Skip to content

docs(agents): qualify "safe inside E2B sandboxes" auto-approve claim#292

Open
OndrejDrapalik wants to merge 1 commit into
mainfrom
int-88-safe-claim
Open

docs(agents): qualify "safe inside E2B sandboxes" auto-approve claim#292
OndrejDrapalik wants to merge 1 commit into
mainfrom
int-88-safe-claim

Conversation

@OndrejDrapalik

Copy link
Copy Markdown
Contributor

What

The (safe inside E2B sandboxes) note next to the auto-approve flags read as a blanket safety guarantee. It isn't: sandboxes have open outbound internet by default (allowInternetAccess ?? true). An auto-approved agent with open egress can exfiltrate repo contents or injected secrets.

This scopes the claim to what the sandbox actually guarantees — host/filesystem/process isolation — and points readers to egress rules when input is untrusted or secrets are in play.

Changes

  • Reword the headless auto-approve sentence on claude-code, codex, grok, amp — drop the unqualified claim, link /docs/network/internet-access.
  • Add a shared <Note>: containment covers the host but not the network; configure allowInternetAccess + allow/deny lists (CIDR or hostname). Hostname rules are HTTP(S)-only — no overclaim about UDP/QUIC.
  • Same <Note> added to devin for consistency (it recommended --permission-mode dangerous with no safety context).

Verification

Empirically proven live in both SDKs (scratch app e2b-scratchpad/apps/egress-posture-test):

Posture Result
Sandbox.create() default curl https://example.com200 (open egress)
allowInternetAccess: false same request → blocked (curl exit 28)
allowOut: ['example.com'] + denyOut all allowlisted → 200, other host → blocked (exit 35, SNI)
host probe, every posture rm -rf /home/user/* + host-path probes: host marker stays intact

mintlify broken-links passes; all five pages render 200 in mintlify dev.

Closes INT-88

The unqualified "(safe inside E2B sandboxes)" note on the auto-approve
flags implied full safety, but sandboxes have open outbound internet by
default. Scope the claim to host/filesystem isolation and point readers
to egress network rules when handling untrusted input or secrets.

- Reword the headless auto-approve sentence on claude-code, codex, grok,
  and amp to drop the blanket claim and link /docs/network/internet-access
- Add a shared <Note> explaining containment covers the host but not the
  network, with allow/deny-list guidance (hostname rules = HTTP(S) only)
- Add the same <Note> to devin for consistency

Verified empirically: default sandbox egress is open (HTTP 200), and both
allowInternetAccess:false and hostname allow-lists block it, while the
host stays untouched in every posture.

Closes INT-88
@linear-code

linear-code Bot commented Jul 10, 2026

Copy link
Copy Markdown

INT-88

@cla-bot cla-bot Bot added the cla-signed label Jul 10, 2026
@mintlify

mintlify Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
e2b 🟢 Ready View Preview Jul 10, 2026, 10:16 PM

@OndrejDrapalik OndrejDrapalik marked this pull request as ready for review July 10, 2026 22:15
@OndrejDrapalik OndrejDrapalik requested a review from beran-t July 13, 2026 11:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant