egress_guard
Outbound network control by domain/IP policy.
What it mitigates
- Exfiltration to unapproved hosts
- Callback traffic to attacker-controlled endpoints
- Data leakage via permissive networking
Recommended defaults
| Profile | strategy |
|---|---|
local | strict allowlist |
standard | allowlist for critical paths, blocklist for known bad |
unbounded | monitor and log aggressively |
Minimal config
moduleConfig:
egress_guard:
# Choose one mode for predictability:
# allowedDomains:
# - "api.openai.com"
# - "example.org"
# blockedDomains:
# - "*.pastebin.com"Design guidance
- Prefer allowlist mode in production-like contexts.
- Keep policy close to business-required outbound dependencies.
- Revalidate after adding new tools/integrations.