denied - cli-guard examples/egress

NAME

denied - dial a host that is not on the allowlist

SYNOPSIS

denied

DESCRIPTION

Dials https://www.iana.org through the same proxy and allowlist as the allowed command. The hostname is not on the allowlist, so the proxy refuses the CONNECT with a 403 and records decision=deny.

Examples:

egress-demo denied
# proxy listening on 127.0.0.1:<port>
# response: 403 403 Forbidden
# egress rows:
#   host=www.iana.org:443               decision=deny   up=0 down=0 ms=...

What the child sees: a normal-looking HTTP 403 from its proxy. From the child's perspective the upstream simply did not respond. There is no special signal that cli-guard caused the failure, and that is intentional: we do not want to teach hostile code to fingerprint the gate and route around it. The forensic trail lives in the audit row, not in the child's error message.
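The deny path described above, as an added Go example that is not cli-guard's own code: a CONNECT proxy that checks the hostname against an allowlist, answers a miss with a stock 403 carrying nothing that identifies the gate, and writes the decision to an audit log. The Gate type, its fields, the allowlisted hostname and the listen address are assumptions; only the host= and decision= fields of the row come from the output shown above.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
)

// Gate is a hypothetical CONNECT proxy: hostname allowlist plus audit log.
type Gate struct {
	Allow map[string]bool // exact hostnames, any port (assumption)
	Audit *log.Logger     // one row per decision; Logger serializes writers
}

func (g *Gate) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	name, _, err := net.SplitHostPort(r.Host)
	if r.Method != http.MethodConnect || err != nil || !g.Allow[name] {
		g.Audit.Printf("host=%s decision=deny", r.Host)
		http.Error(w, "Forbidden", http.StatusForbidden) // stock 403, no gate marker
		return
	}
	g.Audit.Printf("host=%s decision=allow", r.Host)
	hj, ok := w.(http.Hijacker)
	if !ok {
		http.Error(w, "Bad Gateway", http.StatusBadGateway)
		return
	}
	up, err := net.Dial("tcp", r.Host)
	if err != nil {
		http.Error(w, "Bad Gateway", http.StatusBadGateway)
		return
	}
	defer up.Close()
	conn, _, err := hj.Hijack()
	if err != nil {
		http.Error(w, "Bad Gateway", http.StatusBadGateway)
		return
	}
	defer conn.Close()
	fmt.Fprint(conn, "HTTP/1.1 200 Connection Established\r\n\r\n")
	go io.Copy(up, conn) // child -> upstream
	io.Copy(conn, up)    // upstream -> child, until upstream closes
}

func main() {
	g := &Gate{Allow: map[string]bool{"example.com": true}, Audit: log.Default()} // constructed allowlist
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", g))
}
```

The deny decision is taken before any upstream dial, so a refused host costs no outbound traffic, which matches the up=0 down=0 counters in the row above.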

Agent behavior on a deny: surface the egress row to the operator, and propose an allowlist update if the host is legitimate. Do NOT try to work around the proxy by setting HTTPS_PROXY="" or dialing the address directly. Bypassing the gate is what the gate is there to catch.

Usage:

denied [GLOBAL OPTIONS] [command [COMMAND OPTIONS]] [ARGUMENTS...]