fix(signals): always allow local domains

[joshsny]

Signals pipeline breaks locally with docker sandboxes due to local domains not being allowlisted for all ports, we don't mind which ports they use locally and we want to allow it to access the MCP server at 8787

[greptile-apps]

_{Reviews (1): Last reviewed commit: "always allow local domains" | Re-trigger Greptile}

[Copilot]

Pull request overview

Adjusts the AgentSH network policy generation used by the tasks/signals sandboxing pipeline so local development in Docker sandboxes can reach local/host services without being blocked by the domain allowlist.

Changes:

• Adds a dedicated debug-only network rule (allow-local-dev-hosts) to allow localhost and host.docker.internal on any port.
• Removes adding local dev hostnames into the “infrastructure domains” list, keeping that list focused on actual infrastructure.
• Adds tests asserting the debug-only rule exists, has no port restriction, and appears before the default deny rule.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
products/tasks/backend/services/agentsh.py	Adds a DEBUG-only allow rule for local dev hostnames and refactors where local domains are injected into policy generation.
products/tasks/backend/tests/test_agentsh.py	Adds test coverage to ensure debug-mode local host rules exist, are unrestricted by port, and have correct precedence.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[deployment-status-posthog]

Deploy status

Environment	Status	Deployed At	Workflow
dev	✅ Deployed	2026-05-29 12:26 UTC	Run
prod-us	✅ Deployed	2026-05-29 13:01 UTC	Run
prod-eu	✅ Deployed	2026-05-29 12:54 UTC	Run