Skip to main content

Network Control and Proxy-Managed Credentials

The docker-review kit needed no network access. Most real kits do - they need to reach a package registry during install, or call an external API at runtime. This section covers how to declare those rules and wire up credentials so they never enter the VM.


How network control worksโ€‹

Every sandbox has an egress proxy. All outbound traffic from the sandbox goes through it. By default, a kit's allowedDomains are additive - they extend whatever the base network policy allows.

network:
allowedDomains:
- pypi.org
- files.pythonhosted.org
deniedDomains:
- telemetry.example.com # explicit block even if another policy permits it

Use sbx policy log to see every request the proxy handled - essential for debugging blocked domains during install.


How credential injection worksโ€‹

Here's the security property that makes kits more rigorous than a shell script: the raw credential never enters the VM.

Instead:

  1. You declare a credential source in the kit - where the proxy should look on the host
  2. The proxy reads it at request time
  3. The proxy injects it as an HTTP header on matching outbound requests
  4. The agent inside the sandbox never sees the raw value
credentials:
sources:
my-service:
env:
- MY_SERVICE_API_KEY # read from host environment

network:
serviceDomains:
api.my-service.com: my-service # link domain to credential source
serviceAuth:
my-service:
headerName: Authorization
valueFormat: "Bearer %s" # proxy injects this header
allowedDomains:
- api.my-service.com

environment:
proxyManaged:
- MY_SERVICE_API_KEY # visible as env var inside sandbox; value substituted at request time

Try it: verify Anthropic credential injectionโ€‹

The built-in claude agent already uses this pattern. Run:

sbx policy log

You'll see requests to api.anthropic.com logged as forward with the credential injected by the proxy. The API key is never written to the VM's environment - it's substituted per-request.


Compare: shell script vs kitโ€‹

Shell script (claude-sbx)Kit
Egress rulesEdit config/allowlist.txt + reloadDeclare in spec.yaml, enforced at creation
API keyMust be exported to shell environmentStays on host, proxy injects per-request
Credential scopeGlobal to the sessionPer-service, per-domain
Sharing rulesCopy file, document setup--kit flag or Git URL