remove cloudflare ranges

.devcontainer/README.md

@@ -28,7 +28,6 @@ This is a Codex-focused devcontainer setup adapted for this monorepo.
   - applies firewall rules through `init-firewall.sh`
   - enforces IPv6 default-deny so strict mode cannot be bypassed over IPv6
   - optionally adds GitHub CIDR ranges from `api.github.com/meta`
-  - optionally adds Cloudflare IPv4 CIDR ranges for CDN-backed endpoints
 
 ## Firewall modes
 
@@ -38,7 +37,6 @@ This is a Codex-focused devcontainer setup adapted for this monorepo.
 Optional strict-mode enhancement:
 
 - `CODEX_INCLUDE_GITHUB_META_RANGES=1` (default) hydrates GitHub CIDRs into the allowlist.
-- `CODEX_INCLUDE_CLOUDFLARE_RANGES=1` (default) hydrates Cloudflare IPv4 CIDRs into the allowlist.
 
 To run in permissive mode during a session:
 

.devcontainer/devcontainer.json

@@ -33,7 +33,6 @@
     "CODEX_UNSAFE_ALLOW_NO_SANDBOX": "1",
     "CODEX_ENABLE_FIREWALL": "1",
     "CODEX_INCLUDE_GITHUB_META_RANGES": "1",
-    "CODEX_INCLUDE_CLOUDFLARE_RANGES": "1",
     "OPENAI_ALLOWED_DOMAINS": "api.openai.com auth.openai.com github.com api.github.com codeload.github.com raw.githubusercontent.com objects.githubusercontent.com crates.io index.crates.io static.crates.io static.rust-lang.org registry.npmjs.org",
     "CARGO_TARGET_DIR": "/workspace/codex-rs/target/devcontainer",
     "GIT_CONFIG_GLOBAL": "/home/vscode/.gitconfig.local",

.devcontainer/init-firewall.sh

@@ -4,7 +4,6 @@ IFS=$'\n\t'
 
 allowed_domains_file="/etc/codex/allowed_domains.txt"
 include_github_meta_ranges="${CODEX_INCLUDE_GITHUB_META_RANGES:-1}"
-include_cloudflare_ranges="${CODEX_INCLUDE_CLOUDFLARE_RANGES:-1}"
 
 if [ -f "$allowed_domains_file" ]; then
   mapfile -t allowed_domains < <(sed '/^\s*#/d;/^\s*$/d' "$allowed_domains_file")
@@ -121,21 +120,6 @@ if [ "$include_github_meta_ranges" = "1" ]; then
   done < <(echo "$github_meta" | jq -r '((.web // []) + (.api // []) + (.git // []))[]' | sort -u)
 fi
 
-if [ "$include_cloudflare_ranges" = "1" ]; then
-  echo "Fetching Cloudflare IPv4 ranges"
-  cloudflare_ranges="$(curl -fsSL --connect-timeout 10 https://www.cloudflare.com/ips-v4)"
-
-  if [ -z "$(echo "$cloudflare_ranges" | sed '/^\s*#/d;/^\s*$/d')" ]; then
-    echo "ERROR: Cloudflare range response was empty"
-    exit 1
-  fi
-
-  while IFS= read -r cidr; do
-    [ -z "$cidr" ] && continue
-    add_ipv4_cidr_to_allowlist "Cloudflare" "$cidr"
-  done < <(echo "$cloudflare_ranges" | sed '/^\s*#/d;/^\s*$/d' | sort -u)
-fi
-
 host_ip="$(ip route | awk '/default/ {print $3; exit}')"
 if [ -z "$host_ip" ]; then
   echo "ERROR: Failed to detect host IP"

.devcontainer/post-start.sh

@@ -33,4 +33,4 @@ sudo chmod 0444 /etc/codex/allowed_domains.txt
 rm -f "$tmp_file"
 
 echo "[devcontainer] Applying firewall policy for domains: ${domains[*]}"
-sudo --preserve-env=CODEX_INCLUDE_GITHUB_META_RANGES,CODEX_INCLUDE_CLOUDFLARE_RANGES /usr/local/bin/init-firewall.sh
+sudo --preserve-env=CODEX_INCLUDE_GITHUB_META_RANGES /usr/local/bin/init-firewall.sh