Networking

use microsandbox::{Sandbox, NetworkPolicy};

// No network access
let sb1 = Sandbox::builder("isolated")
    .image("python:3.12")
    .disable_network()
    .create()
    .await?;

// Public internet only (default)
let sb2 = Sandbox::builder("web-agent")
    .image("python:3.12")
    .network(|n| n.policy(NetworkPolicy::public_only()))
    .create()
    .await?;

// Unrestricted access
let sb3 = Sandbox::builder("dev")
    .image("python:3.12")
    .network(|n| n.policy(NetworkPolicy::allow_all()))
    .create()
    .await?;

// Allow only specific hosts
let sb4 = Sandbox::builder("scoped-agent")
    .image("python:3.12")
    .network(|n| n.policy(NetworkPolicy::allowlist(["api.openai.com", "pypi.org"])))
    .create()
    .await?;

// Block specific destinations
let sb5 = Sandbox::builder("safe-agent")
    .image("python:3.12")
    .network(|n| n.policy(NetworkPolicy::denylist([
        DestinationGroup::CloudMetadata,
        DestinationGroup::PrivateNetworks,
    ])))
    .create()
    .await?;

use microsandbox::network::*;

let policy = NetworkPolicy::builder()
    .default_egress(Action::Deny)
    .default_ingress(Action::Deny)
    .egress(Rule::builder()
        .name("allow-https")
        .protocol(Protocol::Tcp)
        .ports(443)
        .action(Action::Allow)
        .build())
    .egress(Rule::builder()
        .name("allow-dns")
        .protocol(Protocol::Udp)
        .ports(53)
        .action(Action::Allow)
        .build())
    .deny_egress_to(Destination::Group(DestinationGroup::CloudMetadata))
    .deny_egress_to(Destination::Group(DestinationGroup::PrivateNetworks))
    .build();

let sb = Sandbox::builder("secure-agent")
    .image("alpine:latest")
    .network(|n| n.policy(policy))
    .create()
    .await?;

use microsandbox::{Sandbox, NetworkPolicy};

let sb = Sandbox::builder("api")
    .image("python:3.12")
    .port(8080, 80)
    .port_udp(5353, 5353)
    .network(|n| n.policy(NetworkPolicy::public_only()))
    .create()
    .await?;

use microsandbox::{Sandbox, NetworkPolicy, DnsMode};

let sb = Sandbox::builder("safe-agent")
    .image("python:3.12")
    .network(|n| n
        .policy(NetworkPolicy::public_only())
        .dns(DnsMode::Intercepted)
        .block_domain("malware.example.com")
        .block_domain("*.tracking.com")
    )
    .create()
    .await?;

use microsandbox::{Sandbox, SecretViolationAction};

let sb = Sandbox::builder("agent")
    .image("python:3.12")
    .secret(|s| s
        .env("GITHUB_TOKEN")
        .value(std::env::var("GITHUB_TOKEN")?)
        .allow_host("api.github.com")
        .allow_host_pattern("*.githubusercontent.com")
    )
    .secret_env("OPENAI_API_KEY", api_key, "api.openai.com")
    .on_secret_violation(SecretViolationAction::BlockAndLog)
    .create()
    .await?;

use microsandbox::tls::*;

let sb = Sandbox::builder("agent")
    .image("python:3.12")
    .network(|n| n
        .tls(|t| t
            .ca_storage("/var/lib/microsandbox/ca")
            .ca_cn("My Agent Sandbox CA")
            .bypass("pinned-api.example.com")
        )
    )
    .create()
    .await?;