I have some e2e tests that hit the Alpaca API, but for some reason the Alpaca server is not reachable:
Settings:
Error:
Caused by: Error: connect ENETUNREACH 35.221.23.121:443 - Local (0.0.0.0:0)
Well you have to use the HTTP_PROXY env var with Node fetch requests.
Adding this to the docs wouldn't hurt.
Interesting, this option is not available to me.
Codex Cloud: Internet Access = On (+ allowlist) but agent phase still fails with ENETUNREACH
Summary
Despite enabling Agent Internet Access for my Codex Cloud environment (Domain allowlist = Common dependencies + api.openai.com, Allowed HTTP methods = All), outbound HTTPS requests from the agent phase consistently fail with ENETUNREACH. The same environment's setup phase has internet access and completes npm ci successfully. This looks like an egress/allowlist bug affecting the agent runtime.
Environment details
Agent Internet Access: On
Domain allowlist: Common dependencies + api.openai.com
Allowed HTTP methods: All
Repo/Workspace: [ORG/REPO] @ [commit SHA]
Task/Run ID(s): [IDs]
Node.js: v20.19.4 (undici-based fetch)
Expected behavior
With internet access enabled and api.openai.com allowlisted, an HTTPS GET to https://api.openai.com/v1/models from the agent phase should succeed (401 without API key is acceptable) or at least establish a TCP connection.
Actual behavior
HTTPS requests from the agent phase fail with ENETUNREACH (no route). Example:
TypeError: fetch failed
Caused by: AggregateError:
Error: connect ENETUNREACH 172.66.0.243:443 - Local (0.0.0.0:0)
Error: connect ENETUNREACH 162.159.140.245:443 - Local (0.0.0.0:0)
code: ENETUNREACH
Minimal reproduction (agent phase)
Run inside the task (agent phase, not setup):
getent hosts api.openai.com
nc -vz api.openai.com 443 || true
curl -4 -sv https://api.openai.com/v1/models --max-time 10 || true
Observed result
getent resolves to IPv4 (OK)
nc to 443 → fails
curl to https://api.openai.com/v1/models → fails
Tried (no change)
import dns from 'node:dns';
import { Agent, setGlobalDispatcher } from 'undici';
dns.setDefaultResultOrder('ipv4first');
setGlobalDispatcher(new Agent({ connect: { family: 4 } }));
HTTPS_PROXY with explicit ProxyAgent:
import { setGlobalDispatcher, ProxyAgent } from 'undici';
setGlobalDispatcher(new ProxyAgent(process.env.HTTPS_PROXY || process.env.HTTP_PROXY!));
Verified methods = All; added api.openai.com to additional domains.
Confirmed this is the agent phase (setup has internet and succeeds).
Why this seems platform-level
Docs say agent internet is off by default but can be allowed per environment via allowlist and method filters; egress in agent phase appears blocked despite that configuration.
Attachments
Screenshot of environment settings.
Full vitest log + output from the preflight above.
Request
Please verify egress for this environment and whether Additional allowed domains are honored in the agent phase.
If there's a known incident/regression, please confirm and share a workaround/ETA.
If outbound traffic is intentionally proxied, let me know if further config is required on my side.
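Added example, not part of any post in this thread: a small Node triage helper that walks a failed fetch's cause chain and checks whether the sockets that failed were opened to the origin directly or to the configured proxy. The helper names (`leafErrors`, `proxyFor`, `diagnose`) and the proxy URL are constructed for illustration, and the error object is built by hand to match the trace in the report above.

```javascript
// Added example. Error codes that mean "no route from this host", not "refused".
const NO_ROUTE = new Set(['ENETUNREACH', 'EHOSTUNREACH']);

// Flatten err.cause chains and AggregateError.errors into the leaf socket errors.
function leafErrors(err, seen = new Set()) {
  if (!err || typeof err !== 'object' || seen.has(err)) return [];
  seen.add(err);
  const kids = [...(Array.isArray(err.errors) ? err.errors : []), err.cause].filter(Boolean);
  return kids.length ? kids.flatMap((k) => leafErrors(k, seen)) : [err];
}

// Proxy URL that applies to `target`, or null (unset, or host matched by NO_PROXY).
function proxyFor(target, env) {
  const host = new URL(target).hostname.toLowerCase();
  const skip = (env.NO_PROXY || env.no_proxy || '').toLowerCase().split(',')
    .map((s) => s.trim().replace(/^\./, '')).filter(Boolean);
  if (skip.some((s) => s === '*' || host === s || host.endsWith('.' + s))) return null;
  return env.HTTPS_PROXY || env.https_proxy || env.HTTP_PROXY || env.http_proxy || null;
}

// Hostname of a proxy URL, or null when the value is not a parseable URL.
function hostOf(url) { try { return new URL(url).hostname; } catch { return null; } }

// Classify a failed fetch(): was the origin dialed directly while a proxy was set?
function diagnose(err, target, env) {
  const leaves = leafErrors(err);
  const codes = [...new Set(leaves.map((e) => e.code).filter(Boolean))];
  const dialed = leaves.filter((e) => e.address).map((e) => `${e.address}:${e.port}`);
  const proxy = proxyFor(target, env);
  let verdict = 'not-a-routing-failure';
  if (codes.length && codes.every((c) => NO_ROUTE.has(c))) {
    if (!proxy) verdict = 'no-route-and-no-proxy-applies';
    else if (leaves.some((e) => e.address === hostOf(proxy))) verdict = 'proxy-unreachable';
    else verdict = 'origin-dialed-directly-proxy-not-used';
  }
  return { verdict, codes, dialed, proxy };
}

// Constructed error with the same shape and addresses as the trace in the report.
const leaf = (ip, code = 'ENETUNREACH') => Object.assign(
  new Error(`connect ${code} ${ip}:443 - Local (0.0.0.0:0)`),
  { code, syscall: 'connect', address: ip, port: 443 });
const sampleError = new TypeError('fetch failed', {
  cause: new AggregateError([leaf('172.66.0.243'), leaf('162.159.140.245')]),
});

// Constructed proxy URL; a real run would pass process.env instead.
console.log(diagnose(sampleError, 'https://api.openai.com/v1/models',
  { HTTPS_PROXY: 'http://proxy.example.internal:8080' }));
```

A verdict of `origin-dialed-directly-proxy-not-used` means the failing sockets were opened to the origin's own addresses, so that request never went through the proxy named in the environment.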