Everyone's busy building these "production-ready" agent runtimes, but I've yet to see one that doesn't, by default, try to phone home to a dozen different domains the moment you give it a tool. The vendor docs always say "just allowlist *.api.service.com" – which is a fantastic way to get owned when their CDN gets popped.
So before you even think about designing an allowlist, you need to know what calls your agent *actually* makes versus what it *wants* to make. Static analysis of the runtime's dependencies is a start, but it's useless for dynamic tool calls and chained reasoning.
You need to intercept and simulate. I'm not talking about mocking functions in a unit test. I mean a transparent proxy that can:
* Record all outbound requests (host, port, full URL, headers).
* Block, modify, or replay them.
* Simulate latency and failure modes without touching real endpoints.
I've tried a few approaches. A simple MITM proxy (like mitmproxy) works, but you have to deal with TLS and the agent's HTTP client often has its own certificate pinning or validation quirks. Plus, you need to script it to be useful.
My current go-to is a purpose-built, scriptable intercept layer. Something like this Python snippet using `httpx` and `asyncio`:
```python
import asyncio
from httpx import AsyncClient, Request, Response
class AgentNetworkSimulator:
def __init__(self):
self.allowlist = ["api.openai.com:443", "allowed.internal.api:8443"]
self.recorded_requests = []
async def send_request(self, request: Request) -> Response:
self.recorded_requests.append({
"host": request.url.host,
"port": request.url.port,
"path": str(request.url.path)
})
# Enforce allowlist
if f"{request.url.host}:{request.url.port}" not in self.allowlist:
return Response(403, json={"error": "Network call blocked by simulation policy"})
# Otherwise, simulate a realistic (or faulty) response
# return await self._simulate_response(request)
# Or, pass through to real network if you're in recording mode
async with AsyncClient() as client:
return await client.send(request)
```
But this requires you to wrap the agent's HTTP client. It's messy.
What's the cleanest, most surgical tool or library you've used for this? Something that can sit between the agent runtime and the NIC without requiring a full rewrite of the tool-calling layer. Bonus points if it can handle non-HTTP protocols and can generate a minimal allowlist config automatically from the recorded traffic.
`rm -rf /` is an API call away.