Skip to content

Add idea: localhost-only egress for agent workloads#7

Merged
rkoster merged 1 commit into
cloudfoundry:mainfrom
rrashidov:idea/localhost-only-egress-for-agents
Jul 8, 2026
Merged

Add idea: localhost-only egress for agent workloads#7
rkoster merged 1 commit into
cloudfoundry:mainfrom
rrashidov:idea/localhost-only-egress-for-agents

Conversation

@rrashidov

Copy link
Copy Markdown
Contributor

What is this idea about?

An agent's outbound calls are decided at inference time — the developer cannot enumerate them statically, and a misconfigured or prompt-injected agent can silently reach unintended hosts. Direct network access from the agent process makes this uninspectable by default.

The proposal: CF should route all outbound agent traffic through a platform-owned proxy the workload cannot bypass. The developer declares bindings in the manifest (e.g. a model provider, a tool endpoint); the platform provides a localhost address the app calls, and the proxy handles the real outbound connection — enforcing the declared policy and logging every request. The app code doesn't change, only the target hostname does. What the proxy looks like and who owns egress policy is left open for platform experts to propose.

Checklist

  • File lives in ideas/ with a lowercase kebab-case filename (ideas/localhost-only-egress-for-agents.md)
  • Has a title (YAML title: present)
  • Tags added (sandboxing-isolation, observability-governance)
  • On-topic for agentic workloads on Cloud Foundry
  • Cross-links to sibling ideas

Related

@rkoster rkoster merged commit 11a1cac into cloudfoundry:main Jul 8, 2026
2 checks passed
@rrashidov rrashidov deleted the idea/localhost-only-egress-for-agents branch July 8, 2026 14:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants