Skip to content

feat(bashkit): Phase 9 - Network allowlist and HTTP client#10

Merged
chaliy merged 1 commit intomainfrom
claude/bash-filesystem-library-cYGoo
Jan 31, 2026
Merged

feat(bashkit): Phase 9 - Network allowlist and HTTP client#10
chaliy merged 1 commit intomainfrom
claude/bash-filesystem-library-cYGoo

Conversation

@chaliy
Copy link
Contributor

@chaliy chaliy commented Jan 31, 2026
edited
Loading

Summary

Add secure network access with URL-based allowlist:

NetworkAllowlist

  • Empty allowlist blocks all URLs (secure by default)
  • Pattern matching on scheme, host, port, and path prefix
  • Support for multiple patterns via fluent API
  • allow_all() for testing/trusted environments

HttpClient (optional "network" feature)

  • HTTP methods: GET, POST, PUT, DELETE, HEAD, PATCH
  • Request/response with body and headers
  • Configurable timeout (default 30s)
  • All requests validated against allowlist

Security Model

  • Network disabled by default
  • Explicit opt-in via feature flag
  • All URLs validated before requests
  • No dangerously_allow_all in production paths

Test plan

  • Empty allowlist blocks all URLs
  • allow_all() permits all URLs
  • Exact host matching
  • Path prefix matching
  • Port matching
  • Multiple patterns
  • Invalid URL handling
  • Client blocks on empty allowlist
  • Client blocks non-matching URLs
  • All 140 tests pass (with network feature)
  • Clippy clean

@chatgpt-codex-connector
Copy link

chatgpt-codex-connector bot commented Jan 31, 2026

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@claude
feat(bashkit): Phase 9 - Network allowlist and HTTP client
8247521 
Add secure network access with URL allowlist:

NetworkAllowlist:
- Empty allowlist blocks all URLs by default
- Pattern matching on scheme, host, port, and path prefix
- Support for multiple patterns
- Optional allow_all() for testing

HttpClient (behind "network" feature):
- GET, POST, PUT, DELETE, HEAD, PATCH methods
- Request/response handling with body and headers
- Automatic timeout (30s default)
- All requests validated against allowlist

Security: Network disabled by default, explicit opt-in required.

https://claude.ai/code/session_01A16cD8ztbTJs2PB2iHe1Ua
@chaliy chaliy force-pushed the claude/bash-filesystem-library-cYGoo branch from 338667f to 8247521 Compare January 31, 2026 06:11
@chaliy chaliy merged commit ddf4acb into main Jan 31, 2026
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chaliy @claude