- HTTPS_PROXY, HTTP_PROXY, NO_PROXY environment variables. Cooperative libraries read them. Uncooperative subprocesses ignore them. There is no kernel hook that says "this UID's traffic must traverse 127.0.0.1:8888."
- Tool deny-lists at the model layer. "Do not call curl." The model agrees and then writes a Python script that imports requests. The deny-list never sees requests.
- System prompts that say "do not exfiltrate." A system prompt is text inside a context window. The text shapes the model's output distribution. The model is free to be wrong, and a prompt injection further along in the context can rewrite the rules.
- Allowlists in the agent's own configuration. A configuration the agent process can read, the agent process can edit. Anything under ~/.config is asking nicely with extra steps.
- MCP server lists in ~/.mcp.json. Same shape. The agent picks which MCP servers to talk to. If the agent picks a different one, nobody stops it.

- NetworkPolicy in Kubernetes. The CNI drops traffic that does not match the policy. The pod cannot opt out.
- nftables rules with meta skuid matches. The kernel drops traffic from the agent UID that does not match the egress rule. The agent process cannot remove the rule.
- Linux user namespaces with no route to the internet. A process inside the namespace has no IP routes that lead outside. Setting HTTPS_PROXY would be a no-op for traffic that has nowhere to go.
- Capability separation by UID. The agent UID has access to a proxy on loopback. The proxy UID has access to the internet. The agent UID does not.

- The agent runs as a different Linux UID than the operator and the proxy.
- An nftables chain matches meta skuid <agent_uid> and drops everything except DNS to loopback.
- A separate nftables rule allows the proxy UID to reach the internet, because the proxy is the agent's only legitimate exit.
- The operator's UID is unaffected, so the desktop continues to work normally.

- Check whether the agent process and the proxy process run as the same UID. If yes, the agent has direct internet whenever it wants it.
- Check whether your firewall has a rule that mentions the agent UID. If no, the policy is in HTTPS_PROXY and nowhere else.
- Try the bypass. Open a shell as the agent UID, run env -u HTTPS_PROXY -u HTTP_PROXY curl https://example.com, and see what happens. If you get a 200, your enforcement layer is missing.

- Check whether the agent container and the proxy container live in the same pod. If yes, the proxy can scan but cannot prevent.
- Check whether the agent pod has a NetworkPolicy. If no, the agent has direct internet to anything inside or outside the cluster.
- Try the bypass from inside the agent pod. kubectl exec in, curl https://example.com. A 200 is the same problem in a different shape.
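The UID-separated nftables setup described above, written out as an added example (not the article's own ruleset). The UIDs 1001 and 1002, the proxy port 8888 and a resolver on 127.0.0.1:53 are assumptions; substitute your own, then load it with nft -f.

```nft
#!/usr/sbin/nft -f
# Assumed values (replace with the real UIDs and proxy port on your host):
define agent_uid = 1001   # UID the agent process runs as
define proxy_uid = 1002   # UID of the egress proxy on loopback
define proxy_port = 8888  # where the proxy listens on 127.0.0.1

table inet agent_egress {
    chain output {
        # policy accept: the operator's UID and everyone else are unaffected
        type filter hook output priority 0; policy accept;

        # The proxy UID is the agent's only legitimate exit, so it may leave.
        meta skuid $proxy_uid accept

        # The agent UID may only talk to loopback, and on loopback only to
        # DNS and to the proxy.
        meta skuid $agent_uid oif "lo" udp dport 53 accept
        meta skuid $agent_uid oif "lo" tcp dport 53 accept
        meta skuid $agent_uid oif "lo" tcp dport $proxy_port accept

        # Everything else from the agent UID is logged and dropped, no matter
        # what HTTPS_PROXY, a tool deny-list or a system prompt says.
        meta skuid $agent_uid log prefix "agent-egress-drop: " drop
    }
}
```

With this loaded, the bypass check above (env -u HTTPS_PROXY -u HTTP_PROXY curl https://example.com as the agent UID) should hang or fail rather than return 200, and the drop shows up in the kernel log with the agent-egress-drop prefix.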