[codex] Use IPv6 loopback for managed macOS HTTP proxy

[viyatb-oai]

Why

Managed macOS network sessions inject an HTTP proxy endpoint for sandboxed child processes. The endpoint is currently bound to 127.0.0.1, but Python gRPC connects to an IPv4 proxy endpoint using an IPv4-mapped IPv6 socket (::ffff:127.0.0.1). Seatbelt does not recognize that socket representation as localhost, so it denies the proxy connection before any HTTP CONNECT request reaches ProxyF.

This presents as gRPC-based commands hanging or timing out even though ProxyF is active and ordinary HTTP clients can reach an allowed destination through the same proxy.

What changed

• Bind Codex-managed macOS HTTP proxy listeners on native IPv6 loopback ([::1]) instead of IPv4 loopback.
• Leave SOCKS listener behavior unchanged, preserving the existing macOS nc/SSH proxy-command path.
• Extend proxy tests to assert the macOS managed HTTP listener and injected HTTPS_PROXY URL use IPv6 loopback.

This keeps the existing Seatbelt localhost:<proxy-port> boundary intact; it avoids adding a wildcard-port allowance that would permit direct egress to arbitrary remote hosts on the proxy port.

Validation

• Reproduced the failure under Seatbelt: an IPv4 HTTP proxy endpoint works with requests, while gRPC fails with connect: Operation not permitted; a raw AF_INET6 connection to ::ffff:127.0.0.1 fails the same way.
• Verified the safe route: placing a native IPv6 loopback listener in front of the same ProxyF endpoint makes the same sandboxed gRPC connection succeed.
• Ran just fmt.
• Ran just test -p codex-network-proxy (166 tests passed).
• Ran just fix -p codex-network-proxy.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9a69b0bf3b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve IPv6 proxy address when unix sockets are enabled

On macOS with network.allow_unix_sockets or dangerously_allow_all_unix_sockets enabled, this reserves the managed HTTP listener on [::1]:0, but build() then re-applies config::clamp_bind_addrs, whose unix-socket safety path always rewrites loopback binds to 127.0.0.1:<port>. The actual reserved listener is still [::1]:<port>, while apply_to_env advertises http://127.0.0.1:<port>, so those sessions lose the native IPv6 proxy URL this change is meant to provide and gRPC can hit the same Seatbelt denial again. The new macOS assertion only covers the default config, so please keep the clamped managed HTTP address aligned with the IPv6 listener for the unix-socket-enabled case as well.

Useful? React with 👍 / 👎.