fix: add chatgpt.com to CodexDefaultDomains and recompile all workflows #30207

Merged
pelikhan merged 4 commits into main from copilot/fix-ai-moderator-workflow-allowlist
May 5, 2026
Contributor

Copilot AI commented May 4, 2026

The Codex CLI connects to chatgpt.com and ab.chatgpt.com during operation (auth/telemetry), but these domains were absent from CodexDefaultDomains, causing recurring AWF firewall blocks in the AI Moderator workflow and any other Codex-based workflow.

Changes

  • pkg/workflow/domains.go — Add chatgpt.com to CodexDefaultDomains; AWF subdomain matching automatically covers ab.chatgpt.com
  • pkg/workflow/domains_test.go — Update TestCodexDefaultDomains expected set to include chatgpt.com
  • All Codex *.lock.yml workflows — Recompiled all 213 workflows; all Codex lock files (including ai-moderator, smoke-codex, changeset, and others) now include chatgpt.com in GH_AW_ALLOWED_DOMAINS and AWF config allowDomains entries

var CodexDefaultDomains = []string{
    "172.30.0.1",
    "api.openai.com",
    "chatgpt.com", // Codex CLI connects here (and subdomains e.g. ab.chatgpt.com) for auth/telemetry
    "host.docker.internal",
    "openai.com",
}
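
Added example (not code from this PR or from gh-aw): a sketch of what a bare-domain entry admits when subdomains match automatically, as the description above says AWF does. The matching rule (exact host, or suffix on a label boundary, IP entries exact only) and the names matchAllowed and redundantEntries are assumptions, since the page does not show AWF's matcher.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// List as shown in the PR description.
var codexDefaultDomains = []string{
	"172.30.0.1", "api.openai.com", "chatgpt.com", "host.docker.internal", "openai.com",
}

// normalizeHost lowercases the host and strips the trailing root dot.
func normalizeHost(h string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(h)), ".")
}

// matchAllowed returns the entry that admits host, or "" if none does.
// Assumed rule (not AWF's code): exact, or subdomain on a label boundary.
func matchAllowed(host string, allow []string) string {
	h := normalizeHost(host)
	for _, entry := range allow {
		e := normalizeHost(entry)
		// IP-literal entries match exactly only; names also match subdomains.
		if h == e || (net.ParseIP(e) == nil && strings.HasSuffix(h, "."+e)) {
			return entry
		}
	}
	return ""
}

// redundantEntries reports entries already covered by another entry.
func redundantEntries(allow []string) []string {
	var out []string
	for i, e := range allow {
		rest := append(append([]string{}, allow[:i]...), allow[i+1:]...)
		if matchAllowed(e, rest) != "" {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	// Constructed sample hosts, chosen to exercise the label boundary.
	for _, h := range []string{"ab.chatgpt.com", "notchatgpt.com", "chatgpt.com.example.net", "9.172.30.0.1"} {
		fmt.Printf("%-24s -> %q\n", h, matchAllowed(h, codexDefaultDomains))
	}
	fmt.Println("redundant:", redundantEntries(codexDefaultDomains))
}
```

Under these assumed semantics the single chatgpt.com entry admits every host beneath chatgpt.com, and api.openai.com is already covered by openai.com.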

…irewall violations

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/9f21f41f-da98-40eb-af54-d8eda3431301

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix AI Moderator workflow hitting ChatGPT domains outside allowlist" to "fix: add chatgpt.com to CodexDefaultDomains" May 4, 2026
Copilot AI requested a review from gh-aw-bot May 4, 2026 19:23
Collaborator

pelikhan commented May 4, 2026

@lpcox anything against this?

pelikhan added the awf label May 4, 2026
lpcox marked this pull request as ready for review May 5, 2026 00:04
Copilot AI review requested due to automatic review settings May 5, 2026 00:04
Contributor

Copilot AI left a comment

Pull request overview

Adds chatgpt.com to the Codex engine’s default allowlist so Codex CLI auth/telemetry calls stop getting blocked by the AWF firewall (notably in the AI Moderator workflow).

Changes:

  • Add chatgpt.com to CodexDefaultDomains.
  • Update TestCodexDefaultDomains expected domains to include chatgpt.com.
  • Recompile .github/workflows/ai-moderator.lock.yml so GH_AW_ALLOWED_DOMAINS and AWF allowDomains include chatgpt.com.

| File | Description |
| --- | --- |
| pkg/workflow/domains.go | Expands Codex default domain allowlist to include chatgpt.com. |
| pkg/workflow/domains_test.go | Updates unit test expectations for Codex default domains. |
| .github/workflows/ai-moderator.lock.yml | Updates compiled workflow allowlists so AI Moderator permits chatgpt.com. |

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 1

Comment thread pkg/workflow/domains.go
Comment on lines 39 to 46
// CodexDefaultDomains are the minimal default domains required for Codex CLI operation
var CodexDefaultDomains = []string{
"172.30.0.1", // AWF gateway IP - Codex resolves host.docker.internal to this IP for Rust DNS compatibility
"api.openai.com",
"chatgpt.com", // Codex CLI connects to chatgpt.com (and subdomains e.g. ab.chatgpt.com) for auth/telemetry
"host.docker.internal",
"openai.com",
}
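
Review bot: the "chatgpt.com" entry allows every subdomain of chatgpt.com, not only the two hosts the description names (chatgpt.com and ab.chatgpt.com), because subdomain matching is applied automatically per the PR description. This list is the default for every Codex-based workflow and its header comment calls it "minimal", so the inline comment should say that the whole chatgpt.com namespace is being opened and whether the telemetry host is actually required for operation or could stay blocked. Can AWF express an exact-host entry? If so, two exact entries would be narrower. The same matching also appears to make "api.openai.com" redundant next to "openai.com".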
github-actions Bot mentioned this pull request May 5, 2026
Contributor

github-actions Bot commented May 5, 2026

🧪 Test Quality Sentinel Report

Test Quality Score: 100/100

Excellent test quality

| Metric | Value |
| --- | --- |
| New/modified tests analyzed | 1 (table row addition) |
| ✅ Design tests (behavioral contracts) | 1 (100%) |
| ⚠️ Implementation tests (low value) | 0 (0%) |
| Tests with error/edge cases | 1 (100%) |
| Duplicate test clusters | 0 |
| Test inflation detected | No (1:1 ratio) |
| 🚨 Coding-guideline violations | None |

Test Classification Details

| Test | File | Classification | Issues Detected |
| --- | --- | --- | --- |
| TestCodexDefaultDomains (row: chatgpt.com) | pkg/workflow/domains_test.go:432 | ✅ Design | None |

Analysis Notes

This PR makes a minimal, focused change:

  • Production: adds "chatgpt.com" to CodexDefaultDomains in domains.go (+1 line)
  • Test: adds "chatgpt.com" to the expectedDomains slice in TestCodexDefaultDomains (+1 line)

No new test functions were added. The change extends an existing behavioral contract test — TestCodexDefaultDomains verifies that required domains appear in the CodexDefaultDomains list. Adding chatgpt.com to the expected list correctly enforces the new behavioral requirement.

Build tag: ✅ //go:build !integration present on line 1
Mock usage: ✅ None
Test inflation ratio: ✅ 1:1 (1 line test, 1 line production)
Assertion style: Uses t.Errorf with the domain name — sufficient context for a domain-list check


Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 1 modification — unit (//go:build !integration)
  • 🟨 JavaScript (*.test.cjs, *.test.js): 0 changes

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%).


📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

🧪 Test quality analysis by Test Quality Sentinel · ● 438.4K ·

Contributor

github-actions Bot left a comment

✅ Test Quality Sentinel: 100/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). The single test modification correctly extends the behavioral contract test for CodexDefaultDomains to include the new chatgpt.com domain.

Collaborator

lpcox commented May 5, 2026

@copilot merge main and recompile

Copilot AI and others added 2 commits May 5, 2026 01:40
…tor-workflow-allowlist

# Conflicts:
#	.github/workflows/ai-moderator.lock.yml

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Contributor Author

Copilot AI commented May 5, 2026

@copilot merge main and recompile

Done in 8a5037c. Merged main, rebuilt the binary, and recompiled all 213 workflows — all Codex lock files (including smoke-codex, changeset, and ai-moderator) now include chatgpt.com in GH_AW_ALLOWED_DOMAINS and AWF allowDomains.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv kend_inotify.go otify.go x_amd64/compile (http block)
  • https://api.github.com/repos/actions/download-artifact/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/docker/metadata-action/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "fix: add chatgpt.com to CodexDefaultDomains" to "fix: add chatgpt.com to CodexDefaultDomains and recompile all workflows" May 5, 2026
Copilot finished work on behalf of lpcox May 5, 2026 01:42
Copilot AI requested a review from lpcox May 5, 2026 01:42
pelikhan merged commit b6645a7 into main May 5, 2026
pelikhan deleted the copilot/fix-ai-moderator-workflow-allowlist branch May 5, 2026 02:30
Development

Successfully merging this pull request may close these issues.

[deep-report] AI Moderator workflow hitting ChatGPT domains outside allowlist policy

5 participants