feat(egress): add DELETE /policy endpoint for removing egress rules by target

Add DELETE handler that accepts a JSON array of target strings, removes
matching rules case-insensitively, and commits the updated policy. Targets
not found are silently ignored (idempotent). Spec and README docs updated.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: Pangjiping

components/egress/policy_server.go

@@ -147,8 +147,10 @@ func (s *policyServer) handlePolicy(w http.ResponseWriter, r *http.Request) {
 		s.handlePost(w, r)
 	case http.MethodPatch:
 		s.handlePatch(w, r)
+	case http.MethodDelete:
+		s.handleDelete(w, r)
 	default:
-		w.Header().Set("Allow", "GET, POST, PUT, PATCH")
+		w.Header().Set("Allow", "GET, POST, PUT, PATCH, DELETE")
 		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 	}
 }
@@ -268,6 +270,84 @@ func (s *policyServer) handlePatch(w http.ResponseWriter, r *http.Request) {
 	})
 }
 
+func (s *policyServer) handleDelete(w http.ResponseWriter, r *http.Request) {
+	defer r.Body.Close()
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	raw, err := readPolicyRequestBody(r)
+	if err != nil || raw == "" {
+		if err != nil {
+			logEgressUpdateFailedWarn(fmt.Sprintf("failed to read body: %v", err))
+		} else {
+			logEgressUpdateFailedWarn("empty delete body")
+		}
+		http.Error(w, fmt.Sprintf("failed to read body: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	var targets []string
+	if err := json.Unmarshal([]byte(raw), &targets); err != nil {
+		logEgressUpdateFailedWarn(fmt.Sprintf("invalid delete targets: %v", err))
+		http.Error(w, fmt.Sprintf("invalid delete targets: %v", err), http.StatusBadRequest)
+		return
+	}
+	if len(targets) == 0 {
+		logEgressUpdateFailedWarn("empty delete targets array")
+		http.Error(w, "invalid delete targets: empty array", http.StatusBadRequest)
+		return
+	}
+
+	base := s.proxy.CurrentPolicy()
+	if base == nil {
+		base = policy.DefaultDenyPolicy()
+	}
+	oldCount := len(base.Egress)
+	newEgress, removedRules := removeRulesByTarget(base.Egress, targets)
+	removed := oldCount - len(newEgress)
+
+	if removed == 0 {
+		mode := modeFromPolicy(base)
+		writeJSON(w, http.StatusOK, policyStatusResponse{
+			Status:          "ok",
+			Mode:            mode,
+			EnforcementMode: s.enforcementMode,
+			Reason:          "no matching targets found",
+			Policy:          base,
+		})
+		return
+	}
+
+	rawMerged, err := json.Marshal(policy.NetworkPolicy{
+		DefaultAction: base.DefaultAction,
+		Egress:        newEgress,
+	})
+	if err != nil {
+		logEgressUpdateFailedWarn(fmt.Sprintf("failed to marshal updated policy: %v", err))
+		http.Error(w, fmt.Sprintf("internal error: %v", err), http.StatusInternalServerError)
+		return
+	}
+	newPolicy, err := policy.ParsePolicy(string(rawMerged))
+	if err != nil {
+		logEgressUpdateFailedWarn(fmt.Sprintf("invalid policy after delete: %v", err))
+		http.Error(w, fmt.Sprintf("invalid policy after delete: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	mode := modeFromPolicy(newPolicy)
+	log.Infof("policy API: deleting %d egress rule(s) by target, removed=%d, mode=%s, enforcement=%s", len(targets), removed, mode, s.enforcementMode)
+	if !s.commitPolicy(r.Context(), w, newPolicy, "delete") {
+		return
+	}
+	logEgressUpdated(newPolicy.DefaultAction, removedRules)
+	log.Infof("policy API: delete applied successfully")
+	writeJSON(w, http.StatusOK, policyStatusResponse{
+		Status:          "ok",
+		Mode:            mode,
+		EnforcementMode: s.enforcementMode,
+	})
+}
+
 // commitPolicy applies one logical change: optional disk persist → merge always file rules → nft
 // static (with nameserver allow-IPs) → then update in-memory user policy (POST/PATCH/GET view).
 func (s *policyServer) commitPolicy(ctx context.Context, w http.ResponseWriter, pol *policy.NetworkPolicy, op string) bool {

components/egress/policy_server_test.go

@@ -245,6 +245,150 @@ func TestHandlePatch_RejectsWhenOverMaxEgressRules(t *testing.T) {
 	require.Len(t, proxy.updated.Egress, 2, "policy should be unchanged")
 }
 
