egress: require opt-in for HTTPS git fetch

2026-06-10 07:00:01 +00:00
parent acb9cd67c6
commit 3f04567290
8 changed files with 240 additions and 7 deletions
@@ -199,6 +199,25 @@ Named inbound detectors: `naive_injection_detection`.
 The manifest parser (`manifest_egress.py`) validates the `dlp` block and
 rejects unknown detector names.

+### Manifest schema — `git` block
+
+HTTPS Git clone/fetch traffic is not implied by a host-level egress route.
+Smart HTTP Git fetch uses `git-upload-pack`, which can transfer large repo
+packfiles and bypass the git-gate mirror path. It is therefore blocked by
+default and must be explicitly enabled per route:
+
+```yaml
+egress:
+  routes:
+    - host: github.com
+      git:
+        fetch: true
+```
+
+`git.fetch: true` permits read-only smart HTTP clone/fetch requests
+(`git-upload-pack`) after the normal host and `matches` checks pass. HTTPS
+Git push (`git-receive-pack`) remains blocked by the egress addon.
+
 ### `EgressRoute` changes

 `EgressRoute` replaces `PathAllowlist` with `Matches` and gains two new
@@ -232,6 +251,7 @@ class EgressRoute:
    AuthScheme: str = ""
    TokenRef: str = ""
    Role: tuple[str, ...] = ()
+    GitFetch: bool = False
    OutboundDetectors: tuple[str, ...] | None = None   # None = all enabled
    InboundDetectors: tuple[str, ...] | None = None    # None = all enabled
 ```
@@ -252,6 +272,7 @@ class Route:
    matches: tuple[MatchEntry, ...] = ()
    auth_scheme: str = ""
    token_env: str = ""
+    git_fetch: bool = False
    outbound_detectors: tuple[str, ...] | None = None
    inbound_detectors: tuple[str, ...] | None = None
 ```