# Socket Firewall bypass list — fleet-canonical source of truth.
#
# This file is the wheelhouse-tracked master. Every fleet repo gets a
# byte-identical copy at <repo>/.config/sfw-bypass-list.txt via the
# sync-scaffolding cascade, and consumers read their local copy to
# populate SFW_CUSTOM_REGISTRIES:
#
#   - socket-registry  → .github/actions/setup/action.yml grep-reads
#                        this list into SFW_CUSTOM_REGISTRIES in CI.
#   - socket-btm et al → scripts/install-sfw.mts writes the env to
#                        ~/.socket/_wheelhouse/env.sh so local sfw gets the
#                        same set the CI shared worker uses.
#
# Edit ONLY socket-wheelhouse/template/.config/sfw-bypass-list.txt.
# Downstream copies are regenerated by the cascade, so any local
# edit is overwritten on the next sync.
#
# Format: one `<kind>:<fqdn>` entry per line. Comment lines (`#`) and
# blank lines are ignored. Kinds accepted: npm, pypi, golang, maven,
# gem, cargo, nuget, block, wrap, bypass. The defaults bundled into sfw
# live at SocketDev/firewall:src/lib/registries/default.ts; entries here
# are applied on top of whatever binary release is installed, so a new
# host takes effect without waiting for sfw to be re-published.
#
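# When adding a host, group it with the ecosystem comment that owns it
# and keep within-group ordering stable so cascades produce minimal
# diffs. Each `bypass:` entry exempts the whole host from SFW's
# interception in every fleet repo, so list the narrowest FQDN that
# fixes the failure and note in the comment why it is needed.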

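# GitHub release-asset CDNs (targets of github.com/*/releases/download/*
# and github.com/*/archive/* redirects).
# NOTE(review): raw.* and gist.* serve arbitrary user-published files
# rather than release assets; bypassing them means anything fetched from
# those hosts is not inspected by SFW — confirm both are still needed.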
bypass:objects.githubusercontent.com
bypass:release-assets.githubusercontent.com
bypass:raw.githubusercontent.com
bypass:gist.githubusercontent.com

# VCS fallbacks (Go modules, npm git-deps, Ruby git sources).
bypass:gitlab.com
bypass:bitbucket.org

# Build-tool toolchain downloads.
bypass:ziglang.org
bypass:cmake.org
bypass:sh.rustup.rs
bypass:nodejs.org
bypass:bootstrap.pypa.io

# Go module proxy + toolchain auto-download. proxy.golang.org serves
# modules and redirects (302) to storage.googleapis.com for the
# `go: downloading go1.x.y` flow; sum.golang.org is the checksum DB.
# Without these, `go build` fails with `tls: failed to verify
# certificate: x509: certificate signed by unknown authority` because
# SFW's MITM breaks the cert chain at the redirect target.
# Caveat: storage.googleapis.com is shared by every Google Cloud Storage
# bucket, so this entry exempts far more than the Go toolchain download.
bypass:proxy.golang.org
bypass:sum.golang.org
bypass:storage.googleapis.com

# Cargo web portal (search/info API).
bypass:crates.io

# Conda ecosystem.
bypass:repo.anaconda.com
bypass:conda.anaconda.org
bypass:anaconda.org
bypass:conda-forge.org

# Composer (PHP).
bypass:packagist.org
bypass:repo.packagist.org

# Conan (C/C++).
bypass:center.conan.io
bypass:conan.io

# CocoaPods (Swift/Obj-C).
bypass:cdn.cocoapods.org

# Hackage (Haskell).
bypass:hackage.haskell.org

# Hex (Elixir/Erlang).
bypass:hex.pm
bypass:repo.hex.pm
bypass:builds.hex.pm

# HuggingFace model hub.
bypass:huggingface.co

# Julia.
bypass:pkg.julialang.org
bypass:julialang-s3.julialang.org

# LuaRocks.
bypass:luarocks.org

# OPAM + OCaml toolchain.
bypass:opam.ocaml.org
bypass:ocaml.org

# pub.dev (Dart / Flutter).
bypass:pub.dev

# CPAN (Perl).
bypass:metacpan.org
bypass:cpan.metacpan.org

# CRAN (R).
bypass:cran.r-project.org
bypass:cran.rstudio.com
bypass:bioconductor.org

# Bitnami.
bypass:downloads.bitnami.com

# Swift toolchain + package index.
bypass:swift.org
bypass:download.swift.org
bypass:swiftpackageindex.com

# VSCode extension marketplace.
bypass:marketplace.visualstudio.com

# Bazel external workspace mirror.
bypass:mirror.bazel.build

# Homebrew anonymous analytics (InfluxDB Cloud bucket). brew sends
# usage telemetry on every command; the writes fail fast and silently
# if blocked, but listing the host as bypass saves users from debugging
# phantom timeouts on runners that have brew installed.
# HOMEBREW_NO_ANALYTICS=1 opts out at the source.
bypass:eu-central-1-1.aws.cloud2.influxdata.com
