Restore Codex default-deny fetch behavior for workflow compilation (#34726)

Copilot · pelikhan · web-flow · commit 0c5dcc622cc1 · 2026-05-25T10:06:36.000-07:00
* fix: disable codex fetch unless web-fetch tool is configured

Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;

* test: align codex fetch test naming and comments

Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;

* docs: clarify codex fetch override comments

Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;

* docs: tighten fetch override wording

Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;
Co-authored-by: Peli de Halleux &lt;pelikhan@users.noreply.github.com&gt;
diff --git a/pkg/workflow/codex_engine.go b/pkg/workflow/codex_engine.go
@@ -166,13 +166,22 @@ func (e *CodexEngine) GetExecutionSteps(workflowData *WorkflowData, logFile stri
 	// Codex enables web search by default, so we must explicitly set web_search="disabled" to disable it.
 	// The --no-search flag does not exist; use the -c web_search="disabled" config option instead.
 	// See https://developers.openai.com/codex/cli/features#web-search
-	// Leading space is intentional: the format string concatenates this directly after "exec" with no space separator.
+	// Leading space is intentional: these params are concatenated directly and need their own separator.
 	webSearchParam := ` -c web_search="disabled"`
 	if workflowData.ParsedTools != nil && workflowData.ParsedTools.WebSearch != nil {
 		// Web search is enabled by default in Codex; no extra flag needed.
 		webSearchParam = ""
 	}
 
+	// Build fetch parameter: enforce AWF default-deny for fetch unless web-fetch tool is present.
+	// Codex enables fetch by default, so this code explicitly sets fetch="disabled" unless web-fetch is configured.
+	// Leading space is intentional: these params are concatenated directly and need their own separator.
+	webFetchParam := ` -c fetch="disabled"`
+	if workflowData.ParsedTools != nil && workflowData.ParsedTools.WebFetch != nil {
+		// When web-fetch is configured, omit override so Codex default fetch behavior remains enabled.
+		webFetchParam = ""
+	}
+
 	// See https://github.com/github/gh-aw/issues/892
 	// In AWF mode we bypass Codex approvals/sandboxing because AWF provides the sandbox layer.
 	// Outside AWF, keep Codex sandboxing enabled and disable approvals for non-interactive execution.
@@ -220,12 +229,12 @@ func (e *CodexEngine) GetExecutionSteps(workflowData *WorkflowData, logFile stri
 		// Harness-wrapped execution: the harness reads --prompt-file and passes its content
 		// as the last positional arg.  The harness also provides retry logic.
 		execPrefix := fmt.Sprintf(`%s %s/%s %s`, nodeRuntimeResolutionCommand, SetupActionDestinationShell, harnessScriptName, commandName)
-		codexCommand = fmt.Sprintf("%s exec%s%s%s%s--prompt-file /tmp/gh-aw/aw-prompts/prompt.txt",
-			execPrefix, modelParam, webSearchParam, executionPolicyParam, customArgsParam)
+		codexCommand = fmt.Sprintf("%s exec%s%s%s%s%s--prompt-file /tmp/gh-aw/aw-prompts/prompt.txt",
+			execPrefix, modelParam, webSearchParam, webFetchParam, executionPolicyParam, customArgsParam)
 	} else {
 		// Without harness: use shell expansion for the prompt (no retry logic).
-		codexCommand = fmt.Sprintf("%s exec%s%s%s%s\"$INSTRUCTION\"",
-			commandName, modelParam, webSearchParam, executionPolicyParam, customArgsParam)
+		codexCommand = fmt.Sprintf("%s exec%s%s%s%s%s\"$INSTRUCTION\"",
+			commandName, modelParam, webSearchParam, webFetchParam, executionPolicyParam, customArgsParam)
 	}
 
 	// Build the full command with agent file handling and AWF wrapping if enabled
diff --git a/pkg/workflow/codex_engine_test.go b/pkg/workflow/codex_engine_test.go
@@ -1010,7 +1010,7 @@ func TestCodexEngineWebSearch(t *testing.T) {
 func TestCodexEngineWebFetch(t *testing.T) {
 	engine := NewCodexEngine()
 
-	t.Run("fetch config is not emitted when tool not specified", func(t *testing.T) {
+	t.Run("disables fetch by default when web-fetch tool not specified", func(t *testing.T) {
 		workflowData := &WorkflowData{
 			Name: "test-workflow",
 		}
@@ -1019,8 +1019,8 @@ func TestCodexEngineWebFetch(t *testing.T) {
 			t.Fatalf("Expected 1 step, got %d", len(steps))
 		}
 		stepContent := strings.Join([]string(steps[0]), "\n")
-		if strings.Contains(stepContent, `-c fetch="disabled"`) {
-			t.Errorf(`Expected no -c fetch="disabled" config when web-fetch tool is not specified, got:\n%s`, stepContent)
+		if !strings.Contains(stepContent, `-c fetch="disabled"`) {
+			t.Errorf(`Expected -c fetch="disabled" config when web-fetch tool is not specified, got:\n%s`, stepContent)
 		}
 	})
 

Original file line number	Diff line number	Diff line change
`@@ -1010,7 +1010,7 @@ func TestCodexEngineWebSearch(t *testing.T) {`
`1010`	`1010`	`func TestCodexEngineWebFetch(t *testing.T) {`
`1011`	`1011`	`engine := NewCodexEngine()`
`1012`	`1012`
`1013`		`- t.Run("fetch config is not emitted when tool not specified", func(t *testing.T) {`
	`1013`	`+ t.Run("disables fetch by default when web-fetch tool not specified", func(t *testing.T) {`
`1014`	`1014`	`workflowData := &WorkflowData{`
`1015`	`1015`	`Name: "test-workflow",`
`1016`	`1016`	`}`
`@@ -1019,8 +1019,8 @@ func TestCodexEngineWebFetch(t *testing.T) {`
`1019`	`1019`	`t.Fatalf("Expected 1 step, got %d", len(steps))`
`1020`	`1020`	`}`
`1021`	`1021`	`stepContent := strings.Join([]string(steps[0]), "\n")`
`1022`		- if strings.Contains(stepContent, `-c fetch="disabled"`) {
`1023`		- t.Errorf(`Expected no -c fetch="disabled" config when web-fetch tool is not specified, got:\n%s`, stepContent)
	`1022`	+ if !strings.Contains(stepContent, `-c fetch="disabled"`) {
	`1023`	+ t.Errorf(`Expected -c fetch="disabled" config when web-fetch tool is not specified, got:\n%s`, stepContent)
`1024`	`1024`	`}`
`1025`	`1025`	`})`
`1026`	`1026`