feat: support host wildcards and multi-port endpoints in network policies

[johntmyers]

Problem Statement

The policy engine's endpoints[].host field only supports case-insensitive exact matching (sandbox-policy.rego:98). There is no way to express "allow all subdomains of example.com" without listing every subdomain individually. This is a common need — CDNs, API gateways, and cloud services often use many subdomains under a single root.

Similarly, endpoints[].port is a single uint32 (sandbox.proto:59). Services that listen on multiple ports (e.g., HTTP + HTTPS, or a database with primary + read replica ports) require duplicating the entire endpoint block for each port.

Proposed Design

1. Host Wildcards

Add glob-style wildcard support to endpoints[].host, evaluated via glob.match in Rego (same engine already used for binary paths and L7 URL paths).

Supported patterns:

Pattern	Matches	Does not match
*.example.com	api.example.com, cdn.example.com	example.com, deep.sub.example.com
**.example.com	api.example.com, deep.sub.example.com	example.com
example.com	example.com (exact, unchanged behavior)	api.example.com

Use "." as the glob delimiter (instead of "/" used for paths) so * matches a single DNS label and ** matches across labels.

Rego changes — add a third endpoint_allowed clause:

# Endpoint matching: glob host pattern + port.
endpoint_allowed(policy, network) if {
    some endpoint
    endpoint := policy.endpoints[_]
    contains(endpoint.host, "*")
    glob.match(endpoint.host, ["."], lower(network.host))
    endpoint.port == network.port
}

The existing exact-match clause (sandbox-policy.rego:95-100) stays unchanged — no wildcards means exact match, same as binary path matching.

Proto: No change needed — host is already a string.

2. Multi-Port Endpoints

Allow port to accept either a single integer or an array of integers in the YAML policy format while keeping the proto backwards compatible.

Option: keep proto as uint32 port + add repeated uint32 ports

message NetworkEndpoint {
  string host = 1;
  uint32 port = 2;               // Single port (existing, backwards compat)
  repeated uint32 ports = 9;     // Multiple ports (new)
  // ... rest unchanged
}

At validation/normalization time:

• If port is set and ports is empty → treat as ports: [port]
• If ports is non-empty and port is 0 → use ports as-is
• If both are set → reject with a validation error (mutually exclusive, same pattern as access vs rules)

YAML surface (handled by serde deserialization):

# Single port (existing syntax, still works)
endpoints:
  - host: api.example.com
    port: 443

# Multiple ports (new syntax)
endpoints:
  - host: api.example.com
    ports: [443, 8443]

Rego changes — iterate over normalized ports array:

endpoint_allowed(policy, network) if {
    some endpoint
    endpoint := policy.endpoints[_]
    lower(endpoint.host) == lower(network.host)
    endpoint.ports[_] == network.port
}

Normalization (port → ports array) should happen in Rust before passing data to the Rego engine, so Rego always sees ports as an array.

Alternatives Considered

Host wildcards via regex: Rejected — regex is more powerful than needed and inconsistent with the rest of the policy engine which uses globs everywhere. Glob with . delimiter maps naturally to DNS labels.

Host wildcards via a separate host_pattern field: Adds unnecessary surface area. The contains(host, "*") detection pattern is already established for binary paths and works well.

Multi-port via string port with comma syntax (e.g., "443,8443"): Fragile, requires string parsing, and doesn't compose well with proto typing. A proper repeated uint32 is cleaner.

Multi-port via port ranges (e.g., 443-8443): Over-broad — opens all intermediate ports. Explicit enumeration is safer for a security-critical field.

Agent Investigation

Current implementation references:

• Host matching (exact only): crates/openshell-sandbox/data/sandbox-policy.rego:95-100
• Hostless endpoint matching: sandbox-policy.rego:105-111
• Port field proto definition: proto/sandbox.proto:59 — uint32 port = 2
• Glob matching precedent (binary paths): sandbox-policy.rego:132-141 — uses contains(b.path, "*") to detect glob patterns, then glob.match(pattern, ["/"], path)
• Glob matching precedent (L7 URL paths): sandbox-policy.rego:211-215
• Endpoint matching test coverage: crates/openshell-sandbox/src/opa.rs:825-842 (case-insensitive host), opa.rs:1823-1841 (hostless endpoints)
• Policy validation: crates/openshell-policy/src/lib.rs:461-535

The glob infrastructure is already in the Rego policy — this feature extends the same pattern to a new field. The multi-port change is a normalization concern handled in Rust before Rego evaluation.

