The GitHub Actions job "link-check" on airflow-steward.git/egress-gateway-proxy 
has succeeded.
Run started by GitHub user potiuk (triggered by potiuk).

Head commit for run:
7764743a2afc0a80ae01421941f098a942421392 / Jarek Potiuk <[email protected]>
feat(egress-gateway): add egress-allowlist proxy; document in RFC-AI-0003

Adds tools/egress-gateway/ — a local host-allowlisting HTTP(S) forward
proxy (a proxy.py plugin) that constrains where framework tools may send
data. It is the network-layer egress-control chokepoint: tools point
HTTPS_PROXY at it, and any CONNECT/request to a host not on the allowlist
is rejected with 403 before a socket is opened.

Why: RFC-AI-0003's two mechanisms (PII redactor + approved-LLM gate) act
at the application layer — they bound what a skill deliberately sends to
an LLM. Neither stops an unintended outbound flow (a buggy tool, or a
prompt-injection payload coaxing the agent into curling private data out)
— the gap docs/setup/secure-agent-setup.md flags for Bash(curl *) egress.
The gateway closes it at the network layer as defence-in-depth, layered
under the two mechanisms, never a replacement.

Design:
- Default-deny allowlist mirrors sandbox.network.allowedDomains (ASF infra,
  GitHub, Google APIs, PyPI), suffix-matched; loopback always allowed;
  adopters extend via EGRESS_ALLOW_EXTRA without editing code.
- Host-level only (HTTPS via CONNECT, no TLS interception / payload
  inspection) — the right model for egress control without MITM.
- host_allowed() is a pure function with 28 unit tests (IPv6, port/dot
  normalisation, suffix-spoof rejection, env-extra parsing). proxy.py
  integration is not exercised in CI (needs to bind a port).
- Separate tool (not a privacy-llm sub-tool) because it carries a
  third-party runtime dep (proxy.py); the privacy-llm sub-tools are
  stdlib-only by contract.

RFC-AI-0003 updated: abstract note + §4.4 (Mechanism 3, defence-in-depth)
+ §6.4 (implementation) + §10.6 (wiring follow-ups) + references. Tool
registered in docs/labels-and-capabilities.md (capability:setup) and the
uv workspace.

The mechanism is optional and provisional: it ships as a documented,
tested tool but is not yet wired into a setup skill or privacy-llm-check;
§10.6 tracks that follow-up.

Generated-by: Claude Code (Claude Opus 4.8)

Report URL: https://github.com/apache/airflow-steward/actions/runs/26761220484

With regards,
GitHub Actions via GitBox
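
The default-deny, suffix-matched host check the commit message describes can be sketched as follows. This is an added example, not the project's `host_allowed()` or any code from the commit: the allowlist entries are constructed stand-ins for the categories named above, and the comma-separated format assumed for `EGRESS_ALLOW_EXTRA` is an assumption.

```python
import ipaddress

# Constructed sample allowlist (assumption): the commit message names only
# categories (ASF infra, GitHub, Google APIs, PyPI), not the actual entries.
DEFAULT_ALLOW = ("apache.org", "github.com", "googleapis.com", "pypi.org")


def normalise_host(target: str) -> str:
    """Reduce 'Host:443', '[::1]:8080' or 'host.' to a bare lowercase host."""
    host = target.strip().lower()
    if host.startswith("["):          # bracketed IPv6 literal, optional port
        host = host[1:].partition("]")[0]
    elif host.count(":") == 1:        # name-or-IPv4 followed by :port
        host = host.rpartition(":")[0]
    return host.rstrip(".")           # drop the trailing dot of an FQDN


def parse_extra(raw: str = "") -> tuple:
    """Parse an EGRESS_ALLOW_EXTRA-style value (assumed comma-separated)."""
    entries = (normalise_host(e).lstrip(".") for e in raw.split(","))
    return tuple(e for e in entries if e)


def is_loopback(host: str) -> bool:
    """True for 'localhost' and for any IPv4/IPv6 loopback literal."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                # not an IP literal
        return False


def host_allowed(target: str, extra: str = "") -> bool:
    """Default deny: allow loopback, an exact entry, or a dot-bounded subdomain."""
    host = normalise_host(target)
    if not host:
        return False
    if is_loopback(host):
        return True
    allow = DEFAULT_ALLOW + parse_extra(extra)
    # Requiring the "." boundary is what rejects suffix spoofs such as
    # "evilgithub.com"; "github.com.evil.example" fails because it does not
    # end with an allowlisted name at all.
    return any(host == d or host.endswith("." + d) for d in allow)
```

Because the check sees only the CONNECT target, it decides on the hostname alone, which matches the host-level, no-TLS-interception model in the design notes.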


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
