{
  "id": "container_network_policy",
  "label": "Container Network Policy Canonical",
  "phase": "phase-04",
  "category": "containerization",
  "status": "ACTIVE_DH_MIRROR",
  "purpose": "Define how DEVON-DEV containers communicate, which services are public, which services remain internal, which flows are restricted and which ports must never be exposed.",
  "function": "Prevent containerization from becoming mere process isolation by declaring network class, ingress path, exposed ports, blocked ports, permitted service-to-service communication and forbidden flows before any runtime traffic is allowed.",
  "network_policy_contract": {
    "requires_internal_networks": true,
    "requires_public_networks": true,
    "requires_exposed_ports": true,
    "requires_blocked_ports": true,
    "requires_allowed_service_communication": true,
    "requires_forbidden_service_communication": true,
    "requires_public_internal_restricted_classification": true,
    "requires_backend_only_services": true,
    "requires_fsm_or_tool_boundary_only_services": true,
    "blocks_public_database": true,
    "blocks_public_secrets_manager": true,
    "blocks_public_llm_runtime": true,
    "blocks_public_vector_index": true,
    "requires_reverse_proxy_boundary": true,
    "decision_authority": "NONE_FSM_DECIDES"
  },
  "service_network_examples": {
    "devon_web_ui_to_devon_api_core": "allowed",
    "devon_api_core_to_devon_fsm_core": "allowed",
    "devon_api_core_to_devon_rag_service": "allowed",
    "devon_fsm_core_to_rule_registry": "allowed",
    "devon_db_public_access": "blocked",
    "devon_secrets_manager_public_access": "blocked",
    "devon_llm_runtime_public_access": "blocked",
    "devon_vector_index_public_access": "blocked"
  },
  "technology_requirements": [
    {
      "technology": "Docker networks",
      "required_for": "Separate public, internal and restricted DEVON-DEV container communication paths before runtime traffic is allowed.",
      "required_by_phase": "phase-04",
      "required_by_category": "container_network_policy",
      "required_by_buckets": [
        "Prerequisites",
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until Docker runtime and network topology are materially present",
      "validation_command": "MISSING until Docker network inspect can prove public, internal and restricted networks with service membership",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/container_network_policy_canonical.json",
      "status_source": "Documentation Hub + future Docker runtime support + Execution Ledger",
      "blocking_if_missing": true,
      "failure_impact": "Without Docker network governance, DEVON-DEV containers may communicate through default networks without declared isolation or auditable service boundaries."
    },
    {
      "technology": "Docker Compose network segmentation",
      "required_for": "Declare service-to-service communication paths, internal-only services, restricted services and public ingress boundaries in Compose topology.",
      "required_by_phase": "phase-04",
      "required_by_category": "container_network_policy",
      "required_by_buckets": [
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery"
      ],
      "expected_version": "MISSING until Compose topology exists with explicit network segmentation",
      "validation_command": "MISSING until compose config can prove service networks, exposed ports, internal ports and restricted service placement",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/container_network_policy_canonical.json",
      "status_source": "Documentation Hub + future Compose config + Docker runtime support",
      "blocking_if_missing": true,
      "failure_impact": "Without Compose network segmentation, DEVON-DEV can expose internal services by default or connect unrelated services through broad shared networks."
    },
    {
      "technology": "Local firewall",
      "required_for": "Enforce host-level inbound and routed traffic boundaries around public ports, restricted service ports and blocked service exposure.",
      "required_by_phase": "phase-04",
      "required_by_category": "container_network_policy",
      "required_by_buckets": [
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery"
      ],
      "expected_version": "MISSING until firewall policy is mapped to container ingress and reverse proxy boundaries",
      "validation_command": "MISSING until firewall status can prove allowed inbound ports, denied internal service ports and routed traffic constraints",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/container_network_policy_canonical.json",
      "status_source": "Documentation Hub + future host runtime support + security monitoring",
      "blocking_if_missing": true,
      "failure_impact": "Without local firewall alignment, Docker or proxy configuration can accidentally expose sensitive services despite documented container policy."
    },
    {
      "technology": "Reverse proxy rules",
      "required_for": "Expose only approved public routes while keeping API, database, secrets, LLM runtime, vector index and restricted service surfaces behind explicit routing boundaries.",
      "required_by_phase": "phase-04",
      "required_by_category": "container_network_policy",
      "required_by_buckets": [
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until reverse proxy/TLS baseline and route policy are materially defined",
      "validation_command": "MISSING until reverse proxy config can prove public routes, backend routes, blocked routes and service target mapping",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/container_network_policy_canonical.json",
      "status_source": "Documentation Hub + future reverse proxy config + host runtime support",
      "blocking_if_missing": true,
      "failure_impact": "Without reverse proxy rules, public ingress can bypass intended service boundaries or expose internal API surfaces directly."
    },
    {
      "technology": "Service allowlist",
      "required_for": "Declare which DEVON-DEV services may talk to each other and which service pairs are forbidden by architecture, risk or FSM boundary.",
      "required_by_phase": "phase-04",
      "required_by_category": "container_network_policy",
      "required_by_buckets": [
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until service communication matrix exists",
      "validation_command": "MISSING until service allowlist can prove allowed flow, denied flow, service class and access boundary",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/container_network_policy_canonical.json",
      "status_source": "Documentation Hub + future service registry + Execution Ledger",
      "blocking_if_missing": true,
      "failure_impact": "Without a service allowlist, DEVON-DEV cannot prove that sensitive services are reachable only by the backend, FSM or Tool Boundary."
    }
  ],
  "depends_on": [
    "cdms",
    "server_workspace_manager",
    "environment_registry",
    "container_image_registry_build_pipeline",
    "deployment_order",
    "tool_registry",
    "config_registry",
    "fsm_absolute_decision",
    "decision_rule_registry",
    "architecture_source_registry"
  ],
  "used_by": [
    "volume_persistence_governance",
    "production_deployment_gate",
    "runtime_status",
    "host_runtime_support",
    "docker_runtime_support",
    "security_monitoring",
    "rbac_permissions",
    "secrets_management",
    "observability_core",
    "future_execution_monitoring_panel"
  ]
}