[johntmyers]

🏗️ build-plan

Implementation Plan

Issue type: feat
Complexity: Medium
Confidence: High — both features follow existing patterns (binary glob matching, access preset normalization)

Summary

Add glob-style host wildcards (*.example.com) to endpoints[].host using OPA's glob.match with . as delimiter, and add a ports array field for multi-port endpoints with backwards-compatible normalization from the existing port field. The Rego policy already demonstrates both the glob.match and contains(x, "*") detection patterns for binary paths — this extends those patterns to endpoint matching.

Scope

• proto/sandbox.proto: Add repeated uint32 ports = 9 to NetworkEndpoint
• crates/openshell-policy/src/lib.rs: Add ports to YAML serde types, normalization in to_proto()/from_proto(), validation for ports and host wildcard patterns
• crates/openshell-sandbox/data/sandbox-policy.rego: Split endpoint_allowed into exact/glob host rules, change endpoint.port → endpoint.ports[_] in all rules, add glob host matching to endpoint_matches_request
• crates/openshell-sandbox/src/opa.rs: Update both proto_to_opa_data_json() (proto path) and preprocess_yaml_data() (YAML path) to emit ports array; deprecate or fix reload() bypass; add ~18 new tests
• crates/openshell-sandbox/src/l7/mod.rs: Update validate_l7_policies() to read ports array and validate wildcard hosts
• crates/openshell-sandbox/src/mechanistic_mapper.rs: Emit ports field in generated NetworkEndpoint proposals
• architecture/security-policy.md: Document new features
• .agents/skills/generate-sandbox-policy/SKILL.md: Update examples and schema reference

Critical: Two Independent OPA Data Conversion Paths

There is no single choke point for policy-to-OPA-JSON conversion. The port → ports normalization must happen in two places:

1. Proto path — proto_to_opa_data_json() at opa.rs:592 manually constructs {"host": e.host, "port": e.port} via serde_json::json!(). Used by the gateway (gRPC initial load via from_proto(), hot-reload via reload_from_proto(), disk discovery).

2. YAML path — preprocess_yaml_data() at opa.rs:516 parses YAML via serde_yaml::from_str into serde_json::Value. The port value passes through as-is from the YAML. Used by from_files() and from_strings() (local dev overrides, all test helpers).

Both paths converge on the shared validate_l7_policies() and expand_access_presets() pipeline before loading into regorus. The normalization for each path:

• Proto path: Change JSON construction in proto_to_opa_data_json() to emit "ports": [e.port] (or e.ports if populated) instead of "port": e.port.
• YAML path: Add a normalization step in preprocess_yaml_data() after serde_yaml parse and before validation — walk each endpoint and convert "port": N → "ports": [N].

There is also a raw bypass — OpaEngine::reload() at opa.rs:278 loads YAML directly into regorus via regorus::Value::from_yaml_str(), skipping all preprocessing, L7 validation, and preset expansion. Currently only called from one test (reload_replaces_policy at opa.rs:926). This must be updated to route through preprocess_yaml_data() or be removed to prevent future divergence.

