Skip to main content
Configure a sandbox’s network stack: a first-match-wins egress/ingress policy, published ports, DNS interception, TLS interception, and secret-violation handling. See Networking for the conceptual overview and TLS Interception for proxy details.

Typical flow

import { NetworkPolicy, Sandbox } from "microsandbox";

const policy = NetworkPolicy.builder()           // 1. compose a policy
  .defaultDeny()
  .egress((e) => e.tcp().port(443).allowPublic())
  .rule((r) => r.any().deny((d) => d.ip("198.51.100.5")))
  .build();

const sb = await Sandbox.builder("api")
  .image("python")
  .network((n) =>
    n                                            // 2. wire it into the sandbox
      .policy(policy)
      .port(8080, 80)
      .dns((d) => d.rebindProtection(true)),
  )
  .create();
The default policy denies egress except for an implicit allow-public rule (plus DNS), and allows ingress with no rules. See the defaults rationale for the asymmetry. NetworkPolicy, Rule, Destination, and PortRange each merge a value-type interface with a factory namespace under one name, all re-exported from microsandbox.

NetworkPolicy

A NetworkPolicy is an ordered rule list plus two per-direction defaults, evaluated first-match-wins. The presets below construct common shapes directly; for anything custom, start from builder() or write a literal and pass it to NetworkBuilder.policy().
import { NetworkPolicy, Rule, Destination } from "microsandbox";

// Custom policy literal
const custom: NetworkPolicy = {
  defaultEgress: "deny",
  defaultIngress: "allow",
  rules: [
    Rule.allowEgress(Destination.domain("api.example.com")),
    Rule.denyEgress(Destination.group("metadata")),
  ],
};

// Or via the builder
const built = NetworkPolicy.builder()
  .defaultDeny()
  .egress((e) => e.tcp().port(443).allowPublic())
  .build();

Rule order matters

The first matching rule wins, so a broad rule placed before a narrow one swallows it:
const policy: NetworkPolicy = {
  defaultEgress: "deny",
  defaultIngress: "allow",
  rules: [
    Rule.allowEgress(Destination.cidr("10.0.0.0/8")),  // matches everything in 10.x
    Rule.denyEgress(Destination.cidr("10.0.0.5/32")),  // never reached
  ],
};
Put specific rules before general ones.

Shadow detection

NetworkPolicyBuilder.build() walks the rules and warns when a rule is fully covered by an earlier one in the same direction. Only cidr and group destinations are checked; domain coverage depends on runtime DNS and is skipped. Builds still succeed; the warning surfaces as a host-side tracing::warn! from the Rust core:
WARN rule #1 (Egress Cidr(10.0.0.5/32) Deny) is shadowed by rule #0 (Egress Cidr(10.0.0.0/8) Allow); to narrow, place the more specific rule first
Policy literals constructed via Rule.allowEgress(...) etc. do not run through the builder and skip this check.

NetworkPolicy.builder()

builder(): NetworkPolicyBuilder
import { NetworkPolicy } from "microsandbox";

const policy = NetworkPolicy.builder()
  .defaultDeny()
  .egress((e) => e.tcp().port(443).allowPublic().allowPrivate())
  .build();
Start the fluent NetworkPolicyBuilder. Equivalent to new NetworkPolicyBuilder(). String inputs (.ip(), .cidr(), .domain(), .domainSuffix()) are stored raw and parsed at build(), so the chain stays clean and the first parse or validation failure surfaces there.

Returns

Empty builder.

NetworkPolicy.none()

none(): NetworkPolicy
Deny all traffic in both directions, no rules. The guest is fully offline. exec and fs still work since they use the host-guest channel, not the network.

NetworkPolicy.allowAll()

allowAll(): NetworkPolicy
Unrestricted network access: allow everything in both directions, no rules. Includes private addresses and the host machine.

NetworkPolicy.publicOnly()

publicOnly(): NetworkPolicy
Egress allowed only to public destinations (plus DNS to the gateway); ingress allowed by default. Blocks private address ranges and cloud metadata endpoints. This is the default policy.

