Secret
Static factory for creating secret entries used in SandboxConfig.secrets.
Secret.env()
| Name | Type | Default | Description |
|---|---|---|---|
| env_var | str | - | Environment variable name (e.g. "OPENAI_API_KEY") |
| value | str | - | The real secret value. Never enters the guest VM. Required. |
| allow_hosts | Sequence[str] | () | Hosts allowed to receive the real value (exact match). The TLS proxy matches against the SNI. |
| allow_host_patterns | Sequence[str] | () | Wildcard host patterns (e.g. "*.googleapis.com") |
| placeholder | str \| None | None | Custom placeholder string. Auto-generated as $MSB_<env_var> if not set. |
| require_tls | bool | True | Only substitute on TLS-intercepted connections. Disable only if you know the traffic is safe. |
| on_violation | ViolationAction | BLOCK_AND_LOG | Action when the placeholder is sent to a disallowed host |
| Type | Description |
|---|---|
| SecretEntry | Secret entry for SandboxConfig.secrets |
Types
SecretEntry
Frozen dataclass returned by Secret.env() and used in SandboxConfig.secrets.
| Field | Type | Description |
|---|---|---|
| env_var | str | Environment variable name |
| value | str | Secret value |
| allow_hosts | tuple[str, ...] | Allowed hosts (exact match) |
| allow_host_patterns | tuple[str, ...] | Wildcard patterns |
| placeholder | str \| None | Placeholder string |
| require_tls | bool | TLS requirement |
| on_violation | ViolationAction | Violation action |
ViolationAction
String enum (StrEnum) defining the action taken when a secret placeholder is sent to a disallowed host.
| Value | Description |
|---|---|
| "block" | Silently drop the request. The guest sees a connection reset. |
| "block-and-log" | Drop the request and emit a warning log on the host side. This is the default. |
| "block-and-terminate" | Drop the request, log an error, and shut down the entire sandbox. |
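
A pre-deployment review of secret entries against the fields documented above, as an added example that is not part of the SDK or its documentation. `EntryView` is a local stand-in that mirrors the documented SecretEntry fields so the code runs without the SDK installed; `audit_entry`, the finding codes and the sample hosts and values are hypothetical. It assumes that an empty allow list permits no host and that the guest only ever sees the placeholder.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Stand-in with the same fields and defaults as the SecretEntry table above.
@dataclass(frozen=True)
class EntryView:
    env_var: str
    value: str
    allow_hosts: Tuple[str, ...] = ()
    allow_host_patterns: Tuple[str, ...] = ()
    placeholder: Optional[str] = None
    require_tls: bool = True
    on_violation: str = "block-and-log"

def audit_entry(e):
    """Return (code, message) review findings for one entry (hypothetical helper)."""
    findings = []
    if not e.require_tls:
        findings.append(("no-tls", "substitution is not limited to TLS-intercepted connections"))
    if not e.allow_hosts and not e.allow_host_patterns:
        # Assumption: with both lists empty, no host may receive the real value.
        findings.append(("no-hosts", "no host is allowed to receive the value"))
    for host in e.allow_hosts:
        if "*" in host:
            # allow_hosts is exact match, so a wildcard here is almost certainly a mistake.
            findings.append(("wildcard-in-exact", f"move {host!r} to allow_host_patterns"))
    for pat in e.allow_host_patterns:
        # Heuristic only: flags "*" and "*.com", but not multi-label suffixes like "*.co.uk".
        if "." not in pat.lstrip("*."):
            findings.append(("broad-pattern", f"{pat!r} covers an entire top-level domain"))
    if e.placeholder and e.value and e.value in e.placeholder:
        # Assumption: the placeholder is what the guest sees, so it must not embed the value.
        findings.append(("value-in-placeholder", "custom placeholder contains the real value"))
    if e.on_violation == "block":
        findings.append(("silent-block", "violations are dropped without a host-side log"))
    return findings

# Constructed sample entries; hosts and secret values are fake.
GOOD = EntryView("OPENAI_API_KEY", "sk-constructed", allow_hosts=("api.openai.com",))
RISKY = EntryView("GCP_TOKEN", "tok-constructed", allow_hosts=("*.googleapis.com",),
                  allow_host_patterns=("*.com",), placeholder="x-tok-constructed",
                  require_tls=False, on_violation="block")

if __name__ == "__main__":
    for entry in (GOOD, RISKY):
        print(entry.env_var, [code for code, _ in audit_entry(entry)])
```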