indifferentketchup/boocode
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c860b6c4b76d49350e83aeca3647478c3d0bae37
boocode/openspec/changes/archived/2026-06-07-eval-sandbox-agent-runtime/specs/sandbox-network-policy/spec.md
indifferentketchup c935687725 chore(openspec): drop 9 superseded proposals + 11 stub archive files 
Drop 9 batch proposals that are superseded by the boocode-lift-analysis
(boocontext-audit, conductor upgrades, self-healing/verify-gate skills):
add-3tier-memory, import-llm-evaluator, import-pregel-engine, plugin-platform,
conductor-evolution, code-intelligence-upgrade, dev-workflow, ui-overhaul,
agent-reliability.

Delete 11 stub archive files (49-66B each, 'Status: Shipped. Archived.' only)
that provide zero documentation value over the existing CHANGELOG.md + git tags.
2026-06-07 22:15:38 +00:00

1.9 KiB
Raw Blame History

ADDED Requirements

Requirement: Network policy type

The system SHALL define a NetworkPolicy type with three forms:

  • "allow-all" — full internet access (default)
  • "deny-all" — no external access
  • { allow?: string[] | Record<string, NetworkPolicyRule[]>; subnets?: { allow?: string[]; deny?: string[] } } — custom rules

Scenario: Allow-all permits all traffic

  • WHEN networkPolicy: "allow-all" is set
  • THEN all outbound traffic SHALL be permitted

Scenario: Deny-all blocks all traffic

  • WHEN networkPolicy: "deny-all" is set
  • THEN all outbound traffic SHALL be denied

Scenario: Domain allowlist restricts access

  • WHEN networkPolicy: { allow: ["*.npmjs.org"] } is set
  • THEN traffic to registry.npmjs.org SHALL be allowed and all other traffic SHALL be denied

Scenario: Wildcard domains match subdomains

  • WHEN a domain pattern starts with *. (e.g., *.example.com)
  • THEN it SHALL match any subdomain of that domain

Requirement: Network policy rules with transformers

The system SHALL support per-domain rules with request transformers for header injection.

Parameters per rule:

  • match?: { path?, method?, queryString?, headers? } — request matchers
  • transform?: { headers: Record<string, string> }[] — header injection
  • forwardURL?: string — HTTPS proxy forwarding

Scenario: Header transform injects authorization

  • WHEN a request matches a rule with transform: [{ headers: { authorization: "Bearer token" } }]
  • THEN the authorization header SHALL be injected before forwarding

Requirement: Subnet filtering

The system SHALL support subnet-level access control via CIDR notation.

Scenario: Subnet allow takes precedence over domain deny

  • WHEN subnets: { allow: ["10.0.0.0/8"] } is set
  • THEN traffic to 10.0.0.1 SHALL be allowed regardless of domain rules
Reference in New Issue View Git Blame Copy Permalink