NetworkPolicy.nonLocal()

nonLocal(): NetworkPolicy
Egress allowed to public + private (LAN) destinations (plus DNS); ingress allowed by default. Local groups (loopback, link-local, host, metadata) stay denied.

Rule, Destination, PortRange

Factories for the building blocks of a policy literal. Rule values pair a Destination with a direction and action; Destination and PortRange construct the matchers.

Rule.allowEgress()

allowEgress(destination: Destination): Rule
import { Rule, Destination } from "microsandbox";

const r = Rule.allowEgress(Destination.domain("api.example.com"));
Allow rule with direction egress. Empty protocols and ports mean “any”.

Parameters

destinationDestination
Target filter.

Rule.denyEgress()

denyEgress(destination: Destination): Rule
Deny rule with direction egress.

Parameters

destinationDestination
Target filter.

Rule.allowIngress()

allowIngress(destination: Destination): Rule
Allow rule with direction ingress.

Parameters

destinationDestination
Target filter.

Rule.denyIngress()

denyIngress(destination: Destination): Rule
Deny rule with direction ingress.

Parameters

destinationDestination
Target filter.

Rule.allowAny()

allowAny(destination: Destination): Rule
Allow rule with direction any (matches in either direction).

Parameters

destinationDestination
Target filter.

Rule.denyAny()

denyAny(destination: Destination): Rule
Deny rule with direction any (matches in either direction).

Parameters

destinationDestination
Target filter.

Rule.allowDns()

allowDns(): Rule
import { NetworkPolicy, Rule } from "microsandbox";

const policy: NetworkPolicy = {
  defaultEgress: "deny",
  defaultIngress: "deny",
  rules: [Rule.allowDns()],
};
Allow plain DNS (UDP/53 and TCP/53) to the sandbox gateway, i.e. the in-process DNS forwarder. The standard one-liner for opening DNS under a deny-by-default policy. See DNS as egress for the underlying semantics. DoT (TCP/853) is intentionally not included; add an explicit Destination.group("host") tcp/853 allow rule if needed (and pair with TLS interception).

Destination.any()

any(): Destination
Match any destination.

Destination.cidr()

cidr(cidr: string): Destination
Match an IP range.

Parameters

cidrstring
CIDR notation, e.g. “10.0.0.0/8”.

Destination.domain()

domain(domain: string): Destination
Match an exact domain.

Parameters

domainstring
Fully qualified domain name.

Destination.domainSuffix()

domainSuffix(suffix: string): Destination
Match the apex domain and every subdomain.

Parameters

suffixstring
Domain suffix.

Destination.group()

group(group: DestinationGroup): Destination
Match a predefined address group.

Parameters

Group keyword.

PortRange.single()

single(port: number): PortRange
Match a single port. start and end are set to the same value.

Parameters

portnumber
Port number.

PortRange.range()

range(start: number, end: number): PortRange
Match an inclusive port range.

Parameters

startnumber
Lower bound (inclusive).
endnumber
Upper bound (inclusive).

NetworkBuilder

Passed to the callback you give SandboxBuilder.network(...). Every setter returns the same builder. The runtime serializes the accumulated config when the sandbox is created.

.policy()

policy(policy: NetworkPolicy | NetworkPolicyBuilder): this
import { NetworkPolicy, Sandbox } from "microsandbox";

const sb = await Sandbox.builder("api")
  .image("python")
  .network((n) => n.policy(NetworkPolicy.publicOnly()))
  .create();
Set the policy. Accepts a NetworkPolicy literal or factory result, or a NetworkPolicyBuilder (routed through the native bridge so lazy parse/validation errors surface at this call site).

Parameters

Policy literal, factory result, or builder.

.port()

port(host: number, guest: number): this
Publish a TCP port from the guest to the host. The default host bind address is 127.0.0.1.