+func TestHandleDelete_RemovesMatchingTargets(t *testing.T) {
+	initial := &policy.NetworkPolicy{
+		DefaultAction: policy.ActionDeny,
+		Egress: []policy.EgressRule{
+			{Action: policy.ActionAllow, Target: "example.com"},
+			{Action: policy.ActionDeny, Target: "blocked.com"},
+			{Action: policy.ActionAllow, Target: "keep.com"},
+		},
+	}
+	proxy := &stubProxy{updated: initial}
+	nft := &stubNft{}
+	srv := &policyServer{proxy: proxy, nft: nft, enforcementMode: "dns+nft"}
+
+	body := `["blocked.com","nonexistent.com"]`
+	req := httptest.NewRequest(http.MethodDelete, "/policy", strings.NewReader(body))
+	w := httptest.NewRecorder()
+
+	srv.handlePolicy(w, req)
+
+	resp := w.Result()
+	require.Equal(t, http.StatusOK, resp.StatusCode, "expected 200 OK")
+	require.Equal(t, 1, nft.calls, "expected nft ApplyStatic called once")
+	require.NotNil(t, proxy.updated, "expected proxy policy updated")
+	require.Equal(t, policy.ActionDeny, proxy.updated.DefaultAction, "defaultAction should be preserved")
+	require.Len(t, proxy.updated.Egress, 2, "expected 2 rules remaining after delete")
+	require.Equal(t, policy.ActionAllow, proxy.updated.Egress[0].Action)
+	require.Equal(t, "example.com", proxy.updated.Egress[0].Target)
+	require.Equal(t, policy.ActionAllow, proxy.updated.Egress[1].Action)
+	require.Equal(t, "keep.com", proxy.updated.Egress[1].Target)
+}
+
+func TestHandleDelete_CaseInsensitiveMatch(t *testing.T) {
+	initial := &policy.NetworkPolicy{
+		DefaultAction: policy.ActionDeny,
+		Egress: []policy.EgressRule{
+			{Action: policy.ActionAllow, Target: "Example.COM"},
+			{Action: policy.ActionDeny, Target: "Blocked.COM"},
+		},
+	}
+	proxy := &stubProxy{updated: initial}
+	nft := &stubNft{}
+	srv := &policyServer{proxy: proxy, nft: nft, enforcementMode: "dns+nft"}
+
+	body := `["example.com"]`
+	req := httptest.NewRequest(http.MethodDelete, "/policy", strings.NewReader(body))
+	w := httptest.NewRecorder()
+
+	srv.handlePolicy(w, req)
+
+	resp := w.Result()
+	require.Equal(t, http.StatusOK, resp.StatusCode, "expected 200 OK")
+	require.NotNil(t, proxy.updated)
+	require.Len(t, proxy.updated.Egress, 1, "expected 1 rule remaining")
+	require.Equal(t, "Blocked.COM", proxy.updated.Egress[0].Target, "unmatched rule should remain")
+}
+
+func TestHandleDelete_NoMatchReturns200(t *testing.T) {
+	initial := &policy.NetworkPolicy{
+		DefaultAction: policy.ActionDeny,
+		Egress: []policy.EgressRule{
+			{Action: policy.ActionAllow, Target: "keep.com"},
+		},
+	}
+	proxy := &stubProxy{updated: initial}
+	nft := &stubNft{}
+	srv := &policyServer{proxy: proxy, nft: nft, enforcementMode: "dns+nft"}
+
+	body := `["nonexistent.com"]`
+	req := httptest.NewRequest(http.MethodDelete, "/policy", strings.NewReader(body))
+	w := httptest.NewRecorder()
+
+	srv.handlePolicy(w, req)
+
+	resp := w.Result()
+	require.Equal(t, http.StatusOK, resp.StatusCode, "expected 200 OK even when no targets match")
+	require.Equal(t, 0, nft.calls, "nft should not be called when nothing changes")
+	require.Len(t, proxy.updated.Egress, 1, "policy should be unchanged")
+}
+
+func TestHandleDelete_EmptyBodyReturns400(t *testing.T) {
+	proxy := &stubProxy{updated: policy.DefaultDenyPolicy()}
+	srv := &policyServer{proxy: proxy, nft: nil, enforcementMode: "dns"}
+
+	req := httptest.NewRequest(http.MethodDelete, "/policy", strings.NewReader(""))
+	w := httptest.NewRecorder()
+
+	srv.handlePolicy(w, req)
+
+	resp := w.Result()
+	require.Equal(t, http.StatusBadRequest, resp.StatusCode, "expected 400 for empty body")
+}
+
+func TestHandleDelete_EmptyArrayReturns400(t *testing.T) {
+	proxy := &stubProxy{updated: policy.DefaultDenyPolicy()}
+	srv := &policyServer{proxy: proxy, nft: nil, enforcementMode: "dns"}
+
+	body := `[]`
+	req := httptest.NewRequest(http.MethodDelete, "/policy", strings.NewReader(body))
+	w := httptest.NewRecorder()
+
+	srv.handlePolicy(w, req)
+
+	resp := w.Result()
+	require.Equal(t, http.StatusBadRequest, resp.StatusCode, "expected 400 for empty array")
+}
+
+func TestHandleDelete_InvalidJSONReturns400(t *testing.T) {
+	proxy := &stubProxy{updated: policy.DefaultDenyPolicy()}
+	srv := &policyServer{proxy: proxy, nft: nil, enforcementMode: "dns"}
+
+	body := `not-json`
+	req := httptest.NewRequest(http.MethodDelete, "/policy", strings.NewReader(body))
+	w := httptest.NewRecorder()
+
+	srv.handlePolicy(w, req)
+
+	resp := w.Result()
+	require.Equal(t, http.StatusBadRequest, resp.StatusCode, "expected 400 for invalid JSON")
+}
+
+func TestHandleDelete_NftFailureReturns500(t *testing.T) {
+	initial := &policy.NetworkPolicy{
+		DefaultAction: policy.ActionDeny,
+		Egress: []policy.EgressRule{
+			{Action: policy.ActionAllow, Target: "example.com"},
+		},
+	}
+	proxy := &stubProxy{updated: initial}
+	nft := &stubNft{err: errors.New("nft apply failed")}
+	srv := &policyServer{proxy: proxy, nft: nft, enforcementMode: "dns+nft"}
+
+	body := `["example.com"]`
+	req := httptest.NewRequest(http.MethodDelete, "/policy", strings.NewReader(body))
+	w := httptest.NewRecorder()
+
+	srv.handlePolicy(w, req)
+
+	resp := w.Result()
+	require.Equal(t, http.StatusInternalServerError, resp.StatusCode, "expected 500 on nft failure")
+	require.Equal(t, 1, nft.calls, "expected nft ApplyStatic called once")
+	require.Len(t, proxy.updated.Egress, 1, "proxy should not be updated on nft failure")
+	require.Equal(t, "example.com", proxy.updated.Egress[0].Target, "original rule should remain")
+}
+
 func TestHandlePost_RejectsWhenOverMaxEgressRules(t *testing.T) {
 	proxy := &stubProxy{}
 	nft := &stubNft{}

