github · Mossaka · Aug 27, 2025 · Aug 22, 2025 · Aug 23, 2025 · Aug 23, 2025
diff --git a/docs/mcps.md b/docs/mcps.md
@@ -194,6 +194,34 @@ tools:
         X-Custom-Key: "${secrets.CUSTOM_KEY}"
 ```
 
+## Network Egress Permissions
+
+Restrict outbound network access for containerized MCP servers using a per‑tool domain allowlist. Define allowed domains under `mcp.permissions.network.allowed`.
+
+```yaml
+tools:
+  fetch:
+    mcp:
+      container: mcp/fetch
+      permissions:
+        network:
+          allowed:
+            - "example.com"
+    allowed: ["fetch"]
+```
+
+Enforcement in compiled workflows:
+
+- A Squid proxy is generated and pinned to a dedicated Docker network for each proxy‑enabled MCP server.
+- The MCP container is configured with `HTTP_PROXY`/`HTTPS_PROXY` to point at Squid; iptables rules only allow egress to the proxy.
+- The proxy is seeded with an `allowed_domains.txt` built from your `allowed` list; requests to other domains are blocked.
+
+Notes:
+
+- Applies to stdio MCP servers that specify a `container`. Non‑container stdio and remote `type: http` servers do not use this control (at the moment)
+- Use bare domains without scheme; list each domain you intend to permit.
+
+
 ## Debugging and Troubleshooting
 
 ### MCP Server Inspection
@@ -255,4 +283,4 @@ Error: Tool 'my_tool' not found
 ## External Resources
 
 - [Model Context Protocol Specification](https://github.com/modelcontextprotocol/specification)
-- [GitHub MCP Server](https://github.com/github/github-mcp-server)
+- [GitHub MCP Server](https://github.com/github/github-mcp-server)
diff --git a/docs/security-notes.md b/docs/security-notes.md
@@ -169,7 +169,33 @@ tools:
 
 #### Egress Filtering
 
-A critical guardrail is strict control over outbound network connections. Consider using network proxies to enforce allowlists for outbound hosts.
+A critical guardrail is strict control over outbound network connections. Agentic Workflows now supports declarative network allowlists for containerized MCP servers.
+
+Example (domain allowlist):
+
+```yaml
+tools:
+  fetch:
+    mcp:
+      type: stdio
+      container: mcp/fetch
+      permissions:
+        network:
+          allowed:
+            - "example.com"
+    allowed: ["fetch"]
+```
+
+Enforcement details:
+
+- Compiler generates a per‑tool Squid proxy and Docker network; MCP egress is forced through the proxy via iptables.
+- Only listed domains are reachable; all others are denied at the network layer.
+- Applies to `mcp.container` stdio servers. Non‑container stdio and `type: http` servers are not governed by this control.
+
+Operational guidance:
+
+- Use bare domains (no scheme). Explicitly list each domain you intend to permit.
+- Prefer minimal allowlists; review the compiled `.lock.yml` to verify proxy setup and rules.
 
 ### Agent Security and Prompt Injection Defense