network-exposure-baseline

Official

Block accidental public network exposure

Author: Arcanada-one
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

This Skill prevents breaches-by-default by enforcing an explicit, time-bounded allowlist/blocklist for network bind targets before any port or listener change.

Core Features & Use Cases

  • Tiered exposure policy (Tier 0–3): Automatically classifies bind targets such as loopback, Tailscale ranges, and public-internet listeners, so that the safe option is the default path.
  • Justification + TTL gate for public exposure (Tier 3): Requires an exposure justification plus an x-exposure-expires date that must be unexpired and ≤ 90 days from the file’s last modification time.
  • Verifier integration across common surfaces: Enforces policy across docker-compose.yml ports, redis.conf bind/protected-mode, postgresql.conf listen addresses, systemd .socket ListenStream, firewall/UFW rules, and runtime bind arguments.
  • Pipeline consumption for consistent enforcement: Used by PRD/plan/do/archive pipeline stages to warn, hard-block, and validate that Tier 3 justifications remain current.
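A sketch of the tier classification and the Tier 3 justification + TTL gate described above, applied to docker-compose short-syntax port entries. This is an added example, not the Skill's own code: the function names, the Tier 0/1/2 numbering, and the treatment of wildcard binds as Tier 3 are assumptions; only "Tier 3 = public exposure", the x-exposure-expires field and the 90-day limit come from the page.

```python
import ipaddress
from datetime import date, timedelta

# Tailscale address ranges (CGNAT IPv4 block and Tailscale's IPv6 ULA prefix).
TAILSCALE = [ipaddress.ip_network("100.64.0.0/10"),
             ipaddress.ip_network("fd7a:115c:a1e0::/48")]
MAX_TTL = timedelta(days=90)  # limit stated on the page

def compose_port_host(spec):
    """Host IP of a compose short-syntax port ("IP:HOST:CONTAINER"), "" if none given."""
    parts = spec.split("/")[0].rsplit(":", 2)
    return parts[0].strip("[]") if len(parts) == 3 else ""

def classify_bind(host):
    """Exposure tier for a bind address (0/1/2 numbering is an assumption)."""
    if host in ("", "*", "0.0.0.0", "::"):
        return 3  # all interfaces: treated as public exposure (assumption)
    if host == "localhost":
        return 0
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return 0
    if any(addr in net for net in TAILSCALE):
        return 1
    if addr.is_private or addr.is_link_local:
        return 2
    return 3

def tier3_gate(justification, expires, file_mtime, today):
    """Violations for a Tier 3 listener; an empty list means the exposure is allowed."""
    problems = []
    if not (justification or "").strip():
        problems.append("missing justification")
    if expires is None:
        problems.append("missing x-exposure-expires")
    elif expires < today:  # expiry on 'today' itself counts as unexpired (assumption)
        problems.append("x-exposure-expires is in the past")
    elif expires - file_mtime > MAX_TTL:
        problems.append("x-exposure-expires is more than 90 days after last modification")
    return problems

def check_port(spec, justification, expires, file_mtime, today):
    """Classify one port entry and run the gate only when it lands in Tier 3."""
    tier = classify_bind(compose_port_host(spec))
    gated = tier3_gate(justification, expires, file_mtime, today) if tier == 3 else []
    return tier, gated
```

A compose entry such as `"8080:80"` has no host IP, so Docker publishes it on all interfaces and it falls into Tier 3 here, while `"127.0.0.1:8080:80"` stays in Tier 0.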

Quick Start

Load the network-exposure-baseline skill before editing docker-compose.yml, redis.conf, postgresql.conf, systemd .socket units, or firewall rules that change any bind or published port.

Dependency Matrix

Required Modules

None required

Components

references

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: network-exposure-baseline
Download link: https://github.com/Arcanada-one/datarim/archive/main.zip#network-exposure-baseline

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.