[plan] Add package registry and CDN allowlists to firewall configuration #7415
Description
Objective
Add commonly-used package registries and CDNs to the firewall allowlist to reduce legitimate request denials while maintaining security.
Context
The Firewall Report (referenced in discussion #7407) shows frequent blocks of CDN and registry domains. Workflows legitimately need access to npm, PyPI, Docker Hub, and common CDNs for package installation and dependency resolution.
Approach
- Review firewall denial logs to identify legitimate package registry and CDN domains
- Create a standard allowlist for common registries:
registry.npmjs.org(npm)pypi.org,files.pythonhosted.org(PyPI)registry.hub.docker.com(Docker Hub)- Common CDNs used by these services
- Document the allowlist in workflow configuration documentation
- Recommend workflows include these in their
network.allowedconfiguration - Consider creating a reusable network config snippet
Files to Create/Modify
- Documentation file explaining standard network allowlists
- Example workflow showing proper network configuration
- Possibly: Shared YAML anchor or template for common network configs
Example Configuration
network:
allowed:
- "registry.npmjs.org"
- "pypi.org"
- "files.pythonhosted.org"
- "registry.hub.docker.com"Acceptance Criteria
- Standard allowlist documented
- Example configurations provided
- Workflows updated to use allowlists where needed
- Firewall denial rate decreases for legitimate registry access
- No security regressions (overly broad allowlists)
Expected Impact
- Reduces firewall denial rate for legitimate operations
- Standardizes network configuration across workflows
- Enables proper dependency installation
- Maintains security posture
Related to [plan] Address DeepReport Intelligence Briefing findings (Dec 23, 2025) #7410
AI generated by Plan Command for discussion #7407