The Cedar policy was nine lines long and it governed every byte that left the container.
permit(principal == Agent::"claude", action == Action::"net.connect", resource == Resource::"api.anthropic.com:443");
permit(principal == Agent::"claude", action == Action::"net.connect", resource == Resource::"registry.npmjs.org:443");
// Cedar lets a satisfied forbid override every permit, so a bare deny-all would also block the two hosts above; the unless clause carves them out.
forbid(principal, action == Action::"net.connect", resource)
unless { resource in [Resource::"api.anthropic.com:443", Resource::"registry.npmjs.org:443"] };
Two permits. One deny-all. The agent could talk to its own API and to the npm registry. Everything else was a wall.
Navan had written the policy after the team's Tuesday discussion about egress control. Justin had framed the problem in his characteristically clear way: "An agent that can make arbitrary network connections is an agent that can exfiltrate data. An agent that can only connect to an explicit allowlist is an agent you can reason about."
The test came on Thursday. The agent was working on a module that needed to fetch a dependency. It reached out to registry.npmjs.org. The Cedar policy evaluated the request, matched the permit rule, and the connection went through. The package downloaded. Normal.
Then the agent did something unexpected. It attempted a connection to telemetry.example.com on port 443. The request appeared in the network log: a DNS resolution followed by a TCP SYN packet that never received a SYN-ACK, because Leash intercepted the connection attempt before it reached the network stack.
The Cedar policy evaluated the request. No matching permit rule. The default deny engaged. Connection refused.
The agent received a connection error. It logged the failure internally and moved on to its next task. No retry. No alternative route. No attempt to tunnel the connection through an allowed domain. Just a clean failure and a continuation.
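The decision flow described above, worked through in code. This is an added example, not code from the original post, from Leash, or from the Cedar project: a tiny evaluator for just the grammar these three policies use (an assumption made for the example, far narrower than real Cedar), applying Cedar's documented rule that a satisfied forbid overrides every permit, a satisfied permit allows when no forbid fires, and anything else is denied. It runs two constructed policy texts against the two constructed connection attempts from the story: the policy exactly as printed, and a variant whose deny-all carves out the allowlisted hosts.

```python
"""Small Cedar-subset evaluator for an egress allowlist.  Added example, not
from the original post, Leash, or Cedar.  Supported grammar (an assumption
for this example, far narrower than real Cedar):

    effect(principal[ == T::"id"], action[ == T::"id"], resource[ == T::"id"])
        [unless { resource in [T::"id", ...] }];

Decision rule (Cedar's documented one): a satisfied forbid overrides every
permit; with no satisfied forbid, one satisfied permit allows; otherwise deny.
Policy texts and connection attempts below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three policies exactly as the story prints them.
POLICY_AS_WRITTEN = '''
permit(principal == Agent::"claude", action == Action::"net.connect", resource == Resource::"api.anthropic.com:443");
permit(principal == Agent::"claude", action == Action::"net.connect", resource == Resource::"registry.npmjs.org:443");
forbid(principal, action == Action::"net.connect", resource);
'''

# Same intent, but the deny-all carves out the allowlisted hosts so the permits can win.
POLICY_WITH_CARVEOUT = '''
permit(principal == Agent::"claude", action == Action::"net.connect", resource == Resource::"api.anthropic.com:443");
permit(principal == Agent::"claude", action == Action::"net.connect", resource == Resource::"registry.npmjs.org:443");
forbid(principal, action == Action::"net.connect", resource)
unless { resource in [Resource::"api.anthropic.com:443", Resource::"registry.npmjs.org:443"] };
'''

_STMT = re.compile(
    r'(permit|forbid)\s*\((.*?)\)\s*'
    r'(?:unless\s*\{\s*resource\s+in\s*\[(.*?)\]\s*\})?\s*;', re.S)
_EQ = re.compile(r'^(principal|action|resource)\s*==\s*(\w+::"[^"]*")$')
_ENTITY = re.compile(r'\w+::"[^"]*"')


@dataclass(frozen=True)
class Policy:
    effect: str                          # "permit" or "forbid"
    principal: Optional[str]             # None means any principal
    action: Optional[str]
    resource: Optional[str]
    unless_resources: frozenset = frozenset()

    def satisfied(self, principal: str, action: str, resource: str) -> bool:
        scope_ok = all(want is None or want == got for want, got in (
            (self.principal, principal), (self.action, action), (self.resource, resource)))
        return scope_ok and resource not in self.unless_resources


def parse_policies(text: str) -> List[Policy]:
    policies = []
    for effect, scope, carveout in _STMT.findall(text):
        slots: Dict[str, Optional[str]] = {"principal": None, "action": None, "resource": None}
        for cond in (c.strip() for c in scope.split(",")):
            if cond in slots:
                continue                                   # bare variable matches anything
            m = _EQ.match(cond)
            if not m:
                raise ValueError(f"unsupported condition: {cond!r}")
            slots[m.group(1)] = m.group(2)
        policies.append(Policy(effect, unless_resources=frozenset(_ENTITY.findall(carveout)), **slots))
    return policies


def authorize(policies: List[Policy], principal: str, action: str, resource: str) -> str:
    """Cedar decision for one request."""
    hits = [p for p in policies if p.satisfied(principal, action, resource)]
    if any(p.effect == "forbid" for p in hits):
        return "Deny"                                      # forbid overrides permit
    if any(p.effect == "permit" for p in hits):
        return "Allow"
    return "Deny"                                          # implicit default: nothing permitted


# Constructed: the two outbound attempts the story describes, in order.
ATTEMPTS = ["registry.npmjs.org:443", "telemetry.example.com:443"]


def decide_egress(policy_text: str, principal: str = 'Agent::"claude"',
                  attempts: List[str] = ATTEMPTS) -> Dict[str, str]:
    """Map each host:port to the net.connect decision the policy text yields."""
    policies = parse_policies(policy_text)
    return {host: authorize(policies, principal, 'Action::"net.connect"', f'Resource::"{host}"')
            for host in attempts}


if __name__ == "__main__":
    for label, text in (("as written", POLICY_AS_WRITTEN), ("with carve-out", POLICY_WITH_CARVEOUT)):
        print(label, decide_egress(text))
```

The second run reproduces the story: registry allowed, telemetry denied, and any principal other than the agent denied everywhere. The first run shows why the carve-out matters: with a bare deny-all, forbid-overrides-permit means the npm registry is blocked too. Since Cedar already denies by default, the explicit forbid adds nothing but the risk of that mistake unless it is written with the exception.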
"Where did that telemetry endpoint come from?" Jay asked, reviewing the session logs.
Navan traced it. The npm package the agent had installed included a post-install script that attempted to phone home to a telemetry service. The package itself was legitimate—a widely-used utility library. But its telemetry behavior was undisclosed in the documentation and would have gone unnoticed in an unmonitored environment.
"This is exactly the scenario," Justin said. "It's not the agent being malicious. It's the agent executing code that contains behavior the agent doesn't understand. The network boundary catches what the agent can't catch about itself."
Navan updated the policy documentation to include this case study, adding a note: "Network egress policies protect against supply chain telemetry, not just agent misbehavior. The agent is not the only thing running inside the container."
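A pre-install counterpart to the runtime wall above, as an added example that is not part of the original post or of npm. npm runs a dependency's `preinstall`, `install` and `postinstall` lifecycle scripts during `npm install`, which is how the package in the story phoned home before the agent ever imported it. The check lists those hooks from a package.json and flags any whose command line looks network-capable. Both manifests are constructed, and the keyword pattern is a heuristic chosen for this example, not something npm provides.

```python
"""Install-time lifecycle-script check.  Added example, not code from the
original post or from npm.  Lists the hooks npm executes at install time and
flags the ones whose command line shows obvious signs of network use.  The
manifests are constructed; NETWORK_HINTS is a heuristic for this example."""
import json
import re
from typing import Dict, List

INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic only: obvious signs that a one-line script reaches the network.
NETWORK_HINTS = re.compile(
    r"\bcurl\b|\bwget\b|https?://|\bhttps?\.(?:request|get)\b|\bnet\.connect\b|\bfetch\(")

# Constructed manifest modelled on the story: a legitimate-looking utility
# whose postinstall hook pings a telemetry host.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-utility",
    "version": "1.2.3",
    "scripts": {
        "build": "tsc -p .",
        "test": "node test/run.js",
        "postinstall": "node -e \"require('https').get('https://telemetry.example.com/ping')\"",
    },
})

# Constructed: an install hook that only runs a local file, whose contents the
# keyword heuristic cannot see.
QUIET_PACKAGE_JSON = json.dumps({
    "name": "example-native",
    "version": "0.1.0",
    "scripts": {"postinstall": "node scripts/setup.js"},
})


def install_time_scripts(manifest_text: str) -> Dict[str, str]:
    """Return the lifecycle hooks that npm would execute at install time."""
    scripts = json.loads(manifest_text).get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def flag_network_hooks(manifest_text: str) -> List[str]:
    """Names of install-time hooks whose command matches a network hint."""
    return [hook for hook, cmd in install_time_scripts(manifest_text).items()
            if NETWORK_HINTS.search(cmd)]


if __name__ == "__main__":
    for text in (SAMPLE_PACKAGE_JSON, QUIET_PACKAGE_JSON):
        print(json.loads(text)["name"], install_time_scripts(text), flag_network_hooks(text))
```

The quiet manifest is the point: a hook that just runs `node scripts/setup.js` is listed but not flagged, because the network call lives in a file the manifest check never reads. That is why the check only narrows what gets reviewed, while the egress policy in the story remains the control that actually decides. Running installs with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) skips these hooks entirely, at the cost of packages that genuinely need them.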
He saved the file. Nine lines of Cedar. A wall with exactly two doors. And behind those doors, only the traffic the team had decided to trust.
The telemetry endpoint would keep trying. The policy would keep saying no. Neither would get tired. That was the beauty of machines arguing with machines: infinite patience on both sides.
The npm package phoning home through a post-install script is so real it hurts. This happens constantly in the wild and most people never notice. Network egress policies are the answer.