Parameters

hostnumber
Port on the host.
guestnumber
Port inside the sandbox.

.portBind()

portBind(bind: string, host: number, guest: number): this
Publish a TCP port on a specific host bind address, such as 0.0.0.0.

Parameters

bindstring
Host bind address.
hostnumber
Port on the host.
guestnumber
Port inside the sandbox.

.portUdp()

portUdp(host: number, guest: number): this
Publish a UDP port from the guest to the host. The default host bind address is 127.0.0.1.

Parameters

hostnumber
Port on the host.
guestnumber
Port inside the sandbox.

.portUdpBind()

portUdpBind(bind: string, host: number, guest: number): this
Publish a UDP port on a specific host bind address.

Parameters

bindstring
Host bind address.
hostnumber
Port on the host.
guestnumber
Port inside the sandbox.

.dns()

dns(configure: (b: DnsBuilder) => DnsBuilder): this
.network((n) => n.dns((d) => d.rebindProtection(true).queryTimeoutMs(2000)))
Configure DNS interception. See DnsBuilder.

Parameters

configureDnsBuilder
Configure DNS.

.tls()

tls(configure: (b: TlsBuilder) => TlsBuilder): this
Configure TLS interception. See TlsBuilder.

Parameters

configureTlsBuilder
Configure TLS.

.trustHostCAs()

trustHostCAs(enabled: boolean): this
Whether to ship the host’s trusted root CAs into the guest at boot. Default: false. Opt in for corporate MITM proxies (Cloudflare Warp Zero Trust, Zscaler, Netskope, etc.) whose gateway CA is installed on the host but unknown to the guest’s stock Mozilla bundle.

Parameters

enabledboolean
Ship host CAs into the guest.

.maxConnections()

maxConnections(max: number): this
Limit the maximum number of concurrent network connections from the sandbox.

Parameters

maxnumber
Maximum concurrent connections.

.ipv4Pool()

ipv4Pool(pool: string): this
Set the IPv4 pool used to derive per-sandbox /30 guest subnets. Defaults to 172.16.0.0/12.

Parameters

poolstring
IPv4 CIDR pool.

.ipv6Pool()

ipv6Pool(pool: string): this
Set the IPv6 pool used to derive per-sandbox /64 guest prefixes. Defaults to fd42:6d73:62::/48.

Parameters

poolstring
IPv6 CIDR pool.

.interface()

interface(configure: (b: InterfaceOverridesBuilder) => InterfaceOverridesBuilder): this
.network((n) => n.interface((i) => i.mtu(1400).ipv4("172.16.0.2")))
Override per-sandbox interface attributes (MAC, MTU, fixed IPv4 / IPv6 address). The InterfaceOverridesBuilder exposes .mac(), .mtu(), .ipv4(), and .ipv6().

Parameters

Configure interface overrides.

.enabled()

enabled(enabled: boolean): this
Enable or disable networking entirely. When false, no network interface is created.

Parameters

enabledboolean
Master enable flag.

.onSecretViolation()

onSecretViolation(configure: (b: ViolationActionBuilder) => ViolationActionBuilder): this
.network((n) =>
  n.onSecretViolation((v) =>
    v.blockAndLog().passthroughHost("api.anthropic.com"),
  ),
)
Configure the action taken when a secret reaches a disallowed host. See ViolationActionBuilder.

Parameters

Configure the violation action.
Passthrough hosts receive placeholders unchanged. They do not receive real secret values.

.secret()

secret(configure: (b: SecretBuilder) => SecretBuilder): this
Add a secret with full configuration. See SecretBuilder.

Parameters

configureSecretBuilder
Configure the secret.

.secretEnv()

secretEnv(envVar: string, value: string, placeholder: string, allowedHost: string): this
Four-arg explicit-placeholder shorthand for adding a secret without opening a builder callback.

Parameters

envVarstring
Environment variable name (non-empty, no = or NUL).
valuestring
Real secret value.
placeholderstring
Placeholder string: non-empty, up to 1024 bytes, no NUL/CR/LF.
allowedHoststring
Single hostname allowed to receive the real value.

