Add runtime egress enforcement and audit logging#9
Merged
initializ-mk merged 1 commit intomainfrom Feb 27, 2026
Merged
Conversation
- Add EgressEnforcer (http.RoundTripper) that validates outbound requests against domain allowlist with wildcard support and localhost bypass - Add structured NDJSON audit logger with correlation IDs and task IDs for end-to-end request tracing - Extend HookContext with TaskID/CorrelationID, populate in all Fire() calls - Wire egress transport into all HTTP-making tools (http_request, mcp_call, webhook_call, web_search_tavily, web_search_perplexity) - Resolve egress config in runner, inject enforcer and audit logger into handler context, register audit hooks for tool/LLM/egress events - Rewrite README with full coverage of fallback chains, OAuth, memory, runtime security, guardrails, context budgeting, and config reference
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
EgressEnforcer— anhttp.RoundTripperthat validates every outbound HTTP request against the resolved domain allowlist before forwarding. Supports exact match, wildcard domains (*.github.com), and always-allowed localhost. Three modes:deny-all,allowlist,dev-open.session_start,session_end,tool_exec,egress_allowed,egress_blocked,llm_call) and correlation IDs for end-to-end request tracing.TaskIDandCorrelationIDpropagated through context andHookContext, attached to all audit events including egress callbacks.http_request,mcp_call,webhook_call,web_search_tavily,web_search_perplexity) now use the egress-enforced transport/client from context.Files changed
forge-core/security/egress_enforcer.gohttp.RoundTripperwrapper + context helpersforge-core/security/egress_enforcer_test.goforge-core/security/egress_integration_test.goforge-core/runtime/audit.goforge-core/runtime/audit_test.goforge-core/runtime/audit_integration_test.goforge-core/runtime/hooks.goforge-core/runtime/loop.goforge-core/tools/builtins/http_request.goforge-core/tools/builtins/web_search_tavily.goforge-core/tools/builtins/web_search_perplexity.goforge-core/tools/adapters/mcp_call.goforge-core/tools/adapters/webhook_call.goforge-cli/runtime/runner.goREADME.mdTest plan
forge-core/security— all egress enforcer tests pass (allowlist, deny-all, dev-open, wildcards, localhost, callbacks, context helpers, integration)forge-core/runtime— all audit logger tests pass (emit, concurrent safety, context round-trips, event sequence)forge-core/tools— existing tool tests pass unchanged (backward compatible when no egress client in context)forge-cli/runtime— runner tests pass with updatedregisterHandlerssignaturegolangci-lintclean on bothforge-coreandforge-cli