Config policies (16 files): alert_routing, architecture_pressure, backlog, cost_weights, data_governance, incident_escalation, incident_intelligence, network_allowlist, nodes_registry, observability_sources, rbac_tools_matrix, release_gate, risk_attribution, risk_policy, slo_policy, tool_limits, tools_rollout Ops (22 files): Caddyfile, calendar compose, grafana voice dashboard, deployments/incidents logs, runbooks for alerts/audit/backlog/incidents/sofiia/voice, cron jobs, scripts (alert_triage, audit_cleanup, migrate_*, governance, schedule), task_registry, voice alerts/ha/latency/policy Docs (30+ files): HUMANIZED_STEPAN v2.7-v3 changelogs and runbooks, NODA1/NODA2 status and setup, audit index and traces, backlog, incident, supervisor, tools, voice, opencode, release, risk, aistalk, spacebot Made-with: Cursor
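---
# Network Allowlist for Tool HTTP Calls
#
# Tools that make outbound HTTP requests MUST use only hosts/IPs listed here.
# Any request to unlisted hosts is blocked by tool_governance.py middleware.
#
# Format per tool (every top-level key except private_ip_ranges is one tool):
#   description:          free-text purpose of the entry
#   hosts:                exact hostname or IP
#   prefixes:             URL prefix match (for paths)
#   ports_allowed:        ports permitted for the listed hosts
#   schemes:              URL schemes permitted for the tool
#   allow_any_public:     true = any non-private destination is reachable in
#                         addition to the listed hosts
#   block_private_ranges: true = destinations inside private_ip_ranges are refused
#
# NOTE(review): for hostnames the allow/block decision should be made against the
# address the name resolves to, not only the literal host string — confirm this is
# how tool_governance.py applies private_ip_ranges.

# ─── Observability Sources ────────────────────────────────────────────────────
observability_tool:
  description: "Prometheus, Loki, Tempo datasources"
  hosts:
    - "localhost"
    - "127.0.0.1"
    - "prometheus"
    - "loki"
    - "tempo"
    - "monitoring"
    - "144.76.224.179"  # NODA1 monitoring
  ports_allowed: [9090, 3100, 3200, 9080]
  schemes: ["http", "https"]

# ─── Oncall / Service Health ──────────────────────────────────────────────────
oncall_tool:
  description: "Internal service health endpoints only"
  hosts:
    - "localhost"
    - "127.0.0.1"
    - "gateway"
    - "router"
    - "memory"
    - "qdrant"
    - "nats"
    - "144.76.224.179"  # NODA1
    - "212.8.58.133"  # NODA3
  ports_allowed: [80, 443, 8000, 8080, 8222, 9000, 9100, 9102, 9200, 9300, 9400]
  schemes: ["http", "https"]

# ─── Web Search / Extract ─────────────────────────────────────────────────────
web_search:
  description: "Search provider APIs"
  hosts:
    - "api.duckduckgo.com"
    - "serpapi.com"
    - "api.bing.microsoft.com"
    - "customsearch.googleapis.com"
  schemes: ["https"]

web_extract:
  description: "Any public HTTPS URL (user-provided)"
  # User-supplied destination: the only thing keeping this tool off the internal
  # network is block_private_ranges, so private_ip_ranges below must stay complete.
  allow_any_public: true  # Allow any non-private IP
  block_private_ranges: true  # Block RFC1918 / loopback / link-local
  schemes: ["https"]

crawl4ai_scrape:
  description: "Crawl4AI service + public URLs"
  # NOTE(review): this entry both lists loopback hosts and sets
  # block_private_ranges; the middleware must define which rule wins for
  # 127.0.0.1/localhost — confirm the explicit hosts are honoured only on
  # ports_allowed and that the private-range block still covers everything else.
  hosts:
    - "localhost"
    - "127.0.0.1"
    - "crawl4ai"
  ports_allowed: [11235]
  allow_any_public: true
  block_private_ranges: true
  schemes: ["http", "https"]

# ─── Memory / Graph ───────────────────────────────────────────────────────────
memory_search:
  description: "Memory service + Qdrant"
  hosts:
    - "localhost"
    - "127.0.0.1"
    - "memory-service"
    - "qdrant"
    - "144.76.224.179"
  ports_allowed: [6333, 8001, 8100]
  schemes: ["http", "https"]

graph_query:
  description: "Neo4j bolt/http"
  hosts:
    - "localhost"
    - "127.0.0.1"
    - "neo4j"
  ports_allowed: [7474, 7687]
  # bolt/bolt+s are not HTTP; the middleware must recognise them as schemes.
  schemes: ["http", "https", "bolt", "bolt+s"]

# ─── ComfyUI / Image Generation ──────────────────────────────────────────────
comfy_generate_image:
  description: "ComfyUI on NODA3"
  hosts:
    - "localhost"
    - "127.0.0.1"
    - "212.8.58.133"
  ports_allowed: [8188]
  schemes: ["http"]

comfy_generate_video:
  description: "ComfyUI video on NODA3"
  hosts:
    - "localhost"
    - "127.0.0.1"
    - "212.8.58.133"
  ports_allowed: [8188]
  schemes: ["http"]

# ─── LLM Providers ────────────────────────────────────────────────────────────
# (Used by router/gateway, not direct tool calls, but documented for reference)
llm_providers:
  description: "External LLM APIs"
  hosts:
    - "api.x.ai"  # xAI Grok
    - "open.bigmodel.cn"  # GLM-5 Z.AI
    - "api.deepseek.com"  # DeepSeek
    - "api.openai.com"  # OpenAI fallback
  schemes: ["https"]

# ─── Presentation Service ─────────────────────────────────────────────────────
presentation_create:
  description: "Presentation rendering service"
  hosts:
    - "localhost"
    - "127.0.0.1"
    - "presentation-service"
  ports_allowed: [8080, 9500]
  schemes: ["http", "https"]

# ─── Dependency Scanner ───────────────────────────────────────────────────────
dependency_scanner_tool:
  description: "OSV.dev API for vulnerability lookups (online mode only)"
  hosts:
    - "api.osv.dev"
  schemes: ["https"]
  # Only used when vuln_mode=online; offline_cache requires no outbound

# ─── Private IP Ranges (always blocked for allow_any_public tools) ────────────
# Consulted whenever a tool sets block_private_ranges: true. Keep this list
# complete: a missing range is a direct path from a user-supplied URL to an
# internal service.
private_ip_ranges:
  - "10.0.0.0/8"  # RFC1918
  - "172.16.0.0/12"  # RFC1918
  - "192.168.0.0/16"  # RFC1918
  - "127.0.0.0/8"  # IPv4 loopback
  - "169.254.0.0/16"  # IPv4 link-local (includes cloud metadata endpoints)
  - "0.0.0.0/8"  # "this host" range, routes to local interfaces on many stacks
  - "100.64.0.0/10"  # Shared address space (CGNAT), not publicly routable
  - "::1/128"  # IPv6 loopback
  - "fc00::/7"  # IPv6 unique local
  - "fe80::/10"  # IPv6 link-local (header comment promises link-local is blocked)
  - "::ffff:0:0/96"  # IPv4-mapped IPv6; otherwise bypasses the IPv4 checks above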