microdao-daarion/config/network_allowlist.yml
Apple 67225a39fa docs(platform): add policy configs, runbooks, ops scripts and platform documentation
Config policies (16 files): alert_routing, architecture_pressure, backlog,
cost_weights, data_governance, incident_escalation, incident_intelligence,
network_allowlist, nodes_registry, observability_sources, rbac_tools_matrix,
release_gate, risk_attribution, risk_policy, slo_policy, tool_limits, tools_rollout

Ops (22 files): Caddyfile, calendar compose, grafana voice dashboard,
deployments/incidents logs, runbooks for alerts/audit/backlog/incidents/sofiia/voice,
cron jobs, scripts (alert_triage, audit_cleanup, migrate_*, governance, schedule),
task_registry, voice alerts/ha/latency/policy

Docs (30+ files): HUMANIZED_STEPAN v2.7-v3 changelogs and runbooks,
NODA1/NODA2 status and setup, audit index and traces, backlog, incident,
supervisor, tools, voice, opencode, release, risk, aistalk, spacebot

Made-with: Cursor
2026-03-03 07:14:53 -08:00


# Network Allowlist for Tool HTTP Calls
# Tools that make outbound HTTP requests MUST use only hosts/IPs listed here.
# Any request to unlisted hosts is blocked by tool_governance.py middleware.
#
# Keys used per tool stanza:
#   description           human-readable purpose
#   hosts                 exact hostname or IP literal — no wildcards, no CIDR
#   prefixes              URL prefix match (for paths); not used by any stanza yet
#   ports_allowed         explicit port list. Stanzas without it (web_search,
#                         web_extract, llm_providers, dependency_scanner_tool)
#                         depend on the middleware's default for the scheme —
#                         confirm that default in tool_governance.py
#   schemes               permitted URL schemes
#   allow_any_public      tool may reach any destination not in private_ip_ranges
#                         (user-supplied URLs: this is the SSRF surface)
#   block_private_ranges  reject destinations in private_ip_ranges (bottom of file)
#
# Enforcement caveats (properties tool_governance.py must have for this file
# to mean what it says — verify there, not here):
#   - host/IP checks must apply to the address actually connected to (every
#     DNS answer, re-checked on every redirect hop), otherwise DNS rebinding
#     and open redirects bypass the allowlist;
#   - "public" is simply "not in private_ip_ranges", so this project's own
#     public nodes (144.76.224.179, 212.8.58.133) stay reachable from
#     allow_any_public tools.
# ─── Observability Sources ────────────────────────────────────────────────────
observability_tool:
  description: "Prometheus, Loki, Tempo datasources"
  hosts:
    - "localhost"
    - "127.0.0.1"
    - "prometheus"
    - "loki"
    - "tempo"
    - "monitoring"
    # NODA1 monitoring. This is a public address and "http" is an allowed
    # scheme, so the policy permits plaintext observability traffic across
    # the internet; confirm the endpoint terminates TLS or sits on a private
    # link rather than relying on this file.
    - "144.76.224.179"
  # Presumably the same endpoints as the observability_sources policy in this
  # commit — keep the two lists in sync.
  ports_allowed: [9090, 3100, 3200, 9080]
  schemes: ["http", "https"]
# ─── Oncall / Service Health ──────────────────────────────────────────────────
oncall_tool:
  description: "Internal service health endpoints only"
  hosts:
    - "localhost"
    - "127.0.0.1"
    - "gateway"
    - "router"
    - "memory"
    - "qdrant"
    - "nats"
    # NODA1 and NODA3 are public addresses; "internal" is by convention only.
    # With "http" allowed plus 80/443 and the service ports below, this stanza
    # permits plaintext health probes over the internet to both nodes.
    - "144.76.224.179"  # NODA1
    - "212.8.58.133"    # NODA3
  # Every listed host may be probed on every listed port; prune to the ports
  # the oncall runbooks actually call.
  ports_allowed: [80, 443, 8000, 8080, 8222, 9000, 9100, 9102, 9200, 9300, 9400]
  schemes: ["http", "https"]
# ─── Web Search / Extract ─────────────────────────────────────────────────────
web_search:
  description: "Search provider APIs"
  # Exact hostnames, no wildcard/prefix. Query text leaves the platform to
  # these third parties, so user content in queries is an egress path —
  # check data_governance for what may be sent.
  hosts:
    - "api.duckduckgo.com"
    - "serpapi.com"
    - "api.bing.microsoft.com"
    - "customsearch.googleapis.com"
  # No ports_allowed: relies on the middleware's default for https.
  schemes: ["https"]
web_extract:
  description: "Any public HTTPS URL (user-provided)"
  # SSRF surface: the destination is chosen by the user. The only guard is
  # block_private_ranges against private_ip_ranges at the bottom of this file,
  # so that list must be complete and must be checked against the resolved IP
  # of every redirect hop (DNS rebinding / open redirects otherwise bypass it).
  # This project's own public nodes (144.76.224.179, 212.8.58.133) are not
  # private and therefore remain reachable from here.
  allow_any_public: true      # any destination not in private_ip_ranges
  block_private_ranges: true  # RFC1918 / loopback / link-local (see private_ip_ranges)
  # https only. No ports_allowed, so non-443 https ports are not restricted
  # here unless the middleware imposes a default — verify.
  schemes: ["https"]
crawl4ai_scrape:
  description: "Crawl4AI service + public URLs"
  # Two very different destinations share one stanza: the local Crawl4AI
  # service and arbitrary public URLs. Whether ports_allowed also constrains
  # the public URLs is decided by the middleware, not by this file: if it
  # does, public scraping is limited to :11235 (unlikely to be intended); if
  # it does not, the public side has no port restriction at all. Verify in
  # tool_governance.py and split the stanza if the two need different rules.
  hosts:
    - "localhost"
    - "127.0.0.1"
    - "crawl4ai"
  ports_allowed: [11235]
  allow_any_public: true
  block_private_ranges: true
  # Unlike web_extract, "http" is allowed, so user-supplied plaintext URLs —
  # including http://<this project's public node>:<port> — are permitted.
  schemes: ["http", "https"]
# ─── Memory / Graph ───────────────────────────────────────────────────────────
memory_search:
  description: "Memory service + Qdrant"
  hosts:
    - "localhost"
    - "127.0.0.1"
    - "memory-service"
    - "qdrant"
    # NODA1 (public address). With "http" allowed this permits plaintext
    # vector-store queries over the internet; confirm TLS and authentication
    # on the Qdrant and memory endpoints at this address.
    - "144.76.224.179"
  # 6333 is Qdrant's conventional HTTP port; 8001/8100 presumably belong to
  # the memory service — verify against the deployment.
  ports_allowed: [6333, 8001, 8100]
  schemes: ["http", "https"]
graph_query:
  description: "Neo4j bolt/http"
  hosts:
    - "localhost"
    - "127.0.0.1"
    - "neo4j"
  ports_allowed: [7474, 7687]
  # bolt/bolt+s are not HTTP. The file header only describes HTTP
  # enforcement, so confirm tool_governance.py applies the host/port check to
  # bolt connections as well — otherwise these two entries document rather
  # than enforce.
  schemes: ["http", "https", "bolt", "bolt+s"]
# ─── ComfyUI / Image Generation ──────────────────────────────────────────────
comfy_generate_image:
  description: "ComfyUI on NODA3"
  hosts:
    - "localhost"
    - "127.0.0.1"
    # NODA3 public address, reached over plaintext http only (see schemes).
    # Prompts and generated assets cross the internet unencrypted; confirm
    # the port is firewalled to the callers or fronted by TLS/auth. Being a
    # public address it is also reachable from allow_any_public tools
    # (crawl4ai_scrape permits http).
    - "212.8.58.133"
  ports_allowed: [8188]
  schemes: ["http"]
comfy_generate_video:
  description: "ComfyUI video on NODA3"
  # Same destination and port as comfy_generate_image; keep the two in sync.
  hosts:
    - "localhost"
    - "127.0.0.1"
    # NODA3 public address over plaintext http — same exposure notes as
    # comfy_generate_image apply.
    - "212.8.58.133"
  ports_allowed: [8188]
  schemes: ["http"]
# ─── LLM Providers ────────────────────────────────────────────────────────────
# (Used by router/gateway, not direct tool calls, but documented for reference)
llm_providers:
  description: "External LLM APIs"
  # Reference only: per the note above, this stanza is not what gates the
  # router/gateway egress, so the real control must live there or in the host
  # firewall. Prompts and context sent to these hosts leave the platform —
  # check data_governance for what classes of data may go to each provider.
  hosts:
    - "api.x.ai"          # xAI Grok
    - "open.bigmodel.cn"  # GLM-5 Z.AI
    - "api.deepseek.com"  # DeepSeek
    - "api.openai.com"    # OpenAI fallback
  schemes: ["https"]
# ─── Presentation Service ─────────────────────────────────────────────────────
presentation_create:
  description: "Presentation rendering service"
  # Internal-only stanza: no public addresses and no allow_any_public.
  hosts:
    - "localhost"
    - "127.0.0.1"
    - "presentation-service"
  ports_allowed: [8080, 9500]
  schemes: ["http", "https"]
# ─── Dependency Scanner ───────────────────────────────────────────────────────
dependency_scanner_tool:
  description: "OSV.dev API for vulnerability lookups (online mode only)"
  # Only used when vuln_mode=online; offline_cache requires no outbound.
  # In online mode the package names/versions under scan are disclosed to
  # OSV.dev.
  hosts:
    - "api.osv.dev"
  schemes: ["https"]
# ─── Private IP Ranges (always blocked for allow_any_public tools) ────────────
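private_ip_ranges:
  # These CIDRs must be matched against the *resolved* address: the middleware
  # has to resolve the host, check every A/AAAA answer and re-check on each
  # redirect hop, or a public DNS name pointing at a private address bypasses
  # the list. IPv4-mapped IPv6 (::ffff:a.b.c.d) should be unmapped before
  # matching; the /96 below blocks that form outright as a fallback.
  #
  # The original list covered only RFC1918, loopback, IPv4 link-local, ::1 and
  # fc00::/7 — the additions close the usual SSRF gaps (0/8, CGNAT, multicast,
  # IPv6 link-local, IPv4-mapped and NAT64 encodings of private space).
  - "10.0.0.0/8"        # RFC1918
  - "172.16.0.0/12"     # RFC1918
  - "192.168.0.0/16"    # RFC1918
  - "127.0.0.0/8"       # loopback
  - "169.254.0.0/16"    # link-local, incl. cloud metadata 169.254.169.254
  - "::1/128"           # IPv6 loopback
  - "fc00::/7"          # IPv6 unique local
  - "0.0.0.0/8"         # "this network"; 0.0.0.0 reaches loopback on Linux
  - "100.64.0.0/10"     # shared address space (CGNAT; also used by some overlay networks)
  - "224.0.0.0/4"       # IPv4 multicast
  - "240.0.0.0/4"       # reserved, incl. limited broadcast 255.255.255.255
  - "::/128"            # IPv6 unspecified
  - "fe80::/10"         # IPv6 link-local
  - "::ffff:0:0/96"     # IPv4-mapped IPv6
  - "64:ff9b::/96"      # NAT64 well-known prefix (can encode private IPv4); drop only if the hosts rely on NAT64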