29 changes: 29 additions & 0 deletions spec/openapi.infra.yaml
Expand Up @@ -298,6 +298,8 @@ components:
description: List of denied CIDR blocks or IP addresses for egress traffic. Domain names are not supported for deny rules.
items:
type: string
egressProxy:
$ref: "#/components/schemas/SandboxEgressProxyConfig"
maskRequestHost:
type: string
description: Specify host mask which will be used for all sandbox requests
Expand Down Expand Up @@ -326,6 +328,8 @@ components:
description: List of denied CIDR blocks or IP addresses for egress traffic. Domain names are not supported for deny rules.
items:
type: string
egressProxy:
$ref: "#/components/schemas/SandboxEgressProxyConfig"
rules:
type: object
description: Per-domain transform rules. Replaces all existing rules when provided.
Expand Down Expand Up @@ -359,6 +363,31 @@ components:
additionalProperties:
type: string

SandboxEgressProxyConfig:
type: object
nullable: true
description: >-
SOCKS5 proxy for sandbox egress. Outbound TCP is tunneled through the
proxy after allow/deny filtering; the sandbox is unaware. Domain-matched
flows use remote DNS (ATYP=domain).
required:
- address
properties:
address:
type: string
description: >-
SOCKS5 proxy address in host:port format (e.g. "proxy.example.com:1080").
username:
type: string
maxLength: 255
description: >-
Optional SOCKS5 username (RFC 1929), max 255 bytes.
password:

🔒 Agentic Security Review
Severity: HIGH
The new SandboxEgressProxyConfig.password field lives in a schema that is also referenced from response-side sandbox network objects, so this change can expose proxy credentials in sandbox read responses.

Impact: Any principal that can read sandbox details may obtain reusable SOCKS5 credentials, leading to credential leakage and potential unauthorized proxy use.


Reviewed by Cursor Security Reviewer for commit 3e9c338. Configure here.

type: string
maxLength: 255
description: >-
Optional SOCKS5 password (RFC 1929), max 255 bytes.

SandboxAutoResumeEnabled:
type: boolean
description: Auto-resume enabled flag for paused sandboxes. Default false.
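Review bot: `maxLength: 255` on `username` and `password` in `SandboxEgressProxyConfig` counts characters, while the descriptions (and RFC 1929's one-byte ULEN/PLEN fields) promise a 255-byte limit, so a value with multi-byte characters passes schema validation yet cannot be encoded in the SOCKS5 auth sub-negotiation; add `minLength: 1` (RFC 1929 does not allow empty fields) and either restrict the value with a `pattern` to single-byte characters or reword the description to say 255 characters. The schema also lets a caller send `username` without `password` or vice versa, although the RFC 1929 method carries both, so the spec should state which combination is accepted. `address` has no `pattern` or `format` despite the documented host:port shape, and nothing in the hunk says whether the proxy endpoint itself is subject to `allowOut`/`denyOut`; since the tunnel is opened by the egress layer rather than the sandbox, an `address` naming an internal or link-local host would reach places the sandbox cannot unless that check exists, so the description should say explicitly whether the proxy address is filtered (e.g. `The proxy endpoint itself is/is not subject to allowOut/denyOut filtering`, whichever the implementation does).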
11 changes: 11 additions & 0 deletions src/core/shared/contracts/infra-api.types.ts
Expand Up @@ -2339,6 +2339,7 @@ export interface components {
allowOut?: string[]
/** @description List of denied CIDR blocks or IP addresses for egress traffic. Domain names are not supported for deny rules. */
denyOut?: string[]
egressProxy?: components['schemas']['SandboxEgressProxyConfig']
/** @description Specify host mask which will be used for all sandbox requests */
maskRequestHost?: string
/** @description Per-domain transform rules applied to matching egress HTTP/HTTPS requests. Keys are domains (e.g. "api.example.com", "example.com"). A domain listed here is not automatically allowed - use allowOut to permit the traffic. */
Expand All @@ -2352,6 +2353,7 @@ export interface components {
allowOut?: string[]
/** @description List of denied CIDR blocks or IP addresses for egress traffic. Domain names are not supported for deny rules. */
denyOut?: string[]
egressProxy?: components['schemas']['SandboxEgressProxyConfig']
/** @description Per-domain transform rules. Replaces all existing rules when provided. */
rules?: {
[key: string]: components['schemas']['SandboxNetworkRule'][]
Expand All @@ -2370,6 +2372,15 @@ export interface components {
[key: string]: string
}
}
/** @description SOCKS5 proxy for sandbox egress. Outbound TCP is tunneled through the proxy after allow/deny filtering; the sandbox is unaware. Domain-matched flows use remote DNS (ATYP=domain). */
SandboxEgressProxyConfig: {
/** @description SOCKS5 proxy address in host:port format (e.g. "proxy.example.com:1080"). */
address: string
/** @description Optional SOCKS5 username (RFC 1929), max 255 bytes. */
username?: string
/** @description Optional SOCKS5 password (RFC 1929), max 255 bytes. */
password?: string
} | null
/**
* @description Auto-resume enabled flag for paused sandboxes. Default false.
* @default false