.secretEnvSimple()

secretEnvSimple(envVar: string, value: string, allowedHost: string): this
.network((n) =>
  n.secretEnvSimple("OPENAI_API_KEY", process.env.OPENAI_API_KEY!, "api.openai.com"),
)
Three-arg auto-placeholder shorthand. Auto-generates the placeholder as $MSB_<envVar>, so it is the terse counterpart to secretEnv() when you do not need a custom placeholder. The full secret API also lives on the secrets page.

Parameters

envVarstring
Environment variable name (non-empty, no = or NUL).
valuestring
Real secret value.
allowedHoststring
Single hostname allowed to receive the real value.

.build()

build(): NetworkConfig
Materialize the accumulated state into a NetworkConfig. The native bridge returns snake_case serde output, which the wrapper remaps to camelCase keys before handing back a plain JS object. Inside SandboxBuilder.network(...) the runtime calls this for you; call it directly only when you want to inspect or persist the resolved config.

Returns

The materialized network configuration.

NetworkPolicyBuilder

Fluent builder for NetworkPolicy. The closure passed to .rule() / .egress() / .ingress() / .any() receives a RuleBuilder; state setters and rule-adders chain freely. The first parse / validation failure surfaces from build().
import { NetworkPolicy } from "microsandbox";

const policy = NetworkPolicy.builder()
  .defaultDeny()
  .egress((e) => e.tcp().port(443).allowPublic().allowPrivate())
  .rule((r) => r.any().deny((d) => d.ip("198.51.100.5")))
  .build();

.defaultDeny()

defaultDeny(): this
Set both defaultEgress and defaultIngress to "deny".

.defaultAllow()

defaultAllow(): this
Set both defaultEgress and defaultIngress to "allow".

.defaultEgress()

defaultEgress(action: "allow" | "deny"): this
Per-direction override for the egress default action.

Parameters

action”allow” | “deny”
Default action for egress.

.defaultIngress()

defaultIngress(action: "allow" | "deny"): this
Per-direction override for the ingress default action.

Parameters

action”allow” | “deny”
Default action for ingress.

.egress()

egress(configure: (rb: RuleBuilder) => RuleBuilder): this
Sugar for rule() with direction pre-set to egress.

Parameters

configureRuleBuilder
Add egress rules.

.ingress()

ingress(configure: (rb: RuleBuilder) => RuleBuilder): this
Sugar for rule() with direction pre-set to ingress.

Parameters

configureRuleBuilder
Add ingress rules.

.any()

any(configure: (rb: RuleBuilder) => RuleBuilder): this
Sugar for rule() with direction pre-set to any. Rules committed inside apply in both directions.

Parameters

configureRuleBuilder
Add bidirectional rules.

.rule()

rule(configure: (rb: RuleBuilder) => RuleBuilder): this
Open a multi-rule batch closure. Direction must be set inside via .egress(), .ingress(), or .any() before any rule-adder.

Parameters

configureRuleBuilder
Add rules; set direction first.

.build()

build(): NetworkPolicy
Materialize the accumulated state into a NetworkPolicy. Lazily parses every recorded .ip() / .cidr() / .domain() / .domainSuffix() input, validates direction-set and ICMP-egress-only invariants, and emits a host-side warning for each shadowed rule pair.

Returns

The materialized policy.

RuleBuilder

Per-rule-batch builder. Lives only inside the callback passed to .rule() / .egress() / .ingress() / .any() on a NetworkPolicyBuilder. State setters and rule-adders interleave freely; state accumulates eagerly across the callback and is not reset between adders:
NetworkPolicy.builder()
  .egress((r) =>
    r
      .tcp().port(443).allowPublic()    // rule 1: egress, TCP, 443, allow Public
      .udp().allowPrivate(),            // rule 2: egress, [TCP, UDP], 443, allow Private
  )
  .build();
Use separate .rule() / .egress() callbacks for rules that need different state.

