4.6 Egress capability scoping at emission boundary
All outbound communications from unsupervised agent paths (chat posts, webhook calls, email sends, HTTP requests, image-rendering URLs, link-preview fetches) pass through an egress gate before leaving the trust boundary. Scope is application-layer egress from automated / scheduled / unattended agent action; interactive responses in user-supervised sessions are out of scope, symmetric with the ingestion-scope narrowing in `PL4-prompt-injection-defence`. IAM-level resource writes are covered separately by `PL4-least-privilege`. The gate enforces destination allowlists per channel, rate limits per destination, and elevation gates on novel destinations. Content-based output scanning is defence-in-depth, not the primary control: a structural check on where data may go is enforceable regardless of what the data looks like, whereas content signatures can be evaded by encoding.
Levels
Level 0
No scoping; unsupervised agent paths can reach arbitrary external destinations
Level 1
IAM-level write restrictions in place (per `PL4-least-privilege`) but application-layer outbound surfaces (Slack channels, email, webhooks, HTTP, image / link rendering) not individually scoped per channel
Level 2
Per-destination allowlist per outbound surface; rate limits per destination; novel-destination sends require elevation (PR review for git egress; tenancy + approval gate for chat / email / webhook surfaces via [bot-token credential tenancy](recipes/bot-token-credential-tenancy.md) + [GitOps JIT privilege elevation](recipes/gitops-jit-privilege-elevation.md)). Image-rendering and link-preview egress vectors explicitly treated as exfiltration paths: a rendered image URL or previewed link is an outbound fetch that can carry data in its path or query string, so the hosts it would contact are gated like any other destination
Level 3
Egress patterns learned from legitimate traffic; novel-destination attempts auto-flagged; exfiltration-shaped patterns (bursty volume, novel recipient combined with sensitive-content signatures) auto-detected with automated block + human review; allowlist evolves from observed legitimate use
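The Level 2 gate described above, as an added illustration that is not code from the page or from any project it references. It assumes a per-channel allowlist keyed by channel name, a sliding-window rate limit per (channel, destination) pair, a `render` pseudo-channel for hosts that image / link-preview rendering would fetch from, and an `approve()` hook standing in for the PR-review or JIT-elevation flow. All destination names, the `ALLOWLIST`, `RATE_LIMIT` and `SENSITIVE` values, and the sample bodies are constructed for the example.

```python
"""Hypothetical egress gate for unattended agent actions (added example, not the page's code)."""
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed per-channel allowlists (assumption for the example). The "render"
# channel holds hosts that an image or link preview is permitted to fetch from.
ALLOWLIST = {
    "webhook": {"hooks.example.internal"},
    "email": {"ops@example.com", "oncall@example.com"},
    "chat": {"#deploys", "#alerts"},
    "render": {"img.example.internal"},
}

# Per (channel, destination) sliding-window rate limit (constructed values).
RATE_LIMIT = {"max_sends": 5, "window_s": 60}

# Markdown image / link syntax; rendering either one causes an outbound fetch.
MD_URL = re.compile(r"!?\[[^\]]*\]\(([^)\s]+)\)")

# Defence-in-depth content signature (AWS access key id shape, PEM private key header).
SENSITIVE = re.compile(r"AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----")


@dataclass
class Decision:
    verdict: str  # "allow" | "deny" | "elevate"
    reason: str


class EgressGate:
    def __init__(self, allowlist, rate=RATE_LIMIT, now=time.monotonic):
        self.allowlist = allowlist
        self.rate = rate
        self.now = now  # injectable clock so the window can be tested deterministically
        self.sends = defaultdict(deque)  # (channel, dest) -> timestamps of allowed sends
        self.approved = set()  # (channel, dest) admitted by the elevation flow

    def approve(self, channel, dest):
        """Stand-in for the approval flow (PR merge / JIT elevation) admitting a novel destination."""
        self.approved.add((channel, dest))

    def _permitted(self, channel, dest):
        return dest in self.allowlist.get(channel, set()) or (channel, dest) in self.approved

    def rendered_fetches(self, body):
        """Hosts an image or link preview would contact when the body is rendered."""
        hosts = set()
        for url in MD_URL.findall(body):
            host = urlparse(url).hostname
            if host:  # relative links trigger no external fetch
                hosts.add(host)
        return hosts

    def check(self, channel, dest, body=""):
        key = (channel, dest)
        # 1. Structural check first: is this destination known for this channel?
        if not self._permitted(channel, dest):
            return Decision("elevate", f"novel destination {dest!r} on {channel}")
        # 2. Rendered URLs are egress too: each fetched host is gated as a destination.
        for host in self.rendered_fetches(body):
            if not self._permitted("render", host):
                return Decision("elevate", f"rendered URL would fetch from {host!r}")
        # 3. Per-destination sliding-window rate limit.
        now = self.now()
        q = self.sends[key]
        while q and now - q[0] > self.rate["window_s"]:
            q.popleft()
        if len(q) >= self.rate["max_sends"]:
            return Decision("deny", f"rate limit exceeded for {dest!r} on {channel}")
        # 4. Content scan last, as defence-in-depth behind the structural checks.
        if SENSITIVE.search(body):
            return Decision("deny", "sensitive-content signature in outbound body")
        q.append(now)  # only counted once the send is actually allowed
        return Decision("allow", "allowlisted destination within rate limit")
```

The ordering is deliberate: the destination and rendered-host checks are decided before any content inspection, so a body that evades the `SENSITIVE` pattern still cannot reach a host that was never approved. A novel destination yields `elevate` rather than `deny`, which is the hook the tenancy / approval gate attaches to; only after `approve()` records the decision does the same call fall through to the rate limit.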
Recipes that advance this criterion
No recipes yet.