agent-runner network lockdown: Squid egress allowlist + iptables DROP + mount boundary #8

Description

@Ryan-Atkinson87

Spec: §7.1 (container boundary), §7.2 (network egress allowlist), §1 Principle 4 (security is infrastructure, not agent goodwill).

The infrastructure security boundary. Only agent-runner is network-locked: routed solely through the Squid egress proxy with a hostname allowlist, backed by an iptables DROP rule, and filesystem-bound to a single project directory.

Acceptance criteria

  • egress-proxy runs Squid with a hostname ACL allowlist: github.com, api.github.com, codeload.github.com, registry.npmjs.org, pypi.org, files.pythonhosted.org, api.anthropic.com — domain-level only, no TLS interception, no CA cert.
  • Allowlist is extendable per-project (driven by project.yaml egress.allow, §16).
  • agent-runner has HTTP_PROXY/HTTPS_PROXY pointed at Squid and no default internet route.
  • An iptables DROP rule on the external interface blocks direct egress, so the proxy cannot be bypassed even if the agent removes the env vars (§7.2).
  • agent-runner filesystem-bound (mount) to a single project directory; it cannot read or write outside it (§7.1).
  • Other services (orchestrator-api, orchestrator-ui, langfuse) retain normal internet access — only agent-runner is locked.
  • Verification: a request from agent-runner to a non-allowlisted host is blocked; an allowlisted host succeeds (documented test or script).
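The pieces the criteria above describe, as an added example that is not the project's own code: a Squid configuration rendered from the base allowlist plus per-project extras, the iptables rules for the agent-runner network namespace, the compose fragment that binds the container to one project directory, and a verification function. Assumptions not stated in the issue: the proxy is the compose service `egress-proxy` on port 3128, agent-runner's external interface is `eth0`, the rules are applied by an init step holding CAP_NET_ADMIN before the agent process starts, and the `project.yaml` `egress.allow` hosts are passed as arguments because YAML parsing is out of scope here.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumed names: service "egress-proxy"
# on port 3128, external interface eth0, extra hosts passed as arguments.
set -eu

# Base allowlist from the acceptance criteria. No leading dot: exact hostnames only.
BASE_ALLOW="github.com api.github.com codeload.github.com registry.npmjs.org pypi.org files.pythonhosted.org api.anthropic.com"

# squid.conf: hostname ACL, CONNECT only to 443, everything else denied.
# No ssl_bump and no CA: Squid only ever sees the CONNECT target, never the TLS payload.
render_squid_conf() {
  hosts="$BASE_ALLOW${*:+ $*}"
  printf 'http_port 3128\n'
  printf 'acl allowed_dst dstdomain %s\n' "$hosts"
  printf 'acl SSL_ports port 443\n'
  printf 'acl Safe_ports port 80 443\n'
  printf 'acl CONNECT method CONNECT\n'
  printf 'http_access deny !Safe_ports\n'
  printf 'http_access deny CONNECT !SSL_ports\n'
  printf 'http_access allow allowed_dst\n'
  printf 'http_access deny all\n'   # default deny: an unlisted hostname gets 403
  printf 'cache deny all\n'         # pass-through proxy, nothing worth caching
}

# iptables rules for agent-runner's network namespace: loopback (Docker's embedded
# DNS at 127.0.0.11 lives there), TCP to the proxy, then DROP for anything else on
# the external interface. Printed rather than executed so they can be reviewed;
# apply with: render_egress_rules 172.20.0.5 eth0 | sh   (from the CAP_NET_ADMIN init step)
render_egress_rules() {
  proxy_ip="$1"
  iface="${2:-eth0}"
  printf 'iptables -A OUTPUT -o lo -j ACCEPT\n'
  printf 'iptables -A OUTPUT -o %s -p tcp -d %s --dport 3128 -j ACCEPT\n' "$iface" "$proxy_ip"
  printf 'iptables -A OUTPUT -o %s -j DROP\n' "$iface"   # last rule: direct egress is dropped
}

# Compose fragment for agent-runner: proxy env vars plus the mount boundary. The
# project directory is the only host path mounted; the root filesystem is read-only
# so writes can land only in /workspace (and a private tmpfs).
render_agent_runner_service() {
  project="$1"
  cat <<EOF
  agent-runner:
    environment:
      HTTP_PROXY: http://egress-proxy:3128
      HTTPS_PROXY: http://egress-proxy:3128
    volumes:
      - ./projects/${project}:/workspace:rw
    working_dir: /workspace
    read_only: true
    tmpfs:
      - /tmp
EOF
}

# Verification, run from inside agent-runner (needs network, so not part of the
# offline test): allowlisted host succeeds through the proxy, a non-allowlisted
# host is refused by Squid, and a direct connection bypassing the proxy times out
# because the DROP rule discards the packets. Returns 0 only if all three hold.
verify_egress() {
  proxy="${1:-http://egress-proxy:3128}"
  curl -sS -o /dev/null -x "$proxy" --max-time 15 https://api.github.com/ || return 1
  if curl -s -o /dev/null -x "$proxy" --max-time 15 https://example.com/; then
    return 1   # should have been refused (Squid answers the CONNECT with 403)
  fi
  if curl -s -o /dev/null --noproxy '*' --connect-timeout 5 https://api.github.com/; then
    return 1   # direct egress worked, so the iptables boundary is missing
  fi
  return 0
}
```

Only the last function touches the network; the three renderers are pure templates, so the allowlist, the rule order (DROP must be appended last) and the mount can be checked in CI before anything is deployed. Per-project extension is `render_squid_conf extra.example.com`, with the hostnames taken from `project.yaml` `egress.allow` by whatever reads that file.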

Dependencies

Depends on: #7

Metadata

Labels: enhancement (New feature or request)
Assignees: none
Projects: none
Milestone: none
Relationships: none yet
Development: no branches or pull requests