Add Network Door, Mesh Door, BYOM, and native assistant contracts by mdheller · Pull Request #79 · SourceOS-Linux/sourceos-spec

mdheller · 2026-05-02T15:44:52Z

Summary

Adds SourceOS contracts for enterprise/user networking, firewall bindings, mesh bindings, bring-your-own-model endpoints, and native assistant bridges.

This responds to the enterprise and cross-device requirement: SourceOS must work behind corporate firewalls, user firewalls, service meshes, and native assistant surfaces without granting ambient network or device privileges.

Changes

Adds schemas:

schemas/NetworkAccessProfile.json
schemas/FirewallBindingProfile.json
schemas/MeshBindingProfile.json
schemas/ExternalModelProviderProfile.json
schemas/NativeAssistantBridgeProfile.json

Adds examples:

examples/network_access_profile.enterprise_and_user.json
examples/firewall_binding_profile.macos_lulu_user.json
examples/firewall_binding_profile.enterprise_gateway.json
examples/mesh_binding_profile.istio_admiral_enterprise.json
examples/external_model_provider_profile.byom_openai_compatible.json
examples/native_assistant_bridge_profile.apple_app_intents.json

Adds docs:

docs/contract-additions/network-assistant-model-doors.md
contract additions index update

Design posture

Separate enterprise and user network profiles.
Enterprise deny rules have precedence over user allow rules.
User firewall profiles may be stricter than enterprise profiles.
BYOM endpoints are first-class ExternalModelProviderProfile objects.
Endpoint auth is always a reference, never an inline secret.
Mesh policy and firewall policy are complementary.
Native assistant integration uses declared bridge profiles and explicit capabilities.
Apple/Siri/Shortcuts-style integration is modeled as an App Intents bridge, not raw assistant access.
Prompt egress and cross-device handoff are denied by default.

Boundary

This does not vendor or implement Istio, Admiral, LuLu, Cilium, enterprise gateways, or native assistant runtimes. It defines the contract layer for downstream implementation in sourceos-devtools, model-router, AgentPlane, Sociosphere, and guardrail/policy surfaces.

Validation

Expected validation:

python -m json.tool schemas/NetworkAccessProfile.json
python -m json.tool examples/network_access_profile.enterprise_and_user.json

mdheller added 13 commits May 2, 2026 11:33

Add NetworkAccessProfile schema

cc354e1

Add FirewallBindingProfile schema

864ba9c

Add MeshBindingProfile schema

9dd6acc

Add ExternalModelProviderProfile schema

76dd039

Add NativeAssistantBridgeProfile schema

1e5dde4

Add enterprise and user network access profile example

1f58bfc

Add macOS LuLu-style firewall binding example

e0de3f0

Add enterprise gateway firewall binding example

9c2cdaa

Add Istio/Admiral mesh binding example

0f73a3b

Add BYOM OpenAI-compatible provider example

2b0bc44

Add Apple App Intents native assistant bridge example

6cfcdd8

Document network assistant and BYOM contract additions

f40b93e

Index network assistant and BYOM contract addition

6eac960

mdheller merged commit 48f454f into main May 2, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add Network Door, Mesh Door, BYOM, and native assistant contracts#79

Add Network Door, Mesh Door, BYOM, and native assistant contracts#79
mdheller merged 13 commits intomainfrom
feat/network-assistant-model-doors

mdheller commented May 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

mdheller commented May 2, 2026

Summary

Changes

Design posture

Boundary

Validation

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant