Codex currently runs with it's built-in sandboxing disabled. This is much as if these settings are set:

tools:
  bash:
  web-search:
  edit:

network: *

In the context of GH-AW this is not honouring the user's input settings which are more restrictive on network.

Codex has its own sandboxing available in the tool, so that, for example,

• network access can be restricted
• bash commands can be pre-approved
• edit permissions can be restricted to workspace and /tmp

See https://github.com/openai/codex/blob/main/docs/config.md

We should continue to refine the GH-AW permission model to be coherent across Claude/Codex