Direction setters

Last-write-wins. ICMP rule-adders are egress-only at build time.

.egress()

egress(): this
Set direction to egress for subsequent rule-adders.

.ingress()

ingress(): this
Set direction to ingress for subsequent rule-adders.

.any()

any(): this
Set direction to any for subsequent rule-adders. Rules committed after this apply in both directions.

Protocol setters

Protocols accumulate as a set; duplicates dedupe.

.tcp()

tcp(): this
Add tcp to the protocols set.

.udp()

udp(): this
Add udp to the protocols set.

.icmpv4()

icmpv4(): this
Add icmpv4 to the protocols set. Egress-only; an ICMP rule on an ingress or any direction fails build.

.icmpv6()

icmpv6(): this
Add icmpv6 to the protocols set. Egress-only; same rules as icmpv4().

Port setters

Ports accumulate as a set; duplicates dedupe. Always guest-side (egress destination port / ingress listening port).

.port()

port(port: number): this
Add a single port to the ports set.

Parameters

portnumber
Port number 0..=65535.

.portRange()

portRange(lo: number, hi: number): this
Add an inclusive port range. lo > hi records an error surfaced at build() time.

Parameters

lonumber
Lower bound (inclusive).
hinumber
Upper bound (inclusive).

.ports()

ports(ports: number[]): this
Add multiple single ports. Equivalent to calling port() once per element.

Parameters

portsnumber[]
Port numbers.

Group rule-adders

Each adder commits one rule using the current state and the named destination group.

.allowPublic()

allowPublic(): this
Allow the public group (complement of named categories: every IP not in any other group).

.denyPublic()

denyPublic(): this
Deny the public group.

.allowPrivate()

allowPrivate(): this
Allow the private group (RFC1918 + ULA + CGN).

.denyPrivate()

denyPrivate(): this
Deny the private group.

.allowLoopback()

allowLoopback(): this
Allow the loopback group (127.0.0.0/8, ::1). The guest’s own loopback, not the host. To reach a service on the host’s localhost, use allowHost() instead. See the loopback-vs-host watch-out.

.denyLoopback()

denyLoopback(): this
Deny the loopback group.

.allowLinkLocal()

allowLinkLocal(): this
Allow the link-local group (169.254.0.0/16, fe80::/10). Excludes the metadata IP 169.254.169.254.

.denyLinkLocal()

denyLinkLocal(): this
Deny the link-local group.

.allowMeta()

allowMeta(): this
Allow the metadata group (169.254.169.254). Dangerous on cloud hosts (exposes IAM credentials).

.denyMeta()

denyMeta(): this
Deny the metadata group.

.allowMulticast()

allowMulticast(): this
Allow the multicast group (224.0.0.0/4, ff00::/8).

.denyMulticast()

denyMulticast(): this
Deny the multicast group.

.allowHost()

allowHost(): this
Allow the host group: per-sandbox gateway IPs that back host.microsandbox.internal. This is the right shortcut for “let the sandbox reach my host’s localhost”, not allowLoopback().

.denyHost()

denyHost(): this
Deny the host group.

Composite rule-adders

.allowLocal()

allowLocal(): this
Add three allow rules atomically: loopback + link-local + host. Each uses the callback’s current state. metadata is intentionally not included; opt in via allowMeta() separately.

.denyLocal()

denyLocal(): this
Add three deny rules atomically: loopback + link-local + host. metadata is intentionally not included.

Domain rule-adders

Singular forms add one rule; plural forms add one rule per element.

.allowDomain()

allowDomain(name: string): this
Add one Destination::Domain allow rule.

Parameters

namestring
Fully qualified domain name.

.denyDomain()

denyDomain(name: string): this
Add one Destination::Domain deny rule.

Parameters

namestring
Fully qualified domain name.

.allowDomains()

allowDomains(names: string[]): this
Add one Destination::Domain allow rule per name.

