You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(sandbox-envs): store no egress policy when no allowed hosts
Address PR-review findings on the per-environment egress policy feature.
- An empty/untouched egress editor now stores egress_policy=None instead
of an explicit deny-all, so re-saving a network-enabled env no longer
changes its runtime network behavior. To block all egress, use Network
off.
- Reject credential header names with control chars / CR-LF and values
with newlines, guarding against header injection into the sidecar.
- Remove references to the nonexistent DAIV_SANDBOX_EGRESS_PROXY_ENABLED
setting from the error message, model comment, docs, and tests.
- Log egress-proxy-unavailable distinctly (still fail-closed) when a
fresh session aborts, instead of the generic seed-failure message.
- Trim the CHANGELOG entry to the user-facing feature (Keep a Changelog);
correct the "empty hosts = no outbound access" overstatement in docs.
- Drop dead code (has_egress property, blankHost label) and extract
_empty_egress_state() and the _MASK_SENTINEL constant to remove
duplicated literals.
Copy file name to clipboardExpand all lines: CHANGELOG.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
9
9
10
10
### Added
11
11
12
-
- Added per-environment network egress policy for sandbox environments. A `SandboxEnvironment` can now carry an `egress_policy` (default/intercept + per-host rules) and encrypted `egress_secrets` (named header credentials); when set, the agent provisions them onto the daiv-sandbox MITM egress proxy at session start so credentials are injected by the sidecar and never enter the sandbox container. The egress proxy is mandatory for network-enabled sessions: if the sandbox deployment has no egress proxy configured, a network-enabled run is rejected rather than falling back to unrestricted network. Note: a network-enabled environment **without** an egress policy receives the sidecar's default deny-all (no connectivity) — configure an egress policy on those environments. The egress policy is now configurable from the sandbox-environment form UI (shown only when **Network** is enabled): define allowed hosts (glob patterns), inject per-host credentials (HTTP header name + value, encrypted at rest and never rendered back), and set the `default` (deny/allow) and `intercept` (all/credentialed) modes. Fail-closed: an environment with no allowed hosts has no outbound access.
12
+
- Added a per-environment **network egress policy** for sandbox environments, configurable from the environment form when network is enabled. Restrict outbound traffic to an allow-list of hosts (glob patterns), attach per-host HTTP credentials (header name + value, encrypted at rest and never rendered back), and choose the `default` (deny/allow) and `intercept` (all/credentialed) traffic modes. Credentials are injected by the daiv-sandbox egress proxy and never enter the sandbox container. The egress proxy is mandatory for network-enabled sessions: if the sandbox deployment has no egress proxy configured, a network-enabled run is rejected rather than falling back to unrestricted network.
13
13
- Added `release_orphan_queued_threads` management command to recover `QUEUED` activities left behind on threads with no active sibling (rare TOCTOU loss).
14
14
- Added per-domain auth headers for the `web_fetch` tool to the configuration UI under **Web Fetch → Per-domain auth headers**. Each row pairs a domain (exact match) with an HTTP header name and a header value (encrypted at rest). Replaces the previous env-only `AUTOMATION_WEB_FETCH_AUTH_HEADERS` setting; the new env override is `DAIV_WEB_FETCH_AUTH_HEADERS` (same JSON shape). Operators using the old name must rename it.
15
15
- Added a "Start a run" page at `/dashboard/runs/new/` for launching new agent runs from the UI, and a "Retry" button on terminal non-webhook activities that pre-fills the form with the original prompt, repository, ref, and max-mode flag.
{% translate "Controls which hosts the sandbox can reach. Applies only when network is enabled; with no allowed hosts the sandbox can reach nothing." %}
207
+
{% translate "Restricts which hosts the sandbox can reach. With Default set to deny, only the listed hosts are reachable. Leave the list empty to apply no egress policy; to block all outbound access, set Network to off." %}
Copy file name to clipboardExpand all lines: docs/features/sandbox-environments.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -60,7 +60,7 @@ Environment-variable values are **Fernet-encrypted before they are stored** and
60
60
When **Network** is enabled, the **Egress** section appears at the bottom of the form. It lets you define exactly which outbound connections the sandbox container may make, with optional per-host credentials injected by the MITM proxy — credentials never enter the container.
61
61
62
62
!!! info "Requires the egress proxy"
63
-
Egress policy is provisioned by the daiv-sandbox MITM egress proxy (`DAIV_SANDBOX_EGRESS_PROXY_ENABLED`). If the sandbox does not have the proxy enabled, starting a run that uses an egress-configured environment will **abort** (fail-closed) rather than fall back to unrestricted network.
63
+
Egress policy is provisioned by the daiv-sandbox MITM egress proxy. If the sandbox does not have the egress proxy enabled, starting a run that uses an egress-configured environment will **abort** (fail-closed) rather than fall back to unrestricted network.
64
64
65
65
#### Allowed hosts
66
66
@@ -72,7 +72,7 @@ Each row in the **Allowed hosts** table defines one outbound rule:
72
72
|**Methods**| HTTP methods this rule applies to (leave empty to match all methods) |
73
73
|**Credential**| Optional: an HTTP header name and value injected by the proxy for every request to this host (see below) |
74
74
75
-
**Fail-closed:**if the allowed hosts list is empty, no outbound requests are permitted at all (equivalent to network off, even though networking is technically enabled).
75
+
An egress policy takes effect only when you add at least one allowed-host rule. With **Default**set to `deny`, only the listed hosts are reachable and every other outbound request is blocked. Leaving the allowed-hosts list empty stores **no** egress policy on the environment (the section is treated as untouched) — it does not block traffic. To disable networking entirely, set **Network** to **Off**.
0 commit comments