Feature A in the Codex handoff brief: docs/handoff/codex-network-policy.md §2.
Extend the merged IPv4-CIDR egress allowlist to support CIDR:port and IPv6:
- LPM value carries the port (0 = any); hook reads `sin_port` and compares after the trie hit.
- Parallel `EGRESS_CIDR6_MAP` (`[u8;16]` key) for IPv6; `gate_remote` branches on family.
- Parser returns `{family, addr, prefix_bits, port}`; unit-test every shape + rejects.
- Gate proves same-IP/different-port → EPERM and IPv6 range hits/misses (`verify-egress-policy`).
Acceptance criteria and CI gotchas are in the brief.
🤖 Generated with Claude Code
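
A sketch of the parser shape listed above, added here as an illustration and not taken from the project's code. The names `Rule`, `Family`, `parse_rule` and `digits` are hypothetical. Assumptions: an IPv6 entry with a port is written `[addr/bits]:port`, an explicit `:0` is rejected, and host bits are zeroed before the key is built.

```rust
use std::net::{Ipv4Addr, Ipv6Addr};

#[derive(Debug, PartialEq)]
pub enum Family { V4, V6 }
#[derive(Debug, PartialEq)]
pub struct Rule { pub family: Family, pub addr: [u8; 16], pub prefix_bits: u8, pub port: u16 }
fn digits(s: &str) -> bool { !s.is_empty() && s.bytes().all(|b| b.is_ascii_digit()) }

/// Parse one allowlist entry. IPv4 occupies addr[..4]; port 0 means "any port".
pub fn parse_rule(s: &str) -> Result<Rule, String> {
    // Assumed syntax: an IPv6 entry needs brackets when a port follows.
    let (cidr, port_str, v6) = if let Some(rest) = s.strip_prefix('[') {
        let (inner, tail) = rest.split_once(']').ok_or("missing ']'")?;
        let p = if tail.is_empty() { None } else { Some(tail.strip_prefix(':').ok_or("junk after ']'")?) };
        (inner, p, true)
    } else if s.matches(':').count() > 1 {
        (s, None, true) // bare IPv6, no port
    } else {
        match s.split_once(':') { Some((c, p)) => (c, Some(p), false), None => (s, None, false) }
    };
    // An explicit ":0" is rejected so a typo cannot widen a rule to every port.
    let port = match port_str {
        None => 0,
        Some(p) if digits(p) => p.parse::<u16>().ok().filter(|n| *n != 0).ok_or("port out of range")?,
        Some(_) => return Err("bad port".into()),
    };
    let (ip, bits) = match cidr.split_once('/') { Some((a, b)) => (a, Some(b)), None => (cidr, None) };
    let max: u8 = if v6 { 128 } else { 32 };
    let prefix_bits = match bits {
        None => max,
        Some(b) if digits(b) => b.parse::<u8>().ok().filter(|n| *n <= max).ok_or("prefix too long")?,
        Some(_) => return Err("bad prefix".into()),
    };
    let mut addr = [0u8; 16];
    if v6 {
        addr = ip.parse::<Ipv6Addr>().map_err(|_| "bad IPv6 address")?.octets();
    } else {
        addr[..4].copy_from_slice(&ip.parse::<Ipv4Addr>().map_err(|_| "bad IPv4 address")?.octets());
    }
    // Zero the host bits so equivalent entries yield one LPM key.
    for (i, b) in addr.iter_mut().enumerate() {
        let keep = (prefix_bits as usize).saturating_sub(i * 8).min(8);
        *b &= (0xFFu16 << (8 - keep)) as u8;
    }
    Ok(Rule { family: if v6 { Family::V6 } else { Family::V4 }, addr, prefix_bits, port })
}
fn main() { // constructed sample entries
    for e in ["10.0.0.0/8:443", "[2001:db8::/32]:443", "10.0.0.1:0"] { println!("{e} -> {:?}", parse_rule(e)); }
}
```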