Parameters

namesstring[]
Fully qualified domain names.

.denyDomains()

denyDomains(names: string[]): this
Add one Destination::Domain deny rule per name.

Parameters

namesstring[]
Fully qualified domain names.

.allowDomainSuffix()

allowDomainSuffix(suffix: string): this
Add one Destination::DomainSuffix allow rule. Matches the apex and any subdomain.

Parameters

suffixstring
Domain suffix.

.denyDomainSuffix()

denyDomainSuffix(suffix: string): this
Add one Destination::DomainSuffix deny rule. Matches the apex and any subdomain.

Parameters

suffixstring
Domain suffix.

.allowDomainSuffixes()

allowDomainSuffixes(suffixes: string[]): this
Add one Destination::DomainSuffix allow rule per suffix.

Parameters

suffixesstring[]
Domain suffixes.

.denyDomainSuffixes()

denyDomainSuffixes(suffixes: string[]): this
Add one Destination::DomainSuffix deny rule per suffix.

Parameters

suffixesstring[]
Domain suffixes.

Explicit-destination rule-adders

.allow() / .deny() open a RuleDestinationBuilder callback. Exactly one destination call commits the rule.
NetworkPolicy.builder()
  .egress((r) =>
    r
      .tcp().port(443).allow((d) => d.domain("api.example.com"))
      .deny((d) => d.cidr("198.51.100.0/24")),
  )
  .build();

.allow()

allow(configure: (d: RuleDestinationBuilder) => RuleDestinationBuilder): this
Begin an explicit-destination rule with action allow.

Parameters

Commit exactly one destination.

.deny()

deny(configure: (d: RuleDestinationBuilder) => RuleDestinationBuilder): this
Begin an explicit-destination rule with action deny.

Parameters

Commit exactly one destination.

RuleDestinationBuilder

Returned by RuleBuilder.allow(d => ...) / .deny(d => ...). Exactly one destination call commits the rule; dropping without a destination call silently does nothing.

.ip()

ip(ip: string): this
Commit with Destination::Cidr of the IP as /32 or /128.

Parameters

ipstring
Single IPv4 or IPv6 address.

.cidr()

cidr(cidr: string): this
Commit with Destination::Cidr.

Parameters

cidrstring
CIDR notation.

.domain()

domain(domain: string): this
Commit with Destination::Domain.

Parameters

domainstring
Fully qualified domain name.

.domainSuffix()

domainSuffix(suffix: string): this
Commit with Destination::DomainSuffix.

Parameters

suffixstring
Domain suffix.

.group()

group(group: string): this
Commit with Destination::Group. group is a DestinationGroup string.

Parameters

Group keyword.

.any()

any(): this
Commit with Destination::Any.

DnsBuilder

Builder for DNS interception settings. Used in NetworkBuilder.dns(d => ...). Owns rebind protection, nameserver pinning, and the per-query timeout.

.rebindProtection()

rebindProtection(enabled: boolean): this
Toggle DNS rebinding protection. When enabled, DNS responses resolving to private IPs are blocked.

Parameters

enabledboolean
Enable rebinding protection.

.nameservers()

nameservers(servers: string[]): this
Override upstream nameservers. Replaces any previously-set nameservers.

Parameters

serversstring[]
Each entry is IP, IP:PORT, HOST, or HOST:PORT.

.queryTimeoutMs()

queryTimeoutMs(ms: number): this
Per-DNS-query timeout in milliseconds.

Parameters

msnumber
Timeout in milliseconds.

TlsBuilder

Builder for TLS interception settings. Used in NetworkBuilder.tls(t => ...).

.bypass()

bypass(pattern: string): this
Skip TLS interception for hosts matching this glob (e.g. "*.internal.corp"). Use for domains with certificate pinning.

Parameters

patternstring
Glob pattern.

.verifyUpstream()

verifyUpstream(verify: boolean): this
Verify upstream server certificates. Default true. Set to false only for self-signed servers.

Parameters

verifyboolean
Verify upstream certs.

