Spec: §7.1 (container boundary), §7.2 (network egress allowlist), §1 Principle 4 (security is infrastructure, not agent goodwill).
The infrastructure security boundary. Only agent-runner is network-locked: routed solely through the Squid egress proxy with a hostname allowlist, backed by an iptables DROP rule, and filesystem-bound to a single project directory.
Acceptance criteria
egress-proxy runs Squid with a hostname ACL allowlist: github.com, api.github.com, codeload.github.com, registry.npmjs.org, pypi.org, files.pythonhosted.org, api.anthropic.com — domain-level only, no TLS interception, no CA cert.
Allowlist is extendable per-project (driven by project.yaml egress.allow, §16).
agent-runner has HTTP_PROXY/HTTPS_PROXY pointed at Squid and no default internet route.
An iptables DROP rule on the external interface blocks direct egress, so the proxy cannot be bypassed even if the agent removes the env vars (§7.2).
agent-runner filesystem-bound (mount) to a single project directory; it cannot read or write outside it (§7.1).
Other services (orchestrator-api, orchestrator-ui, langfuse) retain normal internet access — only agent-runner is locked.
Verification: a request from agent-runner to a non-allowlisted host is blocked; an allowlisted host succeeds (documented test or script).
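The allowlist above is static text; what the proxy actually enforces is the Squid ACL rendered from it plus the project's egress.allow additions. The following is an added example (not the project's own tooling) that builds that ACL: it validates every entry as a bare hostname (rejecting schemes, paths, ports, wildcards and IP literals), merges the base list with project.yaml egress.allow, renders a minimal squid.conf with no ssl_bump or CA (HTTPS is tunnelled via CONNECT, so only the hostname is visible), and mirrors Squid's dstdomain matching so a proposed list can be checked before the proxy is reloaded. The project.yaml content is assumed to be already parsed into a dict; the sample entries (crates.io) are constructed for the demonstration.

```python
"""Render the Squid egress allowlist from the base list plus a project's
egress.allow entries, and mirror Squid's dstdomain matching so the merged
list can be checked offline.

Added example, not the project's own code.  Assumption: project.yaml has
already been parsed into a dict; only the egress.allow key is read."""
import re

# Base allowlist from the acceptance criteria (domain-level only).
BASE_ALLOWLIST = [
    "github.com", "api.github.com", "codeload.github.com",
    "registry.npmjs.org", "pypi.org", "files.pythonhosted.org",
    "api.anthropic.com",
]

# Hostname labels only: no scheme, path, port, wildcard or IP literal.
# A single leading dot is permitted because Squid's dstdomain uses it to
# mean "this domain and all of its subdomains".
_HOST_RE = re.compile(r"^\.?((?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


def is_valid_entry(entry: str) -> bool:
    """True if the entry is a plain (optionally dot-prefixed) hostname."""
    return bool(_HOST_RE.match(entry.strip().lower()))


def validate_entry(entry: str) -> str:
    """Normalise one allowlist entry or raise ValueError."""
    if not is_valid_entry(entry):
        raise ValueError(f"rejected egress.allow entry: {entry!r}")
    return entry.strip().lower()


def merged_allowlist(project_cfg: dict) -> list:
    """Base allowlist plus project.yaml egress.allow, validated, deduplicated, sorted."""
    extra = (project_cfg.get("egress") or {}).get("allow") or []
    return sorted({validate_entry(h) for h in BASE_ALLOWLIST + list(extra)})


def render_squid_conf(allowlist: list, port: int = 3128) -> str:
    """Minimal squid.conf: hostname ACL, CONNECT only to 443, deny everything else.
    No ssl_bump and no CA cert: the proxy never terminates TLS."""
    lines = [
        f"http_port {port}",
        "acl allowed_hosts dstdomain " + " ".join(allowlist),
        "acl SSL_ports port 443",
        "acl Safe_ports port 80 443",
        "http_access deny !Safe_ports",
        "http_access deny CONNECT !SSL_ports",
        "http_access allow allowed_hosts",
        "http_access deny all",  # default-deny: unlisted hosts are blocked
    ]
    return "\n".join(lines) + "\n"


def host_allowed(host: str, allowlist: list) -> bool:
    """Mirror Squid dstdomain semantics: a plain entry matches exactly,
    a leading-dot entry matches the domain and any subdomain."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


if __name__ == "__main__":
    # Constructed project.yaml content (already parsed) for demonstration only.
    project_cfg = {"egress": {"allow": ["crates.io", "static.crates.io"]}}
    acl = merged_allowlist(project_cfg)
    print(render_squid_conf(acl))
    for h in ("api.github.com", "static.crates.io", "example.com", "evil.github.com"):
        print(f"{h:20} -> {'allow' if host_allowed(h, acl) else 'deny'}")
```

Note that exact entries such as github.com do not cover subdomains, so a project that needs a wildcard-like scope has to add the dot-prefixed form explicitly; that keeps the extension visible in project.yaml rather than implied by the base list. The live check from the last criterion (a request from agent-runner to a listed and an unlisted host) still has to run against the real stack; this script only catches a malformed or over-broad list before it reaches the proxy.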
Dependencies
Depends on: #7