Implementation Steps

1. Proto + normalization layer — Add repeated uint32 ports = 9 to proto, add ports to YAML serde type, implement port↔ports normalization in to_proto()/from_proto(), add validation. Existing tests should not break (proto default for repeated is []).
2. OPA data JSON conversion (both paths) — Update proto_to_opa_data_json() to emit ports array. Add port → ports normalization step to preprocess_yaml_data(). Fix or remove reload() bypass. These changes and Step 3 must land together since Rego will reference endpoint.ports[_].
3. Rego multi-port — Change endpoint.port == network.port → endpoint.ports[_] == network.port in all endpoint_allowed and endpoint_matches_request rules. Coordinated with Step 2 (same commit). Add multi-port tests.
4. Rego host wildcards — Add new endpoint_allowed and endpoint_matches_request clauses using contains(endpoint.host, "*") guard + glob.match(lower(endpoint.host), ["."], lower(network.host)). Add host wildcard tests.
5. L7 + policy validation — Update validate_l7_policies() for ports array and wildcard host validation (reject bare *, require *. prefix, warn on shallow patterns like *.com). Update mechanistic mapper.
6. Documentation — Update architecture/security-policy.md and generate-sandbox-policy skill.

Test Plan

• Unit tests (crates/openshell-sandbox/src/opa.rs):
  • Multi-port: multi_port_endpoint_matches_first_port, multi_port_endpoint_matches_second_port, multi_port_endpoint_rejects_unlisted_port, single_port_backwards_compat, l7_multi_port_request_evaluation, hostless_endpoint_multi_port
  • Host wildcards: wildcard_host_matches_subdomain, wildcard_host_rejects_deep_subdomain, wildcard_host_rejects_exact_domain, wildcard_host_case_insensitive, wildcard_host_plus_port, wildcard_host_l7_rules_apply, wildcard_host_l7_endpoint_config_returned
  • Combined: wildcard_host_multi_port
• Unit tests (crates/openshell-policy/src/lib.rs): parse_ports_array, parse_single_port_normalized_to_ports, round_trip_preserves_multi_port, validate_rejects_bare_wildcard_host, validate_accepts_valid_wildcard
• Unit tests (crates/openshell-sandbox/src/l7/mod.rs): validate_ports_array_rest_443_warns, validate_wildcard_host_star_only_error
• Integration tests: N/A — the OPA tests are already integration-level (Rego + Rust via regorus)
• E2E tests: N/A — no changes to e2e/ expected; proxy behavior is unchanged at the transport layer

Risks & Open Questions

• regorus glob.match delimiter behavior — Must verify that glob.match("*.example.com", ["."], "api.example.com") works correctly in regorus. The glob.match built-in is already used for binary paths with "/" but has not been tested with ".". Highest-risk item — mitigated by comprehensive tests in Step 4.
• Coordinated Rego + JSON change — Steps 2 and 3 (JSON emitting ports array + Rego reading endpoint.ports[_]) must land in the same commit. If only one side changes, all policy evaluation breaks.
• Two conversion paths must stay in sync — proto_to_opa_data_json() and preprocess_yaml_data() must both produce the same ports array format. The shared validate_l7_policies() downstream will catch structural mismatches, but a normalization bug in one path could slip through if tests only exercise the other.
• reload() bypass — Currently test-only, but a latent divergence risk. Must be fixed as part of this work.
• Overly broad wildcards — *.com or *.* are dangerous. Validation rejects bare * and requires *. prefix; warns on patterns with ≤2 labels.
• allowed_ips + wildcards interaction — Works naturally: OPA grants the CONNECT based on wildcard host match, then the proxy validates resolved IPs against allowed_ips. No special handling needed.

Documentation Impact

• architecture/security-policy.md: Document host wildcard syntax, delimiter semantics, multi-port syntax, backwards compat behavior
• .agents/skills/generate-sandbox-policy/SKILL.md: Update examples and schema reference

---

Revision 2 — clarified two independent OPA data conversion paths (proto vs YAML), reload() bypass risk, coordinated landing requirement for Steps 2+3
Revision 1 — initial plan

[johntmyers]

🏗️ build-from-issue-agent

Implementation Complete

PR: #366

What was built

Host wildcard support (*.example.com) for endpoints[].host using glob matching with . as delimiter, and multi-port endpoints via a ports array field — backwards compatible with existing single-port policies.

Tests

• Unit: 33 tests added (18 OPA, 7 policy lib, 8 L7 validation)
• E2E: 6 tests added (3 multi-port, 3 host wildcard)

Docs updated

• architecture/security-policy.md

The issue will auto-close when the PR is merged.