archived files": "0",
"rollout DB malformed file names": "0",
"rollout DB rows": "skipped (state DB missing)",
"rollout DB scan cap reached": "false",
"rollout DB scan errors": "0"
},
"remediation": null,
"durationMs": 0
},
"system.environment": {
"id": "system.environment",
"category": "system",
"status": "ok",
"summary": "OS language en-US",
"details": {
"EDITOR": "not set",
"LANG": "en_US.UTF-8",
"LC_ALL": "en_US.UTF-8",
"VISUAL": "not set",
"os": "Ubuntu 24.4.0 (noble) [64-bit]",
"os language": "en-US",
"os type": "Ubuntu",
"os version": "24.4.0"
},
"remediation": null,
"durationMs": 15
},
"terminal.env": {
"id": "terminal.env",
"category": "terminal",
"status": "ok",
"summary": "terminal metadata was detected",
"details": {
"SSH_CLIENT": "present",
"SSH_CONNECTION": "present",
"TERM": "xterm-256color",
"color output": "enabled",
"effective locale": "en_US.UTF-8",
"stderr is terminal": "true",
"stdin is terminal": "true",
"stdout is terminal": "true",
"terminal": "unknown",
"terminal size": "146x50"
},
"remediation": null,
"durationMs": 0
},
"terminal.title": {
"id": "terminal.title",
"category": "title",
"status": "ok",
"summary": "terminal title default",
"details": {
"terminal title activity": "true",
"terminal title items": "activity, project-name",
"terminal title project source": "cwd",
"terminal title project value": "coder",
"terminal title source": "default"
},
"remediation": null,
"durationMs": 0
},
"updates.status": {
"id": "updates.status",
"category": "updates",
"status": "ok",
"summary": "update configuration is locally consistent",
"details": {
"check for update on startup": "true",
"latest version": "0.141.0",
"latest version status": "current version is not older",
"update action": "manual or unknown",
"version cache": [
"/home/coder/.codex/version.json",
"missing"
]
},
"remediation": null,
"durationMs": 492
}
}
}
When Codex spawns MCP stdio subprocesses it clears the environment and only passes through the hardcoded DEFAULT_ENV_VARS whitelist (HOME, PATH, SHELL, USER, TERM, etc.). The CA cert and proxy vars are not in that whitelist and are stripped.
MCP subprocesses then attempt TLS connections through the intercepting proxy, which presents a certificate signed by the proxy's CA. Because NODE_EXTRA_CA_CERTS was stripped, Node.js rejects the certificate, and the connection is blocked at the OS level by the proxy:
The subprocess never fetches the package or initializes. Codex reports the MCP server as failed.
MCP stdio subprocesses should inherit CA cert and proxy environment variables by default so that TLS verification works in network-isolated environments without requiring per-server env_vars configuration.
These are conventional, cross-ecosystem env vars. Stripping them silently breaks any MCP server subprocess that makes outbound TLS connections in a proxied environment.
No upstream issue currently tracks this Linux/TLS variant.
What version of Codex CLI is running?
codex-cli 0.141.0
What subscription do you have?
Not Relevant
Which model were you using?
Not model-specific
What platform is your computer?
Linux 6.8.0-110-generic x86_64 x86_64
What terminal emulator and version are you using (if applicable)?
No response
Codex doctor report
{ "schemaVersion": 1, "generatedAt": "1781888348s since unix epoch", "overallStatus": "warning", "codexVersion": "0.141.0", "checks": { "app_server.status": { "id": "app_server.status", "category": "app-server", "status": "ok", "summary": "background server is not running", "details": { "control socket": "/home/coder/.codex/app-server-control/app-server-control.sock", "daemon state dir": "/home/coder/.codex/app-server-daemon", "mode": "ephemeral", "pid file": "/home/coder/.codex/app-server-daemon/app-server.pid (missing)", "settings": "/home/coder/.codex/app-server-daemon/settings.json (missing)", "status": "not running", "update-loop pid file": "/home/coder/.codex/app-server-daemon/app-server-updater.pid (missing)" }, "remediation": null, "durationMs": 0 }, "auth.credentials": { "id": "auth.credentials", "category": "auth", "status": "ok", "summary": "auth is provided by the active model provider", "details": { "auth file": "/home/coder/.codex/auth.json", "auth storage mode": "File", "model provider requires OpenAI auth": "false", "provider auth env var": "CODER_AIBRIDGE_SESSION_TOKEN (present)" }, "remediation": null, "durationMs": 0 }, "config.load": { "id": "config.load", "category": "config", "status": "ok", "summary": "config loaded", "details": { "CODEX_HOME": "/home/coder/.codex", "config.toml": "/home/coder/.codex/config.toml", "config.toml parse": "ok", "cwd": "/home/coder", "enabled feature flags": "shell_tool, unified_exec, shell_snapshot, terminal_resize_reflow, sqlite, hooks, enable_request_compression, multi_agent, apps, tool_suggest, plugins, in_app_browser, browser_use, browser_use_external, computer_use, plugin_sharing, image_generation, skill_mcp_dependency_install, mentions_v2, steer, guardian_approval, goals, collaboration_modes, tool_call_mcp_elicitation, personality, fast_mode, tui_app_server, remote_compaction_v2, workspace_dependencies", "feature flag overrides": "none", "feature flags enabled": "29", "log dir": "/home/coder/.codex/log", 
"mcp servers": "2", "model": "<default>", "model provider": "aigateway", "sqlite home": "/home/coder/.codex" }, "remediation": null, "durationMs": 0 }, "git.environment": { "id": "git.environment", "category": "git", "status": "ok", "summary": "git version 2.48.1", "details": { "PATH git #1": "/usr/bin/git", "PATH git #2": "/bin/git", "PATH git entries": "2", "git build options": "git version 2.48.1; cpu: x86_64; no commit associated with this build; sizeof-long: 8; sizeof-size_t: 8; shell-path: /bin/sh; libcurl: 8.5.0; zlib: 1.3", "git exec path": "/usr/lib/git-core", "git version": "git version 2.48.1", "repo detected": "false", "selected git": "/usr/bin/git" }, "remediation": null, "durationMs": 43 }, "installation": { "id": "installation", "category": "install", "status": "ok", "summary": "installation looks consistent", "details": { "PATH codex #1": "/home/coder/.local/bin/codex", "PATH codex #2": "/tmp/coder-script-data/bin/codex", "PATH codex #3": "/home/coder/.local/bin/codex", "PATH codex #4": "/home/coder/.local/bin/codex", "PATH codex entries": "4", "current executable": "/home/coder/.local/bin/codex", "install context": "other", "managed by bun": "false", "managed by npm": "false", "managed package root": "not set" }, "remediation": null, "durationMs": 1 }, "mcp.config": { "id": "mcp.config", "category": "mcp", "status": "ok", "summary": "MCP configuration is locally consistent", "details": { "configured servers": "2", "disabled servers": "0", "stdio servers": "2" }, "remediation": null, "durationMs": 0 }, "network.env": { "id": "network.env", "category": "network", "status": "ok", "summary": "network-related environment looks readable", "details": { "proxy env vars": "none" }, "remediation": null, "durationMs": 0 }, "network.provider_reachability": { "id": "network.provider_reachability", "category": "reachability", "status": "warning", "summary": "provider endpoint checks returned warnings", "details": { "aigateway API base URL": 
"https://<redacted>.coder.com/api/<redacted> reachable (HTTP 400)", "aigateway API route probe": "https://<redacted>.coder.com/api/<redacted> returned HTTP 400 (warning)", "reachability mode": "provider auth" }, "remediation": "Check proxy, VPN, firewall, DNS, and custom CA configuration.", "durationMs": 224 }, "network.websocket_reachability": { "id": "network.websocket_reachability", "category": "websocket", "status": "ok", "summary": "Responses WebSocket is not enabled for the active provider", "details": { "model provider": "aigateway", "provider name": "AI Gateway", "proxy env vars": "none", "supports websockets": "false", "wire API": "responses" }, "remediation": null, "durationMs": 0 }, "runtime.provenance": { "id": "runtime.provenance", "category": "runtime", "status": "ok", "summary": "running local build on linux-x86_64", "details": { "commit": "unknown", "current executable": "/home/coder/.local/bin/codex", "install method": "other", "platform": "linux-x86_64", "version": "0.141.0" }, "remediation": null, "durationMs": 0 }, "runtime.search": { "id": "runtime.search", "category": "search", "status": "warning", "summary": "search command could not be verified", "details": { "search command": "rg", "search command readiness": "No such file or directory (os error 2)", "search provider": "system" }, "remediation": "Install ripgrep or repair the bundled Codex package.", "durationMs": 0 }, "sandbox.helpers": { "id": "sandbox.helpers", "category": "sandbox", "status": "ok", "summary": "sandbox configuration is readable", "details": { "approval policy": "OnRequest", "codex-linux-sandbox helper": "/home/coder/.codex/tmp/arg0/codex-arg0TawEZy/codex-linux-sandbox", "execve wrapper helper": "/home/coder/.codex/tmp/arg0/codex-arg0TawEZy/codex-execve-wrapper", "filesystem sandbox": "restricted", "network sandbox": "restricted" }, "remediation": null, "durationMs": 0 }, "state.paths": { "id": "state.paths", "category": "state", "status": "ok", "summary": "state paths 
and databases are inspectable", "details": { "CODEX_HOME": "/home/coder/.codex (dir)", "active rollout files": "0 files, 0 total bytes, 0 average bytes", "archived rollout files": "0 files, 0 total bytes, 0 average bytes", "goals DB": "/home/coder/.codex/goals_1.sqlite (missing)", "goals DB integrity": "skipped (missing)", "log DB": "/home/coder/.codex/logs_2.sqlite (missing)", "log DB integrity": "skipped (missing)", "log dir": "/home/coder/.codex/log (missing)", "memories DB": "/home/coder/.codex/memories_1.sqlite (missing)", "memories DB integrity": "skipped (missing)", "sqlite home": "/home/coder/.codex (dir)", "state DB": "/home/coder/.codex/state_5.sqlite (missing)", "state DB integrity": "skipped (missing)" }, "remediation": null, "durationMs": 0 }, "state.rollout_db_parity": { "id": "state.rollout_db_parity", "category": "threads", "status": "ok", "summary": "no rollout/state DB inventory to compare", "details": { "default model provider": "aigateway", "rollout DB active files": "0", "rollout DB archived files": "0", "rollout DB malformed file names": "0", "rollout DB rows": "skipped (state DB missing)", "rollout DB scan cap reached": "false", "rollout DB scan errors": "0" }, "remediation": null, "durationMs": 0 }, "system.environment": { "id": "system.environment", "category": "system", "status": "ok", "summary": "OS language en-US", "details": { "EDITOR": "not set", "LANG": "en_US.UTF-8", "LC_ALL": "en_US.UTF-8", "VISUAL": "not set", "os": "Ubuntu 24.4.0 (noble) [64-bit]", "os language": "en-US", "os type": "Ubuntu", "os version": "24.4.0" }, "remediation": null, "durationMs": 15 }, "terminal.env": { "id": "terminal.env", "category": "terminal", "status": "ok", "summary": "terminal metadata was detected", "details": { "SSH_CLIENT": "present", "SSH_CONNECTION": "present", "TERM": "xterm-256color", "color output": "enabled", "effective locale": "en_US.UTF-8", "stderr is terminal": "true", "stdin is terminal": "true", "stdout is terminal": "true", 
"terminal": "unknown", "terminal size": "146x50" }, "remediation": null, "durationMs": 0 }, "terminal.title": { "id": "terminal.title", "category": "title", "status": "ok", "summary": "terminal title default", "details": { "terminal title activity": "true", "terminal title items": "activity, project-name", "terminal title project source": "cwd", "terminal title project value": "coder", "terminal title source": "default" }, "remediation": null, "durationMs": 0 }, "updates.status": { "id": "updates.status", "category": "updates", "status": "ok", "summary": "update configuration is locally consistent", "details": { "check for update on startup": "true", "latest version": "0.141.0", "latest version status": "current version is not older", "update action": "manual or unknown", "version cache": [ "/home/coder/.codex/version.json", "missing" ] }, "remediation": null, "durationMs": 492 } } }What issue are you seeing?
When Codex runs inside a MITM-proxying network isolator (e.g. Coder agent-firewall), the proxy injects CA cert and proxy env vars into the Codex process:
When Codex spawns MCP stdio subprocesses it clears the environment and only passes through the hardcoded `DEFAULT_ENV_VARS` whitelist (`HOME`, `PATH`, `SHELL`, `USER`, `TERM`, etc.). The CA cert and proxy vars are not in that whitelist and are stripped.

MCP subprocesses then attempt TLS connections through the intercepting proxy, which presents a certificate signed by the proxy's CA. Because `NODE_EXTRA_CA_CERTS` was stripped, Node.js rejects the certificate, and the connection is blocked at the OS level by the proxy:

The subprocess never fetches the package or initializes. Codex reports the MCP server as failed.
What steps can reproduce the bug?
Run Codex inside a MITM proxy that injects `NODE_EXTRA_CA_CERTS` and `HTTPS_PROXY` (e.g. Coder agent-firewall).

Configure an MCP stdio server in `~/.codex/config.toml`:

Start Codex. The MCP server subprocess fails immediately with `EACCES` on the npm registry fetch because `HTTPS_PROXY` and `NODE_EXTRA_CA_CERTS` were stripped from its environment.

Workaround that confirms the root cause — adding `env_vars` makes it work:

What is the expected behavior?
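MCP stdio subprocesses should inherit CA cert and proxy environment variables by default so that TLS verification works in network-isolated environments without requiring per-server `env_vars` configuration.

The minimal fix is to add the standard TLS and proxy vars to `DEFAULT_ENV_VARS` in `codex-rs/rmcp-client/src/utils.rs`:

These are conventional, cross-ecosystem env vars. Stripping them silently breaks any MCP server subprocess that makes outbound TLS connections in a proxied environment. Since a proxy variable such as `HTTPS_PROXY` can embed credentials in its URL, whereas `NODE_EXTRA_CA_CERTS` only names a CA bundle file, passing the proxy variables to every MCP server by default widens what those subprocesses can read and is worth weighing separately from the CA variables.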
Additional information
Root cause: the `DEFAULT_ENV_VARS` whitelist in `codex-rs/rmcp-client/src/utils.rs` does not include TLS certificate or proxy variables. Every MCP subprocess env is built from this whitelist via `env_clear()`, so all proxy-injected vars are lost.

No upstream issue currently tracks this Linux/TLS variant.