Fix Codex MCP Gateway connection by removing hardcoded IP

actions/setup/sh/convert_gateway_config_codex.sh

@@ -61,15 +61,8 @@ echo "Target domain: $MCP_GATEWAY_DOMAIN:$MCP_GATEWAY_PORT"
 # Note: URLs must use the correct domain (host.docker.internal) for container access
 
 # Build the correct URL prefix using the configured domain and port
-# For host.docker.internal, resolve to the gateway IP to avoid DNS resolution issues in Rust
-if [ "$MCP_GATEWAY_DOMAIN" = "host.docker.internal" ]; then
-  # AWF network gateway IP is always 172.30.0.1
-  RESOLVED_DOMAIN="172.30.0.1"
-  echo "Resolving host.docker.internal to gateway IP: $RESOLVED_DOMAIN"
-else
-  RESOLVED_DOMAIN="$MCP_GATEWAY_DOMAIN"
-fi
-URL_PREFIX="http://${RESOLVED_DOMAIN}:${MCP_GATEWAY_PORT}"
+# Use the domain directly (like Claude does) - Squid ACLs properly match domain names
+URL_PREFIX="http://${MCP_GATEWAY_DOMAIN}:${MCP_GATEWAY_PORT}"
 
 # Create the TOML configuration
 cat > /tmp/gh-aw/mcp-config/config.toml << 'TOML_EOF'

pkg/workflow/domains.go

@@ -34,7 +34,6 @@ var CopilotDefaultDomains = []string{
 
 // CodexDefaultDomains are the minimal default domains required for Codex CLI operation
 var CodexDefaultDomains = []string{
-	"172.30.0.1", // AWF gateway IP - Codex resolves host.docker.internal to this IP for Rust DNS compatibility
 	"api.openai.com",
 	"host.docker.internal",
 	"openai.com",

pkg/workflow/domains_test.go

@@ -259,7 +259,6 @@ func TestCopilotDefaultDomains(t *testing.T) {
 func TestCodexDefaultDomains(t *testing.T) {
 	// Verify that expected Codex domains are present
 	expectedDomains := []string{
-		"172.30.0.1", // AWF gateway IP - Codex resolves host.docker.internal to this IP
 		"api.openai.com",
 		"host.docker.internal",
 		"openai.com",
@@ -287,8 +286,8 @@ func TestGetCodexAllowedDomains(t *testing.T) {
 	t.Run("nil network permissions returns only defaults", func(t *testing.T) {
 		result := GetCodexAllowedDomains(nil)
 		// Should contain default Codex domains, sorted
-		if result != "172.30.0.1,api.openai.com,host.docker.internal,openai.com" {
-			t.Errorf("Expected '172.30.0.1,api.openai.com,host.docker.internal,openai.com', got %q", result)
+		if result != "api.openai.com,host.docker.internal,openai.com" {
+			t.Errorf("Expected 'api.openai.com,host.docker.internal,openai.com', got %q", result)
 		}
 	})
 
@@ -298,8 +297,8 @@ func TestGetCodexAllowedDomains(t *testing.T) {
 		}
 		result := GetCodexAllowedDomains(network)
 		// Should contain both default Codex domains and user-specified domain
-		if result != "172.30.0.1,api.openai.com,example.com,host.docker.internal,openai.com" {
-			t.Errorf("Expected '172.30.0.1,api.openai.com,example.com,host.docker.internal,openai.com', got %q", result)
+		if result != "api.openai.com,example.com,host.docker.internal,openai.com" {
+			t.Errorf("Expected 'api.openai.com,example.com,host.docker.internal,openai.com', got %q", result)
 		}
 	})
 
@@ -309,8 +308,8 @@ func TestGetCodexAllowedDomains(t *testing.T) {
 		}
 		result := GetCodexAllowedDomains(network)
 		// api.openai.com should not appear twice
-		if result != "172.30.0.1,api.openai.com,example.com,host.docker.internal,openai.com" {
-			t.Errorf("Expected '172.30.0.1,api.openai.com,example.com,host.docker.internal,openai.com', got %q", result)
+		if result != "api.openai.com,example.com,host.docker.internal,openai.com" {
+			t.Errorf("Expected 'api.openai.com,example.com,host.docker.internal,openai.com', got %q", result)
 		}
 	})
 
@@ -320,8 +319,8 @@ func TestGetCodexAllowedDomains(t *testing.T) {
 		}
 		result := GetCodexAllowedDomains(network)
 		// Empty allowed list should still return Codex defaults
-		if result != "172.30.0.1,api.openai.com,host.docker.internal,openai.com" {
-			t.Errorf("Expected '172.30.0.1,api.openai.com,host.docker.internal,openai.com', got %q", result)
+		if result != "api.openai.com,host.docker.internal,openai.com" {
+			t.Errorf("Expected 'api.openai.com,host.docker.internal,openai.com', got %q", result)
 		}
 	})
 }