Expand description
Shared host-pattern matcher for outbound-network allow/deny checks.
This is the single source of truth for host-pattern matching used by every
layer that gates outbound requests: the agent runtime’s egress proxy
(mur-agent-runtime::sandbox::reqwest_guard) and the research gateway’s
SSRF guard (mur-research-gateway::net_guard). A security boundary must
not have two copies of this logic that can silently drift apart.
IP-range predicates (loopback/private/link-local/unspecified) are deliberately NOT shared here — different callers apply different IP policies (e.g. the runtime allows loopback/RFC1918 for local LLMs while the research gateway forbids them). Only the host-pattern string matcher is common.
Functions§
- host_
allowed - True if
hostmatches any allowlist pattern. An empty allowlist denies all (fail-closed). Reuses the same matcher the agent’s reqwest guard uses, so per-MCP-server egress allowlisting behaves identically to agent-level hosts. - host_
matches_ pattern - Match a host against an allowlist pattern.