You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This daily firewall report covers all agentic workflow runs with the firewall feature enabled over the past 7 days. Analysis is based on 33 runs from 2026-04-02, representing today's activity. The overall block rate is very low at 1.0% — the vast majority of network requests were served correctly, with only 8 blocked requests across 4 unique domains. All blocked requests appear to stem from codex/smoke-test workflows that attempted to access domains outside their configured allowlists.
Key Metrics
Metric
Value
🔥 Workflow Runs Analyzed
33
📅 Date Range
2026-04-02
📊 Total Requests Monitored
805
✅ Allowed Requests
797 (99.0%)
🚫 Blocked Requests
8 (1.0%)
🌐 Unique Blocked Domains
4
📈 Firewall Activity Trends
Request Patterns
The firewall processed 805 total requests today, with an excellent 99.0% allow rate. The 8 blocked requests (1.0% block rate) are all attributable to smoke-test and changeset-generation workflows that attempted connections to non-allowlisted domains. This low block rate indicates that production workflows have well-configured network permissions.
Top Blocked Domains
The most-blocked domain is chatgpt.com:443 (3 blocks), followed by github.com:443 and api.github.com:443 (2 blocks each). These blocks appear in smoke-test and changeset generator workflows — likely expected test behavior to verify firewall enforcement. The ab.chatgpt.com:443 domain (1 block) is a subdomain of chatgpt.com, also blocked in the same context.
Note on github.com and api.github.com blocks: These domains appear blocked in smoke-test and changeset-generator runs that use the codex engine with restricted allowed_domains: [defaults, node, go]. The Codex engine attempted to access GitHub APIs directly rather than through the GitHub MCP server — this is expected behavior verified by the smoke tests.
View Detailed Request Patterns by Workflow
Workflow: Changeset Generator (1 run — 23898592687)
Domain
Blocked
Allowed
Notes
chatgpt.com:443
1
0
Codex engine blocked from accessing ChatGPT
github.com:443
1
0
Direct git clone blocked
api.github.com:443
1
0
GitHub API direct access blocked
Engine: codex, Allowed domains: defaults, node, go
Total blocked: 3, Unique blocked domains: 3
Workflow: Smoke Call Workflow (1 run — 23896090674)
✅ No production workflow concerns — All blocked domains were in smoke-test or CI validation workflows. These blocks appear intentional (testing firewall enforcement).
🔧 Codex engine network access — The Changeset Generator workflow using the codex engine had blocked access to github.com and api.github.com. If this workflow needs GitHub access, consider using the GitHub MCP server toolset (tools.github.toolsets: [default]) instead of direct API access, as the Copilot agent cannot access api.github.com directly.
🚫 ChatGPT domain blocks — chatgpt.com and ab.chatgpt.com were blocked across multiple smoke-test workflows. These appear to be probe requests from the Codex engine trying to reach its backend. If these workflows require OpenAI/Codex API access, ensure api.openai.com is in the allowlist (it is allowed by the defaults preset).
📊 Low block rate is healthy — A 1.0% block rate with all blocks in test workflows indicates good network permission hygiene across production workflows. No suspicious or unexpected domain access patterns were detected.
📈 Monitor for trends — Only one day of data is available in this analysis period. Running this report daily will build historical trends to detect anomalies over time.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Executive Summary
This daily firewall report covers all agentic workflow runs with the firewall feature enabled over the past 7 days. Analysis is based on 33 runs from 2026-04-02, representing today's activity. The overall block rate is very low at 1.0% — the vast majority of network requests were served correctly, with only 8 blocked requests across 4 unique domains. All blocked requests appear to stem from codex/smoke-test workflows that attempted to access domains outside their configured allowlists.
Key Metrics
📈 Firewall Activity Trends
Request Patterns
The firewall processed 805 total requests today, with an excellent 99.0% allow rate. The 8 blocked requests (1.0% block rate) are all attributable to smoke-test and changeset-generation workflows that attempted connections to non-allowlisted domains. This low block rate indicates that production workflows have well-configured network permissions.
Top Blocked Domains
The most-blocked domain is
chatgpt.com:443(3 blocks), followed bygithub.com:443andapi.github.com:443(2 blocks each). These blocks appear in smoke-test and changeset generator workflows — likely expected test behavior to verify firewall enforcement. Theab.chatgpt.com:443domain (1 block) is a subdomain of chatgpt.com, also blocked in the same context.Top Blocked Domains
chatgpt.com:443github.com:443api.github.com:443ab.chatgpt.com:443View Detailed Request Patterns by Workflow
Workflow: Changeset Generator (1 run — 23898592687)
chatgpt.com:443github.com:443api.github.com:443Workflow: Smoke Call Workflow (1 run — 23896090674)
chatgpt.com:443github.com:443api.github.com:443ab.chatgpt.com:443Workflow: Smoke Codex (1 run — 23898592738)
chatgpt.com:443View Complete Blocked Domains List (Alphabetical)
ab.chatgpt.com:443api.github.com:443chatgpt.com:443github.com:443Security Recommendations
✅ No production workflow concerns — All blocked domains were in smoke-test or CI validation workflows. These blocks appear intentional (testing firewall enforcement).
🔧 Codex engine network access — The Changeset Generator workflow using the
codexengine had blocked access togithub.comandapi.github.com. If this workflow needs GitHub access, consider using the GitHub MCP server toolset (tools.github.toolsets: [default]) instead of direct API access, as the Copilot agent cannot accessapi.github.comdirectly.🚫 ChatGPT domain blocks —
chatgpt.comandab.chatgpt.comwere blocked across multiple smoke-test workflows. These appear to be probe requests from the Codex engine trying to reach its backend. If these workflows require OpenAI/Codex API access, ensureapi.openai.comis in the allowlist (it is allowed by thedefaultspreset).📊 Low block rate is healthy — A 1.0% block rate with all blocks in test workflows indicates good network permission hygiene across production workflows. No suspicious or unexpected domain access patterns were detected.
📈 Monitor for trends — Only one day of data is available in this analysis period. Running this report daily will build historical trends to detect anomalies over time.
References:
Beta Was this translation helpful? Give feedback.
All reactions