
Module network_policy


Per-domain network policy for outbound network calls (#135).

Three small pieces:

  1. Decision: Allow | Deny | Prompt.
  2. NetworkPolicy — a list of allow/deny hostnames + a default decision, with deny-wins precedence: a host that matches an entry in deny is denied even if it also matches allow.
  3. NetworkAuditor — appends one plaintext line per outbound call to ~/.deepseek/audit.log in the format described below.

In addition, NetworkSessionCache holds in-process “approve once for this session” state for the Prompt flow, and NetworkDenied is the structured error surfaced to callers when a host is blocked.

Host-matching rules

  • Exact match — an entry like api.deepseek.com matches only the host api.deepseek.com (case-insensitive).
  • Subdomain match — an entry that starts with a leading dot, e.g. .example.com, matches any subdomain (api.example.com, a.b.example.com) but not the apex example.com. To match both, list both.

Matching is case-insensitive and trims a single trailing dot from the host (so example.com. and example.com are equivalent).
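
The host-matching rules and deny-wins precedence described above, as an added Rust example that is not the crate's own code. `Verdict`, `normalize`, `entry_matches` and `evaluate` are hypothetical names, and the policy entries are constructed samples.

```rust
// Added illustration; not the crate's implementation. All names are hypothetical.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Verdict { Allow, Deny, Prompt }

/// Lowercase the host and trim a single trailing dot.
fn normalize(host: &str) -> String {
    host.strip_suffix('.').unwrap_or(host).to_ascii_lowercase()
}

/// `.example.com` matches strict subdomains only; any other entry is an exact match.
fn entry_matches(entry: &str, host: &str) -> bool {
    let entry = entry.to_ascii_lowercase();
    if entry.starts_with('.') {
        // Keeping the leading dot in the suffix test enforces a label boundary,
        // so `.example.com` matches neither `evilexample.com` nor the apex.
        host.len() > entry.len() && host.ends_with(&entry)
    } else {
        host == entry
    }
}

fn evaluate(allow: &[&str], deny: &[&str], default: Verdict, host: &str) -> Verdict {
    let host = normalize(host);
    // Deny is checked first so it wins over any overlapping allow entry.
    if deny.iter().any(|e| entry_matches(e, &host)) {
        Verdict::Deny
    } else if allow.iter().any(|e| entry_matches(e, &host)) {
        Verdict::Allow
    } else {
        default
    }
}

fn main() {
    // Constructed sample policy: a broad subdomain allow with a narrower deny.
    let allow = [".example.com", "api.deepseek.com"];
    let deny = ["internal.example.com"];
    for h in ["API.DeepSeek.com.", "a.b.example.com", "internal.example.com",
              "example.com", "evilexample.com"] {
        println!("{h} -> {:?}", evaluate(&allow, &deny, Verdict::Prompt, h));
    }
}
```

Checking deny before allow is what lets a broad entry such as `.example.com` stay in the allow list while a single sensitive subdomain remains blocked.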

Audit-log format

<RFC3339-timestamp> network <host> <tool> <Allow|Deny|Prompt-Approved|Prompt-Denied>

Plaintext, one line per call, appended to <audit_path> (defaults to ~/.deepseek/audit.log). Best-effort: write failures are logged but do not block the call.

Structs

NetworkAuditor
Best-effort writer for the network audit log.
NetworkDenied
Structured error surfaced to callers when an outbound call is blocked.
NetworkPolicy
Per-domain allow/deny list with a default fallback.
NetworkPolicyDecider
Glue type that bundles a NetworkPolicy with a session cache and an auditor. Tools call NetworkPolicyDecider::evaluate before any HTTP transport is constructed; the result decides whether to proceed, deny, or prompt the user.
NetworkSessionCache
In-process cache of “approve once for this session” decisions. Keyed by normalized host. Thread-safe.

Enums

Decision
What the policy decided about an outbound network call.
DecisionToml
Wire-format wrapper for Decision used in serde-derived TOML/JSON. The runtime API exposes Decision directly; this type only exists so default = "prompt" round-trips cleanly through TOML.

Functions

host_from_url
Extract the host portion of a URL, lowercased. Returns None if the URL can’t be parsed or has no host.