github · lpcox · Jun 23, 2026 · Jun 18, 2026 · Jun 18, 2026 · Jun 18, 2026
diff --git a/.github/lychee.toml b/.github/lychee.toml
@@ -20,6 +20,9 @@ exclude = [
   "^https://docs\\.github\\.com/en/github/site-policy/github-bug-bounty",
   "^https://www\\.sei\\.cmu\\.edu/",
   "^https://platform\\.openai\\.com/docs/api-reference/authentication$",
+  # opentelemetry.io intermittently drops connections from CI runners
+  # (returns 200 interactively but "error sending request" in Actions)
+  "^https://opentelemetry\\.io/docs/specs/otel/",
   # LOGGING.md is referenced but doesn't exist yet (planned doc)
   "LOGGING\\.md",
 ]

diff --git a/.github/workflows/test-egress-enforcement-adversarial.yml b/.github/workflows/test-egress-enforcement-adversarial.yml
diff --git a/.github/workflows/test-gvisor-firewall-comparison.yml b/.github/workflows/test-gvisor-firewall-comparison.yml
diff --git a/containers/agent/entrypoint.sh b/containers/agent/entrypoint.sh
@@ -136,24 +136,31 @@ wait_for_iptables() {
 # The awf-iptables-init container shares our network namespace and runs
 # setup-iptables.sh, then writes a ready signal file. This ensures the agent
 # container NEVER needs NET_ADMIN capability.
-echo "[entrypoint] Waiting for iptables initialization from init container..."
-INIT_TIMEOUT=300  # 300 * 0.1s = 30 seconds
-INIT_ELAPSED=0
-while [ ! -f /tmp/awf-init/ready ]; do
-  if [ "$INIT_ELAPSED" -ge "$INIT_TIMEOUT" ]; then
-    echo "[entrypoint][ERROR] Timed out waiting for iptables init container after 30s"
-    if [ -f /tmp/awf-init/output.log ]; then
-      echo "[entrypoint] Init container output:"
-      cat /tmp/awf-init/output.log
-    else
-      echo "[entrypoint] No init container output log found"
+#
+# In network-isolation (topology) mode there is no iptables-init container —
+# egress is enforced by Docker network topology — so skip the handshake.
+if [ "${AWF_NETWORK_ISOLATION:-}" = "1" ]; then
+  echo "[entrypoint] Network-isolation mode: skipping iptables init container wait"
+else
+  echo "[entrypoint] Waiting for iptables initialization from init container..."
+  INIT_TIMEOUT=300  # 300 * 0.1s = 30 seconds
+  INIT_ELAPSED=0
+  while [ ! -f /tmp/awf-init/ready ]; do
+    if [ "$INIT_ELAPSED" -ge "$INIT_TIMEOUT" ]; then
+      echo "[entrypoint][ERROR] Timed out waiting for iptables init container after 30s"
+      if [ -f /tmp/awf-init/output.log ]; then
+        echo "[entrypoint] Init container output:"
+        cat /tmp/awf-init/output.log
+      else
+        echo "[entrypoint] No init container output log found"
+      fi
+      exit 1
     fi
-    exit 1
-  fi
-  sleep 0.1
-  INIT_ELAPSED=$((INIT_ELAPSED + 1))
-done
-echo "[entrypoint] iptables initialization complete"
+    sleep 0.1
+    INIT_ELAPSED=$((INIT_ELAPSED + 1))
+  done
+  echo "[entrypoint] iptables initialization complete"
+fi
 }
 
 check_service_health() {

diff --git a/docs/awf-config-spec.md b/docs/awf-config-spec.md
@@ -98,6 +98,8 @@ AWF settings MAY be supplied via config files, including stdin (`--config -`).
 - `network.blockDomains[]` → `--block-domains <csv>`
 - `network.dnsServers[]` → `--dns-servers <csv>`
 - `network.upstreamProxy` → `--upstream-proxy`
+- `network.isolation` → `--network-isolation` *(experimental; enforces egress via Docker network topology instead of host iptables)*
+- `network.topologyAttach[]` → `--topology-attach <name>` *(repeatable; requires `network.isolation: true`)*
 - `apiProxy.enabled` → `--enable-api-proxy`
 - `apiProxy.enableTokenSteering` → `--enable-token-steering`
 - `apiProxy.anthropicAutoCache` → `--anthropic-auto-cache`

diff --git a/docs/awf-config.schema.json b/docs/awf-config.schema.json
@@ -39,8 +39,38 @@
         "upstreamProxy": {
           "type": "string",
           "description": "Upstream HTTP proxy URL (e.g. \"http://proxy.corp.example.com:8080\"). When set, the AWF Squid proxy forwards traffic through this proxy."
+        },
+        "isolation": {
+          "type": "boolean",
+          "description": "Experimental: enforce egress via Docker network topology (an internal network with no internet route plus a dual-homed Squid proxy) instead of host iptables. Requires no sudo/NET_ADMIN, so it works inside ARC/Kubernetes DinD runners. Not yet supported together with dnsOverHttps or enableHostAccess. Maps to the --network-isolation CLI flag."
+        },
+        "topologyAttach": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Names of externally-launched trusted containers (e.g. an MCP gateway or DIFC proxy) to attach to the internal topology network so the agent can reach them without granting them their own egress path. Requires network.isolation to be true. Maps to repeated --topology-attach CLI flags."
         }
-      }
+      },
+      "allOf": [
+        {
+          "if": {
+            "required": [
+              "topologyAttach"
+            ]
+          },
+          "then": {
+            "required": [
+              "isolation"
+            ],
+            "properties": {
+              "isolation": {
+                "const": true
+              }
+            }
+          }
+        }
+      ]
     },
     "apiProxy": {
       "type": "object",