egress_guard

Outbound network control by domain/IP policy.

What it mitigates

Exfiltration to unapproved hosts
Callback traffic to attacker-controlled endpoints
Data leakage via permissive networking

Recommended defaults

Profile	strategy
`local`	strict allowlist
`standard`	allowlist for critical paths, blocklist for known bad
`unbounded`	monitor and log aggressively

Minimal config

moduleConfig:
  egress_guard:
    bindingMode: global_only   # global_only | intersect
    # Choose one mode for predictability:
    # allowedDomains:
    #   - "api.openai.com"
    #   - "example.org"
    # blockedDomains:
    #   - "*.pastebin.com"

Tool-specific binding example (bindingMode: intersect):

moduleConfig:
  tool_policy:
    rules:
      - tool: "SlackSend"
        action: allow
        egress:
          allowedDomains: ["api.slack.com"]
  egress_guard:
    allowedDomains: ["api.slack.com", "api.openai.com"]
    bindingMode: intersect

Design guidance

Prefer allowlist mode in production-like contexts.
Use bindingMode: intersect to force tool-level egress narrowing.
Keep policy close to business-required outbound dependencies.
Revalidate after adding new tools/integrations.

egress_guard

What it mitigates

Recommended defaults

Minimal config

Design guidance

Related modules