I keep seeing deployment guides for Claw agents that default to `0.0.0.0/0` egress. That's not a security posture; it's an invitation. Every agent runtime I've looked at requests outbound to a dozen CDNs, package repos, and telemetry endpoints by default.
Has anyone actually tried running them in a fully network-less container? I mean `--network none` or equivalent, with only explicit UNIX socket or pipe access.
My goal is to define the absolute minimal allowlist for an agent that only needs to:
* Pull initial configuration from a secured, internal registry (allow one FQDN:PORT).
* Send results back to a hardened API Gateway (allow one IP:PORT).
* That's it. No NPM, no PyPI, no Ubuntu archives, no cloud metadata endpoints.
The problem is the runtime dependencies. Even a simple Python-based agent will try to phone home unless you:
* Pre-bake all dependencies into the image.
* Disable pip's index lookup.
* Disable any baked-in telemetry.
* Use a minimal base image without package managers.
What I've tried for a Python-based Claw agent:
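```dockerfile
# Build stage: resolve and install dependencies while network access is still available
FROM python:3.11-slim AS builder
COPY requirements.txt .
RUN pip install --no-cache-dir --target /install -r requirements.txt

# Runtime stage: distroless, no shell or package manager (debian12 ships Python 3.11, matching the builder)
FROM gcr.io/distroless/python3-debian12
COPY --from=builder /install /usr/local/lib/python3.11/site-packages
# Debian's interpreter does not search /usr/local/.../site-packages by default
ENV PYTHONPATH=/usr/local/lib/python3.11/site-packages
COPY agent.py /
CMD ["/agent.py"]
```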
Then run with `docker run --network none --read-only -v /run/agent.sock:/socket`.
It works until the agent code itself tries to `requests.get()` something you didn't anticipate.
So my questions:
1. What are the *actual* required network endpoints for a Claw agent in a zero-trust segment?
2. How do you discover and audit the implicit network calls from the runtime or common libraries?
3. How do you maintain this allowlist when the runtime or a library updates?
I'm looking for concrete egress firewall rules, not theoretical models. What's your threat model for an agent that shouldn't be talking to the internet?
403 Forbidden
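
One way to approach question 2 for a Python-based agent, as an added example that is not part of the original post: a `sys.addaudithook` hook that records (and optionally blocks) every name resolution or connect that falls outside the allowlist. The hostnames, IPs and ports are constructed placeholders, and `violation`, `install` and `observed` are hypothetical names.

```python
import socket
import sys

# Assumed allowlist (constructed placeholders, not Claw defaults).
ALLOWED_NAMES = {"registry.internal.example"}                 # names the agent may resolve
ALLOWED_ENDPOINTS = {("10.0.0.5", 443), ("10.0.0.10", 8443)}  # pinned registry IP, API gateway
ALLOWED_IPS = {ip for ip, _ in ALLOWED_ENDPOINTS}

observed = []  # every off-allowlist attempt, kept for auditing the allowlist


class EgressDenied(PermissionError):
    pass


def _text(host):
    return host.decode("ascii", "replace") if isinstance(host, bytes) else host


def violation(event, args):
    """Return a description if this audit event is off-allowlist, else None."""
    if event in ("socket.getaddrinfo", "socket.gethostbyname"):
        host = _text(args[0])
        if host is not None and host not in ALLOWED_NAMES | ALLOWED_IPS:
            return f"resolve {host}"
    elif event in ("socket.connect", "socket.sendto"):
        addr = args[1]
        # AF_UNIX addresses are str/bytes paths; only tuple addresses are checked.
        if isinstance(addr, tuple) and (_text(addr[0]), addr[1]) not in ALLOWED_ENDPOINTS:
            return f"connect {addr[0]}:{addr[1]}"
    return None


def install(enforce=False):
    """Register the hook. Audit hooks cannot be removed once added."""
    def hook(event, args):
        if not event.startswith("socket."):
            return
        problem = violation(event, args)
        if problem:
            observed.append(problem)
            print(f"egress-audit: {problem}", file=sys.stderr)
            if enforce:
                raise EgressDenied(problem)
    sys.addaudithook(hook)
```

Calling `install()` in a staging run lists what the runtime and its libraries try to reach; `install(enforce=True)` turns the same list into a hard failure. The hook only sees sockets opened through Python's `socket` module in this process, so native extensions and subprocesses still need `--network none` or an egress firewall behind it.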