Threads the optional `NetworkPolicyDecider` from `EngineConfig` through to
`ToolContext.network_policy` and `McpPool::with_network_policy`. Each gate
point follows the same pattern: extract the host, call `decider.evaluate`,
then `Allow` proceeds, `Deny` returns a structured permission-denied error,
and `Prompt` falls through to the same denial with a hint pointing to
`/network allow <host>` (full modal flow lands in a follow-up).
* `fetch_url` — gates on the parsed URL host.
* `web_search` — gates DuckDuckGo (`html.duckduckgo.com`) and the Bing
fallback (`www.bing.com`) independently so a deny on one engine doesn't
silently let the other through.
* MCP — only the HTTP/SSE transport is gated; STDIO MCP servers are
unaffected. `McpConnection::connect_with_policy` replaces the old
`connect` (no external callers existed).
The session cache short-circuits `evaluate` once a host is approved, so
the existing `approve_session` hook is enough to wire the prompt-once
flow when the approval modal lands.
`NetworkPolicyDecider::with_default_audit` materializes the auditor at
`~/.deepseek/audit.log` when the config has `audit = true`.
Includes one tool-level test asserting `fetch_url` denies a blocked host
through the policy gate.
Hunter Bown
f82f162e7f