diff --git a/apps/agent-zero/agent-zero.yaml b/apps/agent-zero/agent-zero.yaml
index 2ae50cb..56f9c9d 100644
--- a/apps/agent-zero/agent-zero.yaml
+++ b/apps/agent-zero/agent-zero.yaml
@@ -666,8 +666,9 @@ spec:
         - port: 5300
           protocol: TCP
     # FlowerCore DMS Manager MCP (product-manager fan-out) — in-cluster
-    # dms-web on port 80. Every in-cluster MCP target needs an explicit
-    # egress allow (the policy denies private ranges by default).
+    # dms-web. NetworkPolicy matches the destination POD port: dms-web svc:80
+    # targets containerPort 8080, so the egress MUST allow 8080 (not the svc
+    # port 80) — same as the fc-chat rule. Allow both for parity.
     - to:
         - namespaceSelector:
             matchLabels:
@@ -675,6 +676,8 @@ spec:
       ports:
         - port: 80
           protocol: TCP
+        - port: 8080
+          protocol: TCP
     # Allow internet (for kubectl image pull, etc)
     - to:
         - ipBlock: