indifferentketchup/boocode
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(openspec): drop 9 superseded proposals + 11 stub archive files

Browse Source 
Drop 9 batch proposals that are superseded by the boocode-lift-analysis
(boocontext-audit, conductor upgrades, self-healing/verify-gate skills):
add-3tier-memory, import-llm-evaluator, import-pregel-engine, plugin-platform,
conductor-evolution, code-intelligence-upgrade, dev-workflow, ui-overhaul,
agent-reliability.

Delete 11 stub archive files (49-66B each, 'Status: Shipped. Archived.' only)
that provide zero documentation value over the existing CHANGELOG.md + git tags.
This commit is contained in:
indifferentketchup
2026-06-07 22:15:38 +00:00
parent 0d6e9a2413
commit c935687725
119 changed files with 4897 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
openspec/changes/archived/2026-06-07-eval-sandbox-agent-runtime/specs/sandbox-network-policy/spec.md Normal file
View File

@@ -0,0 +1,52 @@
## ADDED Requirements
### Requirement: Network policy type
The system SHALL define a `NetworkPolicy` type with three forms:
- `"allow-all"` — full internet access (default)
- `"deny-all"` — no external access
- `{ allow?: string[] | Record<string, NetworkPolicyRule[]>; subnets?: { allow?: string[]; deny?: string[] } }` — custom rules
#### Scenario: Allow-all permits all traffic
- **WHEN** `networkPolicy: "allow-all"` is set
- **THEN** all outbound traffic SHALL be permitted
#### Scenario: Deny-all blocks all traffic
- **WHEN** `networkPolicy: "deny-all"` is set
- **THEN** all outbound traffic SHALL be denied
#### Scenario: Domain allowlist restricts access
- **WHEN** `networkPolicy: { allow: ["*.npmjs.org"] }` is set
- **THEN** traffic to `registry.npmjs.org` SHALL be allowed and all other traffic SHALL be denied
#### Scenario: Wildcard domains match subdomains
- **WHEN** a domain pattern starts with `*.` (e.g., `*.example.com`)
- **THEN** it SHALL match any subdomain of that domain
### Requirement: Network policy rules with transformers
The system SHALL support per-domain rules with request transformers for header injection.
Parameters per rule:
- `match?: { path?, method?, queryString?, headers? }` — request matchers
- `transform?: { headers: Record<string, string> }[]` — header injection
- `forwardURL?: string` — HTTPS proxy forwarding
#### Scenario: Header transform injects authorization
- **WHEN** a request matches a rule with `transform: [{ headers: { authorization: "Bearer token" } }]`
- **THEN** the `authorization` header SHALL be injected before forwarding
### Requirement: Subnet filtering
The system SHALL support subnet-level access control via CIDR notation.
#### Scenario: Subnet allow takes precedence over domain deny
- **WHEN** `subnets: { allow: ["10.0.0.0/8"] }` is set
- **THEN** traffic to `10.0.0.1` SHALL be allowed regardless of domain rules