diff --git a/spec/openapi.infra.yaml b/spec/openapi.infra.yaml index d149bea91..bc0c17228 100644 --- a/spec/openapi.infra.yaml +++ b/spec/openapi.infra.yaml @@ -298,6 +298,8 @@ components: description: List of denied CIDR blocks or IP addresses for egress traffic. Domain names are not supported for deny rules. items: type: string + egressProxy: + $ref: "#/components/schemas/SandboxEgressProxyConfig" maskRequestHost: type: string description: Specify host mask which will be used for all sandbox requests @@ -326,6 +328,8 @@ components: description: List of denied CIDR blocks or IP addresses for egress traffic. Domain names are not supported for deny rules. items: type: string + egressProxy: + $ref: "#/components/schemas/SandboxEgressProxyConfig" rules: type: object description: Per-domain transform rules. Replaces all existing rules when provided. @@ -359,6 +363,31 @@ components: additionalProperties: type: string + SandboxEgressProxyConfig: + type: object + nullable: true + description: >- + SOCKS5 proxy for sandbox egress. Outbound TCP is tunneled through the + proxy after allow/deny filtering; the sandbox is unaware. Domain-matched + flows use remote DNS (ATYP=domain). + required: + - address + properties: + address: + type: string + description: >- + SOCKS5 proxy address in host:port format (e.g. "proxy.example.com:1080"). + username: + type: string + maxLength: 255 + description: >- + Optional SOCKS5 username (RFC 1929), max 255 bytes. + password: + type: string + maxLength: 255 + description: >- + Optional SOCKS5 password (RFC 1929), max 255 bytes. + SandboxAutoResumeEnabled: type: boolean description: Auto-resume enabled flag for paused sandboxes. Default false. diff --git a/src/core/shared/contracts/infra-api.types.ts b/src/core/shared/contracts/infra-api.types.ts index e2a76ca09..fd88950af 100644 --- a/src/core/shared/contracts/infra-api.types.ts +++ b/src/core/shared/contracts/infra-api.types.ts @@ -2339,6 +2339,7 @@ export interface components { allowOut?: string[] /** @description List of denied CIDR blocks or IP addresses for egress traffic. Domain names are not supported for deny rules. */ denyOut?: string[] + egressProxy?: components['schemas']['SandboxEgressProxyConfig'] /** @description Specify host mask which will be used for all sandbox requests */ maskRequestHost?: string /** @description Per-domain transform rules applied to matching egress HTTP/HTTPS requests. Keys are domains (e.g. "api.example.com", "example.com"). A domain listed here is not automatically allowed - use allowOut to permit the traffic. */ @@ -2352,6 +2353,7 @@ export interface components { allowOut?: string[] /** @description List of denied CIDR blocks or IP addresses for egress traffic. Domain names are not supported for deny rules. */ denyOut?: string[] + egressProxy?: components['schemas']['SandboxEgressProxyConfig'] /** @description Per-domain transform rules. Replaces all existing rules when provided. */ rules?: { [key: string]: components['schemas']['SandboxNetworkRule'][] @@ -2370,6 +2372,15 @@ export interface components { [key: string]: string } } + /** @description SOCKS5 proxy for sandbox egress. Outbound TCP is tunneled through the proxy after allow/deny filtering; the sandbox is unaware. Domain-matched flows use remote DNS (ATYP=domain). */ + SandboxEgressProxyConfig: { + /** @description SOCKS5 proxy address in host:port format (e.g. "proxy.example.com:1080"). */ + address: string + /** @description Optional SOCKS5 username (RFC 1929), max 255 bytes. */ + username?: string + /** @description Optional SOCKS5 password (RFC 1929), max 255 bytes. */ + password?: string + } | null /** * @description Auto-resume enabled flag for paused sandboxes. Default false. * @default false