fix: support managed network allowlist controls

[viyatb-oai]

Summary

• treat requirements.toml allowed_domains and denied_domains as managed network baselines for the proxy
• in restricted modes by default, build the effective runtime policy from the managed baseline plus user-configured allowlist and denylist entries, so common hosts can be pre-approved without blocking later user expansion
• add experimental_network.managed_allowed_domains_only = true to pin the effective allowlist to managed entries, ignore user allowlist additions, and hard-deny non-managed domains without prompting
• apply managed_allowed_domains_only anywhere managed network enforcement is active, including full access, while continuing to respect denied domains from all sources
• add regression coverage for merged-baseline behavior, managed-only behavior, and full-access managed-only enforcement

Behavior

Assuming requirements.toml defines both experimental_network.allowed_domains and experimental_network.denied_domains.

Default mode

• By default, the effective allowlist is experimental_network.allowed_domains plus user or persisted allowlist additions.
• By default, the effective denylist is experimental_network.denied_domains plus user or persisted denylist additions.
• Allowlist misses can go through the network approval flow.
• Explicit denylist hits and local or private-network blocks are still hard-denied.
• When experimental_network.managed_allowed_domains_only = true, only managed allowed_domains are respected, user allowlist additions are ignored, and non-managed domains are hard-denied without prompting.
• Denied domains continue to be respected from all sources.

Full access

• With managed requirements present, the effective allowlist is pinned to experimental_network.allowed_domains.
• With managed requirements present, the effective denylist is pinned to experimental_network.denied_domains.
• There is no allowlist-miss approval path in full access.
• Explicit denylist hits are hard-denied.
• experimental_network.managed_allowed_domains_only = true now also applies in full access, so managed-only behavior remains in effect anywhere managed network enforcement is active.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5cb9778652

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[viyatb-oai]

@codex review

[bolinfest]

By default, the effective allowlist is experimental_network.allowed_domains plus user or persisted allowlist additions.

In general, requirements.toml sets hard requirements on what values a config option can take on. While I think it may be hard for an enterprise to come up with comprehensive list of allowed_domains, I would say they are well within their rights to do so.

To set defaults that users can amend, that is supposed to go in /etc/codex/config.toml.

(Though similar to [permissions], we have the issue where arrays are not great when it comes to merging configs.)

[viyatb-oai]

yep I have this for experimental_network.managed_allowed_domains_only = true for enterprises that truly want to lock down. if its false, it balances the user experience of reducing prompts in default mode.