Network Isolation

dcluomax edited this page Jun 1, 2026 · 1 revision

Each Hen can be held to its own network egress policy so one chicken can't reach hosts it shouldn't — or the network at all. This is the per-instance isolation layer that complements the per-hen bash OS sandbox (filesystem + env confinement).

For the full design + threat model, see docs/net-isolation.md in the repo. This page is the operator's summary.

The two egress surfaces

A hen reaches the network two ways, enforced differently:

| Surface | Runs where | Enforcement |
|---|---|---|
| http tool | in-process, in coopd | L7 host+port allowlist on top of the SSRF guard (portable, all OSes) |
| bash tool + tmux CLI agents | child process | OS network sandbox — Linux empty netns (bwrap --unshare-net); macOS Seatbelt (deny network*) |

Policy model

Add an optional top-level network: block to a manifest:

spec_version: coop/v1
name: aria
brain:
  provider_id: vault:byok-anthropic
  model: claude-sonnet-4-5-20250929
tools: [bash, file_read, file_write, http]

network:
  policy: allowlist          # off | allowlist | open
  allow:
    - host: api.anthropic.com
      ports: [443]
    - host: "*.githubusercontent.com"   # suffix wildcard (not the apex)
      ports: [443]
    - host: example.com
      ports: [80, 443]

Policies

| policy | Meaning |
|---|---|
| off | No egress at all — neither bash nor the http tool can reach the network. |
| allowlist | Egress only to hosts/ports in allow (default-deny). In v1, bash gets no direct egress; allow-listed egress is delivered through the http tool. |
| open | Unrestricted egress. The http tool still applies SSRF protection (loopback / RFC1918 / link-local always blocked). |

Host matching

  • Exact: api.anthropic.com matches only that host.
  • Suffix wildcard: a single leading *. — *.example.com matches a.example.com and a.b.example.com but not the apex example.com (add an explicit entry for the apex). No other wildcard forms are accepted.
  • Ports: allow[].ports defaults to [443]. A connection is allowed iff host matches and port is listed. Governs TCP; UDP/QUIC/ICMP get no egress under off/allowlist.
  • IP literals are allowed as hosts but are still subject to the private/loopback block — listing 127.0.0.1 or an RFC1918 literal won't open it.
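
The matching rules above, written out as an added Python example for checking an allow list before shipping a manifest. This is not Coop's own code: the function names and the SAMPLE dict are hypothetical, only IP literals are checked (a name that resolves to a private address is out of scope here), and denying an unrecognized policy value is an assumption.

```python
import ipaddress

DEFAULT_PORTS = [443]  # allow[].ports default stated on this page

def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single leading '*.' suffix wildcard (never the apex)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]              # "*.example.com" -> ".example.com"
        if "*" in suffix:
            return False                  # no other wildcard forms are accepted
        return len(host) > len(suffix) and host.endswith(suffix)
    return "*" not in pattern and host == pattern

def is_blocked_literal(host: str) -> bool:
    """Loopback / private / link-local IP literals stay blocked under every policy."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                      # a hostname, not an IP literal
    return ip.is_loopback or ip.is_private or ip.is_link_local

def egress_allowed(network, host: str, port: int) -> bool:
    """TCP decision for the http tool; network is the manifest's network: block or None."""
    if is_blocked_literal(host):
        return False
    policy = "open" if network is None else network.get("policy")  # absent block = open
    if policy == "open":
        return True
    if policy != "allowlist":
        return False                      # "off"; unknown values denied (assumption)
    return any(
        host_matches(e["host"], host) and port in e.get("ports", DEFAULT_PORTS)
        for e in network.get("allow", [])
    )

# Constructed sample: the network: block from the manifest above, as a dict.
SAMPLE = {
    "policy": "allowlist",
    "allow": [
        {"host": "api.anthropic.com", "ports": [443]},
        {"host": "*.githubusercontent.com", "ports": [443]},
        {"host": "example.com", "ports": [80, 443]},
    ],
}
```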

Default & backward compatibility

  • Absent network: block = open, with a one-time deprecation warning. Existing manifests keep working unchanged.
  • The recommended authored default is allowlist with an explicit allow list.
  • A future coop/v2 may flip the absent-default to allowlist.

Fail-closed (important)

Coop refuses to run a hen with a policy it cannot actually enforce, rather than silently running it open:

  • A hen requesting a policy stricter than open on a host that can't enforce it (no Linux user namespaces, no macOS Seatbelt, or COOP_SANDBOX=0) refuses to hatch.
  • A tmux CLI agent (agent_kind != anthropic) is an unconfined egress surface in v1, so under any policy stricter than open it refuses to hatch too.

Platform support matrix

| Platform | off | allowlist | open |
|---|---|---|---|
| Linux (userns + bwrap) | ✅ empty netns | ✅ http-tool egress; bash no direct egress | ✅ |
| macOS (Seatbelt) | ✅ (deny network*) | ✅ http-tool egress; bash no direct egress | ✅ |
| Windows / no sandbox | fail-closed (refuse to hatch under strict policy) | fail-closed | ✅ |

Deferred to follow-up

The Linux forced-egress proxy that would give bash itself allow-listed egress (rather than denying bash all direct egress under allowlist), SNI re-verification, pasta NAT for open, and sentinel-token secret injection. See §9 of the in-repo spec for exact v1 scope.

Related

  • Security Model — hardening table (C5/C6/H7/H8)
  • BYOK Secrets — keep the model key off the box entirely with Azure Key Vault