{
  "version": "1.0.0",
  "description": "L2.6 Egress Proxy Allowlist — domains that MCP servers are allowed to contact during sandbox testing. All other domains are blocked.",
  "domains": [
    "registry.npmjs.org",
    "pypi.org",
    "files.pythonhosted.org",
    "github.com",
    "raw.githubusercontent.com",
    "api.github.com",
    "objects.githubusercontent.com",
    "codeload.github.com",
    "marketnow.site",
    "api.marketnow.site",
    "osv-vulnerabilities.storage.googleapis.com",
    "api.osv.dev",
    "api.npmjs.org",
    "registry.nodejs.org",
    "nodejs.org",
    "dl.google.com",
    "storage.googleapis.com",
    "repo1.maven.org",
    "repo.maven.apache.org",
    "jcenter.bintray.com",
    "index.docker.io",
    "registry-1.docker.io",
    "auth.docker.io",
    "production.cloudflare.docker.com",
    "mainnet.base.org",
    "base-rpc.publicnode.com",
    "1rpc.io",
    "base.gateway.tenderly.co",
    "api.stripe.com",
    "checkout.stripe.com"
  ],
  "wildcard_domains": [
    "*.github.com",
    "*.githubusercontent.com",
    "*.npmjs.org",
    "*.pythonhosted.org",
    "*.docker.io",
    "*.googleapis.com",
    "*.cloudflare.com",
    "*.vercel.app",
    "*.alicelabs.site"
  ],
  "blocked_categories": {
    "metadata_endpoints": "169.254.169.254 (AWS/GCP/Azure metadata — SSRF prevention)",
    "localhost": "127.0.0.1, ::1, 0.0.0.0 (local services)",
    "private_ranges": "10.x.x.x, 172.16-31.x.x, 192.168.x.x (internal network)",
    "unknown_domains": "Any domain not in the allowlist above"
  },
  "notes": "This allowlist is intentionally restrictive. MCP servers that need to contact additional domains must declare them in their skill metadata (egress_domains field). The audit will add declared domains to a per-skill allowlist."
}