components/egress/policy_utils.go

@@ -83,6 +83,28 @@ func mergeEgressRules(base, additions []policy.EgressRule) []policy.EgressRule {
 	return out
 }
 
+// removeRulesByTarget returns a new slice with rules matching targets removed,
+// plus the removed rules. Domain targets are matched case-insensitively.
+// Targets not found are silently ignored.
+func removeRulesByTarget(rules []policy.EgressRule, targets []string) (kept, removed []policy.EgressRule) {
+	if len(targets) == 0 || len(rules) == 0 {
+		return rules, nil
+	}
+	removeSet := make(map[string]struct{}, len(targets))
+	for _, t := range targets {
+		removeSet[strings.ToLower(strings.TrimSpace(t))] = struct{}{}
+	}
+	kept = make([]policy.EgressRule, 0, len(rules))
+	for _, r := range rules {
+		if _, ok := removeSet[strings.ToLower(r.Target)]; ok {
+			removed = append(removed, r)
+		} else {
+			kept = append(kept, r)
+		}
+	}
+	return kept, removed
+}
+
 // mergeKey: domain targets lowercased for dedupe; IP/CIDR left as-is.
 func mergeKey(r policy.EgressRule) string {
 	if r.Target == "" {

specs/README.md

@@ -122,6 +122,7 @@ the sandbox endpoint for the egress port and then calling the sidecar endpoint d
 **Main Endpoints:**
 - `GET /policy` - Get the current egress policy
 - `PATCH /policy` - Merge new egress rules into the current policy
+- `DELETE /policy` - Remove specific egress rules from the current policy by target
 
 ## Technical Features
 

specs/README_zh.md

@@ -121,6 +121,7 @@
 **主要端点：**
 - `GET /policy` - 获取当前 egress 策略
 - `PATCH /policy` - 将新的 egress 规则合并到当前策略
+- `DELETE /policy` - 按 target 删除当前策略中的指定 egress 规则
 
 ## 技术特性
 

specs/egress-api.yaml

@@ -109,6 +109,54 @@ paths:
           $ref: '#/components/responses/Unauthorized'
         '500':
           $ref: '#/components/responses/InternalServerError'
+    delete:
+      tags: [Policy]
+      summary: Delete egress rules
+      description: |
+        Remove specific egress rules from the currently enforced policy by target.
+
+        - Accepts a list of target strings (FQDNs or wildcard domains).
+        - Matching rules are removed; targets not found in the current policy
+          are silently ignored (idempotent).
+        - Returns the resulting policy after deletion.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: array
+              minItems: 1
+              items:
+                type: string
+                description: FQDN or wildcard domain to remove from the policy.
+              example:
+                - bad.example.com
+                - "*.blocked.org"
+      responses:
+        '200':
+          description: Rules removed successfully.
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/PolicyStatusResponse'
+              examples:
+                removed:
+                  summary: Rules removed
+                  value:
+                    status: ok
+                    mode: deny_all
+                    enforcementMode: dns
+                    policy:
+                      defaultAction: deny
+                      egress:
+                        - action: allow
+                          target: pypi.org
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
 components:
   responses:
     BadRequest: