Fluid Forge
Why Forge
Concepts
Get Started
  • Consume a Data Product
  • See it run
  • Demos
  • Local (DuckDB)
  • Source-Aligned (Postgres → DuckDB)
  • AI Forge + Data Models
  • MCP Output Port — Serve to AI Agents
  • GCP (BigQuery)
  • Snowflake Team Collaboration
  • Declarative Airflow
  • Orchestration Export
  • Jenkins CI/CD
  • Universal Pipeline
  • 11-Stage Production Pipeline
  • Catalog Forge End-to-End
CLI Reference
  • Agent Policy (concept)
  • MCP Output Port — Serve to Agents
  • MCP deep-dive
  • AI-assisted authoring
  • LLM providers & backends
  • Overview
  • Quickstart
  • Examples
  • Your own CI
  • Your own scaffolding
  • Custom validator
  • Apply hook
  • Reference
  • Overview
  • Architecture
  • GCP (BigQuery)
  • AWS (S3 + Athena)
  • Snowflake
  • Local (DuckDB)
  • Custom Providers
  • Roadmap
GitHub
Why Forge
Concepts
Get Started
  • Consume a Data Product
  • See it run
  • Demos
  • Local (DuckDB)
  • Source-Aligned (Postgres → DuckDB)
  • AI Forge + Data Models
  • MCP Output Port — Serve to AI Agents
  • GCP (BigQuery)
  • Snowflake Team Collaboration
  • Declarative Airflow
  • Orchestration Export
  • Jenkins CI/CD
  • Universal Pipeline
  • 11-Stage Production Pipeline
  • Catalog Forge End-to-End
CLI Reference
  • Agent Policy (concept)
  • MCP Output Port — Serve to Agents
  • MCP deep-dive
  • AI-assisted authoring
  • LLM providers & backends
  • Overview
  • Quickstart
  • Examples
  • Your own CI
  • Your own scaffolding
  • Custom validator
  • Apply hook
  • Reference
  • Overview
  • Architecture
  • GCP (BigQuery)
  • AWS (S3 + Athena)
  • Snowflake
  • Local (DuckDB)
  • Custom Providers
  • Roadmap
GitHub
  • Introduction

    • Home
    • Why Fluid Forge
    • Getting Started
    • Snowflake Quickstart
    • See it run
    • Forge Data Model
    • Vision & Roadmap
    • Playground
    • FAQ
  • Concepts

    • Concepts
    • Builds, Exposes, Bindings
    • What is a contract?
    • Quality, SLAs & Lineage
    • Governance & Policy
    • Agent Policy (LLM/AI governance)
    • Providers vs Platforms
    • Fluid Forge vs alternatives
  • Data Products

    • Consume a Data Product
    • Product Types — SDP, ADP, CDP
  • Walkthroughs

    • Walkthrough: Local Development
    • Source-Aligned: Postgres → DuckDB → Parquet
    • AI Forge And Data-Model Journeys
    • Walkthrough: MCP Output Port
    • Walkthrough: Deploy to Google Cloud Platform
    • Walkthrough: Snowflake Team Collaboration
    • Declarative Airflow DAG Generation - The FLUID Way
    • Generating Orchestration Code from Contracts
    • Jenkins CI/CD for FLUID Data Products
    • Universal Pipeline
    • The 11-Stage Pipeline
    • End-to-End Walkthrough: Catalog → Contract → Transformation
  • CLI Reference

    • CLI Reference
    • Core workflow

      • fluid init
      • fluid demo
      • fluid forge
      • fluid validate
      • fluid plan
      • fluid apply
      • fluid diff
      • fluid status
    • Build & ship

      • fluid bundle
      • fluid generate
      • fluid generate artifacts
      • fluid validate-artifacts
      • fluid verify-signature
      • fluid generate iac
      • fluid generate-airflow
      • fluid generate-pipeline
      • fluid viz-graph
      • fluid publish
      • fluid ship
      • fluid rollback
      • fluid schedule-sync
    • AI & Agents

      • fluid ai
      • fluid agents
      • fluid mcp
      • fluid memory
      • fluid stats
      • fluid skills
    • Quality & governance

      • fluid test
      • fluid verify
      • fluid contract-tests
      • fluid contract-validation
      • fluid policy
      • fluid policy check
      • fluid policy compile
      • fluid policy apply
    • Standards & interoperability

      • fluid odps
      • fluid odps-bitol
      • fluid odcs
      • fluid export
      • fluid export-odps
      • fluid exporters
      • fluid import
      • fluid market
      • fluid datamesh-manager
    • Project & workspace

      • fluid product-new
      • fluid product-add
      • fluid workspace
      • fluid contract
      • fluid split
      • fluid config
      • fluid providers
      • fluid plugins
      • fluid provider-init
      • fluid auth
      • fluid secrets
      • fluid ide
      • fluid scaffold-ci
      • fluid scaffold-composer
      • fluid scaffold-ide
      • fluid docs
      • fluid runs
      • fluid retention
      • fluid describe
      • fluid doctor
      • fluid roadmap
      • fluid version
    • Catalog adapters

      • Source Catalog Integration (V1.5)
      • Publishing to a Catalog — Overview
      • BigQuery Catalog
      • Snowflake Horizon Catalog
      • Databricks Unity Catalog
      • Google Dataplex Catalog
      • AWS Glue Data Catalog
      • DataHub Catalog
      • Data Mesh Manager Catalog
      • OpenMetadata Catalog
    • CLI by task

      • CLI by task
      • Add quality rules
      • Add agent governance
      • Debug a failed pipeline run
      • Switch clouds with one line
  • Recipes

    • Recipes
    • Recipe — add a quality rule
    • Recipe — switch clouds with one line
    • Recipe — tag PII in your schema
    • Write a contract that consumes another contract
    • Generate per-environment overlays
  • SDK & Plugins

    • SDK & Plugins
    • Quickstart — your first plugin
    • Examples

      • Runnable examples
      • Example: hello-scaffold — the minimal viable plugin
      • Example: gitlab-ci-scaffold — generate a complete CI project
      • Example: steward-validator — a custom governance rule
      • Example: prod-key-guard — apply-time invariant check
    • Journeys

      • Journeys
      • Your own CI/CD

        • You have your own CI/CD setup, no problem
        • GitLab CI — the bundle template
        • GitHub Actions — the bundle template
        • Jenkins — the bundle template
        • CircleCI — the bundle template
      • You have a strict project layout, no problem
      • You have governance rules, no problem
      • You want a check at apply time, no problem
    • Reference

      • Reference
      • Roles reference
      • Entry points reference
      • Trust model
      • Packaging
      • Companion packages
  • Providers

    • Providers
    • Provider Architecture
    • GCP Provider
    • AWS Provider
    • Snowflake Provider
    • Local Provider
    • Creating Custom Providers
    • Provider Roadmap
  • AI & Agents

    • MCP Server
    • Built-in And Custom Forge Guidance
    • Forge Discovery Guide
    • Forge Memory Guide
    • Authoring Forge Tools
    • Guided fluid forge UX
    • LLM Providers
    • LiteLLM Backend
    • Capability Warnings
    • Cost Tracking
    • FLUID Forge Contract GPT Packet
    • Agentic Primitives
  • Operate & Deploy

    • Airflow Integration
    • Blueprints
    • Source-Aligned Acquisition
  • Govern & Secure

    • Governance, Compliance & the Business Case
    • Governance & Compliance
    • Network Safety
    • Credential Resolver — Security Model
  • Configuration & Reference

    • Environment Variables
    • Typed Errors
    • Typed CLI Errors
    • API Stability — fluid_build.api
  • Architecture & Releases

    • V1.5 Catalog Integration — Architecture Deep-Dive
    • V1.5 + V2 Hardening — Release Notes
  • Project

    • Contributing to Fluid Forge
    • Fluid Forge Docs Baseline: CLI 0.9.0
    • Fluid Forge Docs Baseline: CLI 0.8.11
    • Fluid Forge Docs Baseline: CLI 0.8.10
    • Fluid Forge Docs Baseline: CLI 0.8.9
    • Fluid Forge Docs Baseline: CLI 0.8.8
    • Fluid Forge Docs Baseline: CLI 0.8.7
    • Fluid Forge Docs Baseline: CLI 0.8.6
    • Fluid Forge Docs Baseline: CLI 0.8.5
    • Fluid Forge Docs Baseline: CLI 0.8.4
    • Fluid Forge Docs Baseline: CLI 0.8.3
    • Fluid Forge Docs Baseline: CLI 0.8.0
    • Fluid Forge Docs Baseline: CLI 0.7.11
    • Fluid Forge Docs Baseline: CLI 0.7.9
    • Fluid Forge v0.7.1 - Multi-Provider Export Release

Network Safety

Fluid Forge consolidates every outbound HTTP fetch behind one safe-HTTP layer. The defaults are conservative — most remote operations are off unless you opt in — and the guard runs at the connection layer so that DNS rebinding and IPv4-mapped IPv6 tricks can't sneak past it.

This page describes the user-visible behaviour: which flags opt in, which env vars allowlist hosts, where the defaults landed, and which legacy behaviours flipped (the BREAKING ones, listed below).

Defaults that flipped in v0.8.3 — what you may need to change

SurfaceOld defaultNew defaultOverride
fluid forge --seed-from <url>(didn't exist)Local-only; remote http(s) references rejected--seed-allow-remote
fluid odps import <url>Followed http(s) contractId referencesLocal-only; remote references rejected--allow-remote
BitolOdpsProvider().import_contract(...) (Python)allow_remote=Trueallow_remote=Falseallow_remote=True (kwarg)
ContractResolver(...) (Python)allow_remote=Trueallow_remote=Falseallow_remote=True (kwarg)
forge_copilot_seed.load_seed(...) (Python)allow_remote=Trueallow_remote=Falseallow_remote=True (kwarg)
Ollama endpointConfigurableLocalhost-only (127.0.0.1 / ::1)— (intentional)
HTTP redirects on any safe-HTTP clientFollowedNot followedfollow_redirects=True (per-call kwarg)

The CLI flags --no-remote / --seed-no-remote remain as hidden no-op aliases for back-compat in scripts.

