NVIDIA · mjamiv · May 25, 2026
@@ -723,6 +723,12 @@ fn expand_access_preset(protocol: &str, access: &str) -> Option<Vec<L7Rule>> {
 fn append_unique_binaries(existing: &mut Vec<NetworkBinary>, incoming: &[NetworkBinary]) {
     let mut seen: HashSet<String> = existing.iter().map(|binary| binary.path.clone()).collect();
     for binary in incoming {
+        if let Some(existing_binary) = existing.iter_mut().find(|item| item.path == binary.path) {
+            if !is_advisor_proposed_binary(binary) {
+                mark_user_declared_binary(existing_binary);
+            }
+            continue;
+        }
         if seen.insert(binary.path.clone()) {
             existing.push(binary.clone());
         }
@@ -778,8 +784,30 @@ fn dedup_strings(values: &mut Vec<String>) {
 }
 
 fn dedup_binaries(values: &mut Vec<NetworkBinary>) {
-    let mut seen = HashSet::new();
-    values.retain(|binary| seen.insert(binary.path.clone()));
+    let mut deduped: Vec<NetworkBinary> = Vec::with_capacity(values.len());
+    for binary in std::mem::take(values) {
+        if let Some(existing) = deduped.iter_mut().find(|item| item.path == binary.path) {
+            if !is_advisor_proposed_binary(&binary) {
+                mark_user_declared_binary(existing);
+            }
+        } else {
+            deduped.push(binary);
+        }
+    }
+    *values = deduped;
+}
+
+fn is_advisor_proposed_binary(binary: &NetworkBinary) -> bool {
+    #[allow(deprecated)]
+    let advisor_proposed = binary.harness;
+    advisor_proposed
+}
+
+fn mark_user_declared_binary(binary: &mut NetworkBinary) {
+    #[allow(deprecated)]
+    {
+        binary.harness = false;
+    }
 }
 
 fn dedup_l7_rules(values: &mut Vec<L7Rule>) {
@@ -878,6 +906,18 @@ mod tests {
         }
     }
 
+    fn advisor_binary(path: &str) -> NetworkBinary {
+        let mut binary = NetworkBinary {
+            path: path.to_string(),
+            ..Default::default()
+        };
+        #[allow(deprecated)]
+        {
+            binary.harness = true;
+        }
+        binary
+    }
+
     fn rest_rule(method: &str, path: &str) -> L7Rule {
         L7Rule {
             allow: Some(L7Allow {
@@ -949,6 +989,75 @@ mod tests {
         assert_eq!(rule.binaries.len(), 2);
     }
 
+    #[test]
+    fn add_rule_user_binary_clears_advisor_marker_for_same_path() {
+        let mut policy = restrictive_default_policy();
+        policy.network_policies.insert(
+            "existing".to_string(),
+            NetworkPolicyRule {
+                name: "existing".to_string(),
+                endpoints: vec![endpoint("api.github.com", 443)],
+                binaries: vec![advisor_binary("/usr/bin/curl")],
+            },
+        );
+
+        let incoming = NetworkPolicyRule {
+            name: "incoming".to_string(),
+            endpoints: vec![endpoint("api.github.com", 443)],
+            binaries: vec![NetworkBinary {
+                path: "/usr/bin/curl".to_string(),
+                ..Default::default()
+            }],
+        };
+
+        let result = merge_policy(
+            policy,
+            &[PolicyMergeOp::AddRule {
+                rule_name: "existing".to_string(),
+                rule: incoming,
+            }],
+        )
+        .expect("merge should succeed");
+
+        let rule = &result.policy.network_policies["existing"];
+        assert_eq!(rule.binaries.len(), 1);
+        #[allow(deprecated)]
+        {
+            assert!(!rule.binaries[0].harness);
+        }
+    }
+
+    #[test]
+    fn add_rule_duplicate_binaries_prefer_user_declared_marker() {
+        let incoming = NetworkPolicyRule {
+            name: "incoming".to_string(),
+            endpoints: vec![endpoint("api.github.com", 443)],
+            binaries: vec![
+                advisor_binary("/usr/bin/curl"),
+                NetworkBinary {
+                    path: "/usr/bin/curl".to_string(),
+                    ..Default::default()
+                },
+            ],
+        };
+
+        let result = merge_policy(
+            restrictive_default_policy(),
+            &[PolicyMergeOp::AddRule {
+                rule_name: "github".to_string(),
+                rule: incoming,
+            }],
+        )
+        .expect("merge should succeed");
+
+        let rule = &result.policy.network_policies["github"];
+        assert_eq!(rule.binaries.len(), 1);
+        #[allow(deprecated)]
+        {
+            assert!(!rule.binaries[0].harness);
+        }
+    }
+
     #[test]
     fn add_rule_merges_websocket_credential_rewrite_flag() {
         let mut policy = restrictive_default_policy();