.verifyUpstreamFor()

verifyUpstreamFor(pattern: string, verify: boolean): this
Verify upstream server certificates only when the upstream SNI matches pattern. Pattern syntax matches bypass(): exact hosts and *.suffix wildcards are supported. Setting verify to false is the proxy-side equivalent of curl -k for matching hosts; TLS interception still runs.

.interceptedPorts()

interceptedPorts(ports: number[]): this
TCP ports where interception is active. Default: [443].

Parameters

portsnumber[]
Intercepted TCP ports.

.blockQuic()

blockQuic(block: boolean): this
Block QUIC on intercepted ports, forcing TCP/TLS fallback.

Parameters

blockboolean
Block QUIC.

.interceptCaCert()

interceptCaCert(path: string): this
Path to a PEM file used as the intercepting CA’s certificate.

Parameters

pathstring
PEM cert path.

.interceptCaKey()

interceptCaKey(path: string): this
Path to a PEM file used as the intercepting CA’s private key.

Parameters

pathstring
PEM key path.

.upstreamCaCert()

upstreamCaCert(path: string): this
Path to a PEM file with extra root CAs the proxy should trust when verifying every upstream server.

Parameters

pathstring
PEM cert path.

.upstreamCaCertFor()

upstreamCaCertFor(pattern: string, path: string): this
Path to a PEM file with extra root CAs the proxy should trust only when the upstream SNI matches pattern. Pattern syntax matches bypass(): exact hosts and *.suffix wildcards are supported.

ViolationActionBuilder

Configures the action taken when a secret would be sent to a disallowed host. Used in NetworkBuilder.onSecretViolation(v => ...). Passthrough host calls accumulate; when passthrough hosts are configured, non-matching hosts use the default secret-violation action.

.block()

block(): this
Block the request silently.

.blockAndLog()

blockAndLog(): this
Block the request and emit a warning log.

.blockAndTerminate()

blockAndTerminate(): this
Block the request and terminate the sandbox.

.passthroughHost()

passthroughHost(host: string): this
Allow placeholders to pass through unchanged to an exact host. The host receives the placeholder, not the real secret value.

Parameters

hoststring
Exact host.

.passthroughHostPattern()

passthroughHostPattern(pattern: string): this
Allow placeholders to pass through unchanged to matching wildcard hosts.

Parameters

patternstring
Wildcard host pattern.

.passthroughAllHosts()

passthroughAllHosts(iUnderstand: boolean): this
Allow placeholders to pass through unchanged to any host. The explicit iUnderstand flag must be true to acknowledge the broad scope.

Parameters

iUnderstandboolean
Must be true to opt in.

Types

NetworkConfig

Returned by NetworkBuilder.build()

Built network configuration produced by NetworkBuilder.build(). Keys are camelCased from the Rust serde output.
FieldTypeDescription
enabledbooleanMaster enable flag
portsreadonly PublishedPort[]Port publishings
policyNetworkPolicy | nullActive policy
dnsDnsConfig | nullDNS interception
tlsTlsConfig | nullTLS interception
secretsreadonly SecretEntry[]Secret entries
secretViolationViolationAction | nullAction on disallowed secret use
maxConnectionsnumber | nullMaximum concurrent connections
interface{ ipv4Pool?, ipv6Pool?, ipv4Address?, ipv6Address?, mac?, mtu? }Optional interface overrides
trustHostCAsbooleanShip host CAs into the guest

NetworkPolicy

Used by NetworkBuilder.policy() · returned by NetworkPolicy factories

Ordered rule list with per-direction defaults. First-match-wins is evaluated independently for egress and ingress.
interface NetworkPolicy {
  readonly defaultEgress: Action;
  readonly defaultIngress: Action;
  readonly rules: readonly Rule[];
}

Rule

Used by NetworkPolicy.rules · built via Rule factories

A single ordered policy rule.
interface Rule {
  readonly direction: Direction;
  readonly destination: Destination;
  readonly protocols: readonly Protocol[]; // empty = any
  readonly ports: readonly PortRange[];    // empty = any
  readonly action: Action;
}

Action

Used by Rule.action · NetworkPolicy defaults

Action taken on a matching rule (or the per-direction default).
type Action = "allow" | "deny";

Direction

Used by Rule.direction

Direction the rule applies to.
type Direction = "egress" | "ingress" | "any";

Destination

Used by Rule.destination · built via Destination factories

Destination filter. An internally-tagged union; use the Destination factory for constructors.
type Destination =
  | { kind: "any" }
  | { kind: "cidr"; cidr: string }
  | { kind: "domain"; domain: string }
  | { kind: "domainSuffix"; suffix: string }
  | { kind: "group"; group: DestinationGroup };

DestinationGroup

Used by Destination.group() · RuleDestinationBuilder.group()

Predefined address group keyword. The runtime constant DestinationGroups lists all values.
type DestinationGroup =
  | "public"
  | "loopback"
  | "private"
  | "link-local"
  | "metadata"
  | "multicast"
  | "host";
ValueDescription
'public'Public internet (everything not in another group)
'loopback'Guest’s own 127.0.0.0/8 / ::1
'private'RFC1918 LAN ranges (+ ULA + CGN)
'link-local'169.254.0.0/16 / fe80::/10
'metadata'Cloud metadata endpoint (169.254.169.254)
'multicast'224.0.0.0/4 / ff00::/8
'host'The host machine, reached via host.microsandbox.internal

Protocol

Used by Rule.protocols

Transport protocol filter. Empty Rule.protocols means “any protocol”.
type Protocol = "tcp" | "udp" | "icmpv4" | "icmpv6";

PortRange

Used by Rule.ports · built via PortRange factories

Inclusive port range. Always interpreted as the guest-side port.
interface PortRange {
  readonly start: number;
  readonly end: number;
}

PublishedPort

Used by NetworkConfig.ports

A published port mapping from the guest to the host.
interface PublishedPort {
  readonly hostPort: number;
  readonly guestPort: number;
  readonly protocol: "tcp" | "udp";
  readonly hostBind: string;
}

DnsConfig

Used by NetworkConfig.dns

DNS interception configuration.
FieldTypeDescription
nameserversreadonly string[]Upstream nameservers
rebindProtectionboolean | nullDNS rebinding protection toggle
queryTimeoutMsnumber | nullPer-query timeout

TlsConfig

Used by NetworkConfig.tls

TLS interception configuration.
FieldTypeDescription
bypassreadonly string[]Bypass globs (e.g. "*.googleapis.com")
verifyUpstreamboolean | nullVerify upstream certs
interceptedPortsreadonly number[]Intercepted TCP ports
blockQuicboolean | nullBlock QUIC on intercepted ports
upstreamCaCertPathsreadonly string[]Extra trust roots for upstream verification
scopedUpstreamCaCertsreadonly ScopedUpstreamCaCert[]Host-scoped extra trust roots for upstream verification
scopedVerifyUpstreamreadonly ScopedVerifyUpstream[]Host-scoped upstream certificate verification overrides
interceptCaCertPathstring | nullCustom intercept CA cert (PEM)
interceptCaKeyPathstring | nullCustom intercept CA key (PEM)

ScopedUpstreamCaCert

FieldTypeDescription
patternstringExact host or *.suffix wildcard
pathstringCA bundle path trusted for matching upstream hosts

ScopedVerifyUpstream

FieldTypeDescription
patternstringExact host or *.suffix wildcard
verifybooleanWhether to verify certificates for matching upstream hosts

InterfaceOverridesBuilder

Used by NetworkBuilder.interface()

Builder for per-sandbox network interface overrides.
MethodDescription
.mac(mac)Set the interface MAC address
.mtu(mtu)Set the interface MTU
.ipv4(address)Pin a fixed IPv4 address
.ipv6(address)Pin a fixed IPv6 address