13 lines
749 B
Markdown
13 lines
749 B
Markdown
# Network Policy
|
|
|
|
Network-capable scripts are allowed only when their outbound boundary is explicit and reviewable.
|
|
|
|
Current policy:
|
|
|
|
- `scripts/check_update.py` may read version metadata from `raw.githubusercontent.com/yaojingang/yao-meta-skill/` over HTTPS.
|
|
- `scripts/github_benchmark_scan.py` may call the GitHub REST API at `api.github.com` over HTTPS.
|
|
- Custom update URLs are denied by default and require explicit operator opt-in plus reviewer awareness.
|
|
- New network-capable scripts must be added to `security/network_policy.json` before a governed or team-distributed release.
|
|
|
|
The trust checker compares HTTPS URL literals in scripts with `security/network_policy.json`. Missing or mismatched host declarations are reported as warnings.
|