Secret
Static factory for creating secret entries used in SandboxConfig.secrets.
Secret.env()
| Name | Type | Description |
|---|---|---|
| envVar | string | Environment variable name (e.g. "OPENAI_API_KEY") |
| opts | SecretEnvOptions | Secret configuration |
| Type | Description |
|---|---|
| SecretEntry | Secret entry for SandboxConfig.secrets |
Types
SecretEnvOptions
Configuration for a secret created via Secret.env().
| Field | Type | Default | Description |
|---|---|---|---|
| value | string | - | The real secret value. Never enters the guest VM. Required. |
| allowHosts? | Array<string> | [] | Hosts allowed to receive the real value (exact match). The TLS proxy matches against the SNI. |
| allowHostPatterns? | Array<string> | [] | Wildcard host patterns (e.g. "*.googleapis.com") |
| placeholder? | string | $MSB_<envVar> | Custom placeholder string. Override when you need a specific format. |
| requireTls? | boolean | true | Only substitute on TLS-intercepted connections. Disable only if you know the traffic is safe. |
| onViolation? | ViolationAction | 'block' | Action when the placeholder is sent to a disallowed host |
SecretEntry
The object returned by Secret.env() and used in SandboxConfig.secrets.
| Field | Type | Description |
|---|---|---|
| envVar | string | Environment variable name |
| value | string | Secret value |
| allowHosts? | Array<string> | Allowed hosts (exact match) |
| allowHostPatterns? | Array<string> | Wildcard patterns |
| placeholder? | string | Placeholder string |
| requireTls? | boolean | TLS identity requirement |
| onViolation? | string | Violation action |
ViolationAction
Action taken when a secret placeholder is sent to a disallowed host.
| Value | Description |
|---|---|
| 'block' | Silently drop the request. The guest sees a connection reset. This is the default. |
| 'block-and-log' | Drop the request and emit a warning log on the host side. |
| 'block-and-terminate' | Drop the request, log an error, and shut down the entire sandbox. |
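How the fields documented above combine into a per-request decision, as an added example that models the tables on this page and is not the SDK's own code. The `Outbound` shape, the function names, the case-insensitive comparison, and the rule that `*.` covers subdomains but not the bare apex are assumptions; what happens to a request that is not substituted because of `requireTls` is not specified on this page, so the model only reports `'no-substitute'`.

```typescript
// Added illustration: a local model of the documented fields, not SDK code.
type ViolationAction = 'block' | 'block-and-log' | 'block-and-terminate';
type Decision = 'substitute' | 'no-substitute' | ViolationAction;

interface SecretPolicy {
  envVar: string;
  allowHosts?: string[];
  allowHostPatterns?: string[];
  placeholder?: string;
  requireTls?: boolean;
  onViolation?: ViolationAction;
}

// Hypothetical request shape: host is the SNI on TLS connections.
interface Outbound { host: string; tlsIntercepted: boolean; payload: string; }

// Assumption: "*.example.com" covers any subdomain but not the bare apex.
function matchesPattern(host: string, pattern: string): boolean {
  const p = pattern.toLowerCase();
  if (!p.startsWith('*.')) return host === p;
  const suffix = p.slice(1); // ".example.com"
  return host.length > suffix.length && host.endsWith(suffix);
}

function hostAllowed(policy: SecretPolicy, rawHost: string): boolean {
  const host = rawHost.toLowerCase(); // assumption: case-insensitive compare
  const exact = (policy.allowHosts ?? []).some(h => h.toLowerCase() === host);
  return exact || (policy.allowHostPatterns ?? []).some(p => matchesPattern(host, p));
}

function decide(policy: SecretPolicy, req: Outbound): Decision {
  const placeholder = policy.placeholder ?? `$MSB_${policy.envVar}`;
  if (!req.payload.includes(placeholder)) return 'no-substitute';
  // Placeholder headed to a host outside the allow lists: apply onViolation.
  if (!hostAllowed(policy, req.host)) return policy.onViolation ?? 'block';
  // requireTls defaults to true: substitute only on TLS-intercepted connections.
  if ((policy.requireTls ?? true) && !req.tlsIntercepted) return 'no-substitute';
  return 'substitute';
}

// Constructed sample policy and payload.
const SAMPLE_POLICY: SecretPolicy = {
  envVar: 'OPENAI_API_KEY',
  allowHosts: ['api.openai.com'],
  allowHostPatterns: ['*.googleapis.com'],
  onViolation: 'block-and-log',
};
const SAMPLE_PAYLOAD = 'Authorization: Bearer $MSB_OPENAI_API_KEY';
```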