docs(changelog): runner egress policy foundation entry #83
Merged
Internal-tagged Jun 11 update: RUNNER_NETWORK_POLICY selects the runner network posture (allow_all default — unchanged behavior, deny_all_egress, allow_list_egress fail-closed UZ-RUN-007 until enforcement ships). No user-visible behavior change; entry lands per Indy's ask rather than folding into the next user-visible release.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…y (greptile P2)
Operator docs stay at the operational level per AGENTS.md; the nftables/netns mechanism belongs in main-repo playbooks, not the changelog.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Adds an Internal-tagged Jun 11, 2026 changelog entry for the merged egress-policy foundation (agentsfleet/agentsfleet#391):
RUNNER_NETWORK_POLICY now selects the runner network posture — allow_all (default, behavior unchanged), deny_all_egress, and allow_list_egress (fails closed with UZ-RUN-007 until kernel enforcement ships in an upcoming release).
No user-visible behavior change; entry explicitly states the default stays today's posture. Landed now per Indy's direction instead of folding into the next user-visible release.
🤖 Generated with Claude Code
Greptile Summary
This PR adds a single changelog entry documenting the RUNNER_NETWORK_POLICY environment variable foundation (agentsfleet/agentsfleet#391), tagged Internal+Security. No user-visible behavior change is introduced — the entry explicitly states the default posture is unchanged.
RUNNER_NETWORK_POLICY env var — documents the three values (allow_all, deny_all_egress, allow_list_egress) and their behavior; allow_list_egress is noted as failing closed with UZ-RUN-007 until kernel-level enforcement ships.
Confidence Score: 5/5
Documentation-only change; no code execution paths are affected.
The change is a single changelog entry documenting a new env var. The prose is accurate to the PR description, the MDX structure is valid, the Internal+Security tags are appropriate, and the prior comment about the nftables implementation-detail parenthetical has been resolved in this revision.
No files require special attention.
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Runner starts] --> B{RUNNER_NETWORK_POLICY\nenv var set?}
    B -- "unset / allow_all" --> C[Full outbound access\ncurrent default behavior]
    B -- "deny_all_egress" --> D[No outbound network]
    B -- "allow_list_egress" --> E{Kernel enforcement\nshipped?}
    E -- "No (current state)" --> F["Fails closed\nUZ-RUN-007"]
    E -- "Yes (upcoming release)" --> G[Outbound only to\npermitted destinations]
Reviews (2): Last reviewed commit: "docs(changelog): drop kernel-mechanism p..."