potiuk opened a new pull request, #429: URL: https://github.com/apache/airflow-steward/pull/429
## Summary

Adds `tools/egress-gateway/` — a local **host-allowlisting HTTP(S) forward proxy** (a `proxy.py` plugin) that constrains *where* framework tools may send data, and documents it in **RFC-AI-0003** as Mechanism 3 (defence-in-depth).

RFC-AI-0003's two mechanisms (PII redactor + approved-LLM gate) act at the **application layer** — they bound what a skill deliberately sends to an LLM. Neither stops an *unintended* outbound flow (a buggy tool, or a prompt-injection payload coaxing the agent into `curl`-ing private data out) — the gap `docs/setup/secure-agent-setup.md` flags for `Bash(curl *)` egress. The gateway closes it at the **network layer**: default-deny host allowlist, `403` before a socket opens. Layered *under* the two mechanisms, never a replacement.

## What's here

- **`tools/egress-gateway/`** — `proxy.py` plugin (`EgressAllowlistPlugin`) + CLI launcher + `tool.md`/`README.md`. Default allowlist mirrors `sandbox.network.allowedDomains` (ASF infra, GitHub, Google APIs, PyPI), suffix-matched; loopback always allowed; adopters extend via `EGRESS_ALLOW_EXTRA`.
- **`host_allowed()`** is a pure function with **28 unit tests** (IPv6, port/dot normalisation, suffix-spoof rejection, env-extra parsing).
- **RFC-AI-0003** — abstract note + §4.4 (Mechanism 3) + §6.4 (implementation) + §10.6 (wiring follow-ups) + references.
- Registered in `docs/labels-and-capabilities.md` (`capability:setup`) and the uv workspace.

## Notes

- **Host-level only** (HTTPS via CONNECT, no TLS interception/payload inspection) — egress control without MITM.
- Separate tool (not a `privacy-llm` sub-tool) because it carries a third-party runtime dep (`proxy.py`); the privacy-llm sub-tools are stdlib-only by contract.
- **Optional & provisional**: ships as a documented, tested tool but is not yet wired into a setup skill or `privacy-llm-check`; §10.6 tracks that.
## Test plan

- [x] `prek run` green (ruff, mypy, pytest, doctoc, workspace-members, capability validator)
- [x] 28/28 unit tests pass
- [x] Manually verified end-to-end locally: allowed host -> 200, off-list host -> 403 CONNECT-rejected

Generated-by: Claude Code (Claude Opus 4.8)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
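A stand-alone sketch of the `host_allowed()` policy the PR describes (suffix matching on label boundaries, port/dot/case normalisation, bracketed IPv6, loopback always allowed, `EGRESS_ALLOW_EXTRA` parsing). This is an added example, not the PR's own `proxy.py` plugin; the default suffixes, the comma-separated format of `EGRESS_ALLOW_EXTRA` and the helper names are assumptions.

```python
import ipaddress
from typing import Optional, Sequence

# Constructed stand-in for the default allowlist; the real list mirrors
# sandbox.network.allowedDomains and is not reproduced here.
DEFAULT_ALLOW = ("apache.org", "github.com", "googleapis.com", "pypi.org")


def normalise_host(host: str) -> str:
    """Lower-case, strip a trailing dot and a :port, unwrap [ipv6]:port.
    Returns "" for a malformed host so callers fall through to deny."""
    h = host.strip().lower()
    if h.startswith("["):                      # [::1]:8080 -> ::1
        end = h.find("]")
        return "" if end == -1 else h[1:end]
    if h.count(":") == 1:                      # host:port, not a bare IPv6
        h = h.rsplit(":", 1)[0]
    return h.rstrip(".")


def is_loopback(h: str) -> bool:
    if h == "localhost":
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:                         # not an IP literal
        return False


def parse_extra(env_value: Optional[str]) -> tuple:
    """EGRESS_ALLOW_EXTRA (assumed comma-separated); blanks dropped,
    leading dots and case normalised so ".Corp.Example" == "corp.example"."""
    if not env_value:
        return ()
    parts = (normalise_host(p).lstrip(".") for p in env_value.split(","))
    return tuple(p for p in parts if p)


def host_allowed(host: str, allow: Sequence[str] = DEFAULT_ALLOW,
                 extra: Optional[str] = None) -> bool:
    """Default-deny: True only for loopback or a host equal to, or a
    subdomain of, an allowed suffix. Matching on a label boundary is what
    rejects spoofs such as evilgithub.com or github.com.attacker.net."""
    h = normalise_host(host)
    if not h:
        return False
    if is_loopback(h):
        return True
    for suffix in (*allow, *parse_extra(extra)):
        suffix = suffix.lstrip(".")
        if h == suffix or h.endswith("." + suffix):
            return True
    return False
```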
