docs(agents): qualify "safe inside E2B sandboxes" auto-approve claim#292
Open
OndrejDrapalik wants to merge 1 commit into
Open
docs(agents): qualify "safe inside E2B sandboxes" auto-approve claim#292OndrejDrapalik wants to merge 1 commit into
OndrejDrapalik wants to merge 1 commit into
Conversation
The unqualified "(safe inside E2B sandboxes)" note on the auto-approve flags implied full safety, but sandboxes have open outbound internet by default. Scope the claim to host/filesystem isolation and point readers to egress network rules when handling untrusted input or secrets. - Reword the headless auto-approve sentence on claude-code, codex, grok, and amp to drop the blanket claim and link /docs/network/internet-access - Add a shared <Note> explaining containment covers the host but not the network, with allow/deny-list guidance (hostname rules = HTTP(S) only) - Add the same <Note> to devin for consistency Verified empirically: default sandbox egress is open (HTTP 200), and both allowInternetAccess:false and hostname allow-lists block it, while the host stays untouched in every posture. Closes INT-88
Contributor
|
Preview deployment for your docs. Learn more about Mintlify Previews.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
The
(safe inside E2B sandboxes)note next to the auto-approve flags read as a blanket safety guarantee. It isn't: sandboxes have open outbound internet by default (allowInternetAccess ?? true). An auto-approved agent with open egress can exfiltrate repo contents or injected secrets.This scopes the claim to what the sandbox actually guarantees — host/filesystem/process isolation — and points readers to egress rules when input is untrusted or secrets are in play.
Changes
claude-code,codex,grok,amp— drop the unqualified claim, link/docs/network/internet-access.<Note>: containment covers the host but not the network; configureallowInternetAccess+ allow/deny lists (CIDR or hostname). Hostname rules are HTTP(S)-only — no overclaim about UDP/QUIC.<Note>added todevinfor consistency (it recommended--permission-mode dangerouswith no safety context).Verification
Empirically proven live in both SDKs (scratch app
e2b-scratchpad/apps/egress-posture-test):Sandbox.create()defaultcurl https://example.com→ 200 (open egress)allowInternetAccess: falseallowOut: ['example.com']+denyOutallrm -rf /home/user/*+ host-path probes: host marker staysintactmintlify broken-linkspasses; all five pages render 200 inmintlify dev.Closes INT-88