@@ -152,6 +152,32 @@ binary_allowed(policy, exec) if {
 	glob.match(b.path, ["/"], p)
 }
 
+user_declared_binary_allowed(policy, exec) if {
+	some b
+	b := policy.binaries[_]
+	not object.get(b, "advisor_proposed", false)
+	not contains(b.path, "*")
+	b.path == exec.path
+}
+
+user_declared_binary_allowed(policy, exec) if {
+	some b
+	b := policy.binaries[_]
+	not object.get(b, "advisor_proposed", false)
+	not contains(b.path, "*")
+	ancestor := exec.ancestors[_]
+	b.path == ancestor
+}
+
+user_declared_binary_allowed(policy, exec) if {
+	some b in policy.binaries
+	not object.get(b, "advisor_proposed", false)
+	contains(b.path, "*")
+	all_paths := array.concat([exec.path], exec.ancestors)
+	some p in all_paths
+	glob.match(b.path, ["/"], p)
+}
+
 # --- Network action (allow / deny) ---
 #
 # These rules are mutually exclusive by construction:
@@ -638,6 +664,21 @@ matched_endpoint_config := _matching_endpoint_configs[0] if {
 	count(_matching_endpoint_configs) > 0
 }
 
+_policy_has_exact_declared_endpoint(policy) if {
+	some ep
+	ep := policy.endpoints[_]
+	not contains(ep.host, "*")
+	lower(ep.host) == lower(input.network.host)
+	ep.ports[_] == input.network.port
+}
+
+exact_declared_endpoint_host if {
+	some pname
+	policy := data.network_policies[pname]
+	user_declared_binary_allowed(policy, input.exec)
+	_policy_has_exact_declared_endpoint(policy)
+}
+
 # Hosted endpoint: exact host match + port in ports list.
 endpoint_matches_request(ep, network) if {
 	not contains(ep.host, "*")

@@ -143,10 +143,17 @@ pub fn generate_proposals(summaries: &[DenialSummary]) -> Vec<PolicyChunk> {
         let binaries: Vec<NetworkBinary> = if binary.is_empty() {
             vec![]
         } else {
-            vec![NetworkBinary {
+            let mut proposal_binary = NetworkBinary {
                 path: binary.clone(),
                 ..Default::default()
-            }]
+            };
+            // The deprecated harness bit is ignored by policy YAML, but OPA
+            // maps it to advisor_proposed to preserve the SSRF two-step flow.
+            #[allow(deprecated)]
+            {
+                proposal_binary.harness = true;
+            }
+            vec![proposal_binary]
         };
 
         let proposed_rule = NetworkPolicyRule {
@@ -500,6 +507,10 @@ mod tests {
         assert_eq!(rule.endpoints[0].port, 443);
         assert_eq!(rule.binaries.len(), 1);
         assert_eq!(rule.binaries[0].path, "/usr/bin/curl");
+        #[allow(deprecated)]
+        {
+            assert!(rule.binaries[0].harness);
+        }
 
         // No L7 fields when no samples provided.
         assert!(rule.endpoints[0].protocol.is_empty());