docs: add HTTP ACL documentation to READMEs

Add HTTP ACL feature documentation:
- CLI examples (--http-allow, --http-deny, --https-ca/--https-key)
- Python API example with http_allow/http_deny
- Rust API example with http_allow/http_deny
- Feature comparison table entry
- Policy reference with all HTTP ACL fields
- Python SDK README: new HTTP ACL section with parameter table,
  rule format docs, and code example

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: congwang-mk

README.md

@@ -23,6 +23,7 @@ protects your working directory automatically.
 | Kernel | Shared | Shared | Separate guest |
 | Filesystem isolation | Landlock + seccomp COW | Overlay | Block-level |
 | Network isolation | Landlock + seccomp notif | Network namespace | TAP device |
+| HTTP-level ACL | Method + host + path rules | N/A | N/A |
 | Syscall filtering | seccomp-bpf | seccomp | N/A |
 | Resource limits | seccomp notif + SIGSTOP | cgroup v2 | VM config |
 
@@ -102,6 +103,19 @@ sandlock run -m 512M -P 20 -t 30 -- ./compute.sh
 # Domain-based network isolation
 sandlock run --net-allow-host api.openai.com -r /usr -r /lib -r /etc -- python3 agent.py
 
+# HTTP-level ACL (method + host + path rules via transparent proxy)
+sandlock run \
+  --http-allow "GET docs.python.org/*" \
+  --http-allow "POST api.openai.com/v1/chat/completions" \
+  --http-deny "* */admin/*" \
+  -r /usr -r /lib -r /etc -- python3 agent.py
+
+# HTTPS MITM with user-provided CA (enables ACL on port 443)
+sandlock run \
+  --http-allow "POST api.openai.com/v1/*" \
+  --https-ca ca.pem --https-key ca-key.pem \
+  -r /usr -r /lib -r /etc -- python3 agent.py
+
 # TCP port restrictions (Landlock)
 sandlock run --net-bind 8080 --net-connect 443 -r /usr -r /lib -r /etc -- python3 server.py
 
@@ -151,6 +165,14 @@ result = Sandbox(policy).run(["python3", "-c", "print('hello')"])
 assert result.success
 assert b"hello" in result.stdout
 
+# HTTP ACL: only allow specific API calls
+agent_policy = Policy(
+    fs_readable=["/usr", "/lib", "/etc"],
+    http_allow=["POST api.openai.com/v1/chat/completions"],
+    http_deny=["* */admin/*"],
+)
+result = Sandbox(agent_policy).run(["python3", "agent.py"])
+
 # Confine the current process (Landlock filesystem only, irreversible)
 confine(Policy(fs_readable=["/usr", "/lib"], fs_writable=["/tmp"]))
 
@@ -259,6 +281,14 @@ let policy = Policy::builder()
 let result = Sandbox::run(&policy, &["echo", "hello"]).await?;
 assert!(result.success());
 
+// HTTP ACL: restrict API access at the HTTP level
+let policy = Policy::builder()
+    .fs_read("/usr").fs_read("/lib").fs_read("/etc")
+    .http_allow("POST api.openai.com/v1/chat/completions")
+    .http_deny("* */admin/*")
+    .build()?;
+let result = Sandbox::run(&policy, &["python3", "agent.py"]).await?;
+
 // Confine the current process (Landlock filesystem only, irreversible)
 let policy = Policy::builder()
     .fs_read("/usr").fs_read("/lib")
@@ -342,7 +372,7 @@ The async notification supervisor (tokio) handles intercepted syscalls:
 |---|---|
 | `clone/fork/vfork` | Process count enforcement |
 | `mmap/munmap/brk/mremap` | Memory limit tracking |
-| `connect/sendto/sendmsg` | IP allowlist + on-behalf execution |
+| `connect/sendto/sendmsg` | IP allowlist + on-behalf execution + HTTP ACL redirect |
 | `bind` | On-behalf bind + port remapping |
 | `openat` | /proc virtualization, COW interception |
 | `unlinkat/mkdirat/renameat2` | COW write interception |
@@ -469,6 +499,13 @@ Policy(
     net_bind=[8080],               # TCP bind ports (Landlock ABI v4+)
     net_connect=[443],             # TCP connect ports
 
+    # HTTP ACL (transparent proxy)
+    http_allow=["POST api.openai.com/v1/*"],  # Allow rules (METHOD host/path)
+    http_deny=["* */admin/*"],     # Deny rules (checked first)
+    http_ports=[80],               # Ports to intercept (default: [80])
+    https_ca="ca.pem",             # CA cert for HTTPS MITM (adds port 443)
+    https_key="ca-key.pem",        # CA key for HTTPS MITM
+
     # Socket restrictions
     no_raw_sockets=True,           # Block SOCK_RAW (default)
     no_udp=False,                  # Block SOCK_DGRAM

python/README.md

@@ -67,6 +67,37 @@ Unset fields mean "no restriction" unless noted otherwise.
 | `no_raw_sockets` | `bool` | `True` | Block raw IP sockets |
 | `no_udp` | `bool` | `False` | Block UDP sockets |
 
+#### HTTP ACL
+
+Enforce method + host + path rules on HTTP traffic via a transparent
+MITM proxy. When `http_allow` is set, all non-matching HTTP requests are
+denied by default. Deny rules are checked first and take precedence.
+
+| Parameter | Type | Default | Description |
+|-----------|------|---------|-------------|
+| `http_allow` | `list[str]` | `[]` | Allow rules in `"METHOD host/path"` format |
+| `http_deny` | `list[str]` | `[]` | Deny rules in `"METHOD host/path"` format |
+| `http_ports` | `list[int]` | `[80]` | TCP ports to intercept (443 added when `https_ca` is set) |
+| `https_ca` | `str \| None` | `None` | CA certificate for HTTPS MITM |
+| `https_key` | `str \| None` | `None` | CA private key for HTTPS MITM |
+
+Rule format: `"METHOD host/path"` where method and host can be `*` for
+wildcard, and path supports trailing `*` for prefix matching. Paths are
+normalized (percent-decoding, `..` resolution, `//` collapsing) before
+matching to prevent bypasses.
+
+```python
+policy = Policy(
+    fs_readable=["/usr", "/lib", "/etc"],
+    http_allow=[
+        "GET docs.python.org/*",
+        "POST api.openai.com/v1/chat/completions",
+    ],
+    http_deny=["* */admin/*"],
+)
+result = Sandbox(policy).run(["python3", "agent.py"])
+```
+
 #### IPC and process isolation
 
 | Parameter | Type | Default | Description |