Document scoped network policies for sbx#24978
Conversation
✅ Deploy Preview for docsdocker ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
dvdksn
force-pushed
the
docs/sbx-scoped-kit-policies
branch
2 times, most recently
from
373fd11 to
a12f5fd
Compare
Kit network policy docs did not cover sandbox-scoped rules or kit-level deniedDomains. Update the Sandboxes policy and kits pages with scoped policy examples, deniedDomains guidance, and a small policy page formatting fix. Co-Authored-By: Codex <noreply@openai.com>
dvdksn
force-pushed
the
docs/sbx-scoped-kit-policies
branch
from
a12f5fd to
dcffd19
Compare
docker-agent
left a comment
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🔴 CRITICAL
The documentation changes in the markdown files look accurate and well-written — the new deniedDomains field, -g/--global flag, and sandbox-scoped policy examples are clearly documented. However, all four data/sbx_cli/*.yaml files modified in this PR are auto-generated CLI reference data (matching the data/*/*.yaml pattern flagged as auto-generated in the project guidelines). These files should be regenerated from the upstream CLI source rather than edited manually. See inline comments.
Findings summary:
- 🔴 4× HIGH —
data/sbx_cli/*.yamlfiles hand-edited (should be regenerated from upstream)
dvdksn
changed the title
docker-agent
left a comment
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟡 NEEDS ATTENTION
2 medium-severity documentation issues found in the new sbx policy ls output section. No high-severity issues, no vendored file edits flagged, no missing redirects.
| ID TYPE DECISION RESOURCES | ||
| a1b2c3d4-e5f6-7890-abcd-ef1234567890 network allow api.anthropic.com, *.npmjs.org | ||
| f9e8d7c6-b5a4-3210-fedc-ba0987654321 network deny ads.example.com | ||
| NAME TYPE ORIGIN DECISION STATUS RESOURCES |
There was a problem hiding this comment.
[MEDIUM] sbx policy ls output has unexplained ORIGIN and STATUS columns
The new sample output introduces two columns — ORIGIN and STATUS — that are not described anywhere in the surrounding prose. While the example values (local, sandbox:my-sandbox, active) are partially guessable, the ORIGIN column in particular represents a scoping concept (global vs. sandbox-scoped rules) that is central to this PR's new functionality.
Consider adding a brief explanation after the code block, for example:
The
ORIGINcolumn shows whether a rule is global (local) or scoped to a specific sandbox (sandbox:<name>). TheSTATUScolumn shows whether the rule is currently active.
| ``` | ||
|
|
||
| Use `--type network` to show only network policies. | ||
| Use `--type network` to show only network policies. Specify a sandbox name to |
There was a problem hiding this comment.
[MEDIUM] Contradictory description of sbx policy ls with and without a sandbox argument
The prose says: "Specify a sandbox name to show global rules plus rules scoped to one sandbox" — implying the no-argument form shows something different. However, the sample output for sbx policy ls (no argument, lines 100–106) already includes sandbox-scoped rows with ORIGIN: sandbox:my-sandbox.
A reader will reasonably ask: if sbx policy ls already shows all rules (including sandbox-scoped ones), what does sbx policy ls my-sandbox add?
The documentation should clarify the distinction. For example:
- Does
sbx policy ls(no argument) show rules for all sandboxes? - Does
sbx policy ls my-sandboxfilter to show only global rules and rules scoped to that specific sandbox?
If the no-argument form shows every rule for every sandbox (potentially a long list across many sandboxes), and the sandbox-argument form filters to just one, the prose should say so explicitly.
3 participants
Summary
Document sandbox-scoped network policy behavior for Sandboxes kits, including kit-level
deniedDomains, scopedsbx policy [cmd] [sandbox]examples, and the updatedsbx policy lsoutput shape.Also fixes a small formatting issue in the policy reset section.
https://deploy-preview-24978--docsdocker.netlify.app/ai/sandboxes/security/policy/
Generated by Codex