What the safe-HTTP layer enforces

Every outbound http(s) call from fluid goes through one factory that applies, in order:

  1. Scheme allowlist — only http and https. file://, gopher://, etc. are rejected.
  2. Post-DNS-resolution private-IP filter — RFC1918, link-local 169.254.0.0/16, loopback, reserved, CGNAT, 6to4, NAT64, ORCHIDv2, IPv6-SR, RFC-TEST-NET. IPv4-mapped IPv6 addresses are unwrapped before the check (closes a Python 3.10 / 3.11 stdlib bypass that didn't recurse into IPv4-mapped IPv6 until 3.12+).
  3. Reject on mixed-public-and-private DNS — if a hostname resolves to both public and private addresses, the entire fetch is refused (the canonical DNS-rebinding mitigation).
  4. Connection-layer DNS pin — the validated IP is pinned for the lifetime of the connection (httpx's sni_hostname extension). A second DNS lookup mid-connection can't redirect to a private IP.
  5. follow_redirects=False — redirects are off by default; the caller has to opt in per request.
  6. Streaming body cap at 10 MiB — bounded memory exposure for unknown upstream payload sizes.

The same factory powers seven fetch surfaces in one pass: the contract resolver, the Kafka Connect REST client and its schema-registry client, the Airbyte REST client, the three publish-side catalog registrars (DataHub, OpenMetadata, Data Mesh Manager), the Databricks auth-provider's API check, and the schema-manager remote fetcher.

Allowlists for outbound integrations

A handful of integrations need to call user-controlled hosts that the post-DNS filter would otherwise reject (e.g. an internal webhook receiver, a self-hosted catalog). Use the matching allowlist env var:

VariableSurface
FLUID_WEBHOOK_HOST_ALLOWLISTWebhook alerter (fluid_build/build_runners/_alerter.py). Comma-separated host suffixes — corp.example.com,vpn.internal.
FLUID_FEDERATION_HOST_ALLOWLISTFederation digests fetcher.
FLUID_COMMAND_CENTER_HOST_ALLOWLISTFLUID Command Center publish.

Allowlists are suffix matches — vpn.internal permits app.vpn.internal but not vpn.internal-evil.example.com.

Master toggles

VariableEffect
FLUID_SAFE_MODEMaster kill-switch. When set, every outbound HTTP fetch is refused — even those that would otherwise have gone through. Useful for air-gapped reviewers.
FLUID_ALLOW_METADATA_SERVICEAllow outbound calls to the cloud metadata service (169.254.169.254). Off by default. Only enable on hosts that need IAM/role auto-discovery and have no untrusted workload sharing the network.

Ollama is localhost-only

The Ollama provider is restricted to 127.0.0.1 and ::1. You cannot point fluid forge --llm-provider ollama at a remote Ollama instance — even via an SSH tunnel that terminates locally, the post-DNS filter accepts the local socket. If you need a remote LLM, use one of the SaaS providers (OpenAI / Anthropic / Gemini / Bedrock / Vertex) behind their first-party HTTP — those are not restricted by the SSRF guard, only filtered against the IPv4/IPv6 private-range list.

How a denied fetch surfaces

Denied fetches raise a typed NetworkSafetyError with one of these reasons:

  • scheme_not_allowed — non-http(s) URL.
  • private_address_blocked — the DNS resolved to a private / loopback / link-local / reserved address.
  • mixed_dns_resolution — the hostname resolves to a mix of public and private addresses; the fetch is refused without retry.
  • redirect_blocked — the upstream responded with a 3xx and the caller did not opt in to redirects.
  • body_cap_exceeded — the streaming download crossed the 10 MiB cap.

Each error carries what / where / why / fix / doc fields per the typed CLI errors shape.

Architecture contracts (enforced in CI)

v0.8.3 adds two declarative [tool.importlinter] contracts in pyproject.toml:

  1. observability ↛ build_runners — the observability layer cannot import the build-runner layer. Prevents the cycle that previously broke cli/__init__.py import.
  2. _net is tier-0 — the canonical post-DNS-resolution SSRF check module has no fluid_build.* upstreams. Makes the SSRF gate safely reusable from any layer.

These contracts are enforced by the upstream import-linter tool during development and in the import-hygiene CI job — they are not a runtime CLI feature. There is no fluid lint-imports subcommand. Contributors run them with:

pip install import-linter
lint-imports

See also

  • Environment variables — full env-var index including the SSRF allowlists
  • fluid forge — where --seed-allow-remote applies
  • fluid odps import — where --allow-remote applies
  • Catalog overview — publish-side registrars all use the safe-HTTP layer
Edit this page on GitHub
Last Updated: 6/25/26, 10:06 PM
Contributors: fas89, Claude Opus 4.7 (1M context)
Prev
Governance & Compliance
Next
Credential Resolver — Security Model