sandbox allowed/blocked domains

[kcoopermiller]

Note

Medium Risk
Egress domain controls affect sandbox network security; this PR only extends SDK/CLI request and display fields—actual enforcement depends on the backend.

Overview
Adds allowed_domains and blocked_domains to sandbox create/read models so callers can configure egress domain filtering alongside network_access.

allowed_domains is an allowlist for restricted sandboxes (network_access=false); blocked_domains is a blocklist when outbound network stays enabled. Both are rejected for VM sandboxes. CreateSandboxRequest enforces these rules via Pydantic validators; the prime sandbox create command mirrors them with --allowed-domain / --blocked-domain (repeatable, wildcards documented in help) and shows the lists in the create confirmation and sandbox get detail output (with getattr for older SDK wheels).

^{Reviewed by Cursor Bugbot for commit c583d27. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit c583d27. Configure here.}

[cursor]

Domain flags omit SDK guard

Medium Severity

prime sandbox create always passes allowed_domains and blocked_domains into CreateSandboxRequest and prints them in the confirmation summary, but unlike idle_timeout_minutes it never checks CreateSandboxRequest.model_fields. An older prime-sandboxes wheel drops unknown fields, so egress allowlists/blocklists can be shown and validated in the CLI yet never reach the API.

Additional Locations (1)

• packages/prime/src/prime_cli/commands/sandbox.py#L737-L741

 

^{Reviewed by Cursor Bugbot for commit c583d27. Configure here.}