From 255648eb9e01f23af29fb4b1fb16f70270cbb6ed Mon Sep 17 00:00:00 2001 From: Andrew Codispoti Date: Mon, 4 May 2026 11:52:20 -0700 Subject: [PATCH] fix(workflow): allow network access for package installs Summary: - Enable network access for the default Symphony turn sandbox policy used by the checked-in workflow. - Document that workflows running package managers or external host resolution need the networkAccess turn sandbox setting. Rationale: - The brix oaipkg install failure maps to Symphony launching Codex turns without an explicit network allowance, so DNS-dependent package installs can fail inside the turn sandbox. - Keeping the change in WORKFLOW.md is the smallest durable fix for this orchestration path and avoids changing safer implementation defaults for other workflows. Tests: - /usr/bin/env mix run -e IO.inspect(SymphonyElixir.Config.codex_runtime_settings(...)) - /usr/bin/env mix specs.check - /usr/bin/env mix test test/symphony_elixir/workspace_and_config_test.exs - /usr/bin/env make all MIX="/usr/bin/env mix" Co-authored-by: Codex --- elixir/README.md | 3 +++ elixir/WORKFLOW.md | 1 + 2 files changed, 4 insertions(+) diff --git a/elixir/README.md b/elixir/README.md index 6cb3ea98fe..eb4aabdef9 100644 --- a/elixir/README.md +++ b/elixir/README.md 
@@ -119,6 +119,9 @@ Notes: - When `codex.turn_sandbox_policy` is set explicitly, Symphony passes the map through to Codex unchanged. Compatibility then depends on the targeted Codex app-server version rather than local Symphony validation. +- Workflows that run package managers or other commands that resolve external hosts should set + `networkAccess: true` in `codex.turn_sandbox_policy`; otherwise DNS/network access may be denied + by the Codex turn sandbox. - `agent.max_turns` caps how many back-to-back Codex turns Symphony will run in a single agent invocation when a turn completes normally but the issue is still in an active state. Default: `20`. - If the Markdown body is blank, Symphony uses a default prompt template that includes the issue diff --git a/elixir/WORKFLOW.md b/elixir/WORKFLOW.md index 27e82cacc4..a458db0da3 100644 --- a/elixir/WORKFLOW.md +++ b/elixir/WORKFLOW.md @@ -34,6 +34,7 @@ codex: thread_sandbox: workspace-write turn_sandbox_policy: type: workspaceWrite + networkAccess: true --- You are working on a Linear ticket `{{ issue.identifier }}`
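Review bot: The new README bullet (the three `+` lines under "Notes:") tells readers to set `networkAccess: true` but does not show that it has to sit inside a complete policy map. The bullet just above it says an explicit `codex.turn_sandbox_policy` is passed through to Codex unchanged, so a reader who adds only that key would send a map with no `type`. Suggest showing the full form used in WORKFLOW.md (`type: workspaceWrite` together with `networkAccess: true`) and adding one sentence that the setting applies to the turn sandbox as a whole, so it should be enabled only in workflows that actually need outbound access.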
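Review bot: In the WORKFLOW.md hunk, `networkAccess: true` is added to the checked-in `turn_sandbox_policy` with no comment and no scoping, so every turn started from this workflow gets network access alongside `type: workspaceWrite`, not only the turns that install packages. Suggest a YAML comment on that line recording why it is on (package installs that need DNS), so the file is not copied as a safe default. The context line after the front matter shows the prompt interpolating `{{ issue.identifier }}` from a Linear ticket, so it is worth confirming in review that ticket-driven turns with both workspace write and network access are an accepted risk. The diffstat lists only the two Markdown files, so no test asserts the resulting policy; a check in `workspace_and_config_test.exs` that the parsed workflow carries `networkAccess: true` would catch an accidental revert.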