-
Notifications
You must be signed in to change notification settings - Fork 0
Network Isolation
Each Hen can be held to its own network egress policy so one chicken can't
reach hosts it shouldn't β or the network at all. This is the per-instance
isolation layer that complements the per-hen bash OS sandbox (filesystem +
env confinement).
For the full design + threat model, see
docs/net-isolation.mdin the repo. This page is the operator's summary.
A hen reaches the network two ways, enforced differently:
| Surface | Runs where | Enforcement |
|---|---|---|
http tool |
in-process, in coopd
|
L7 host+port allowlist on top of the SSRF guard (portable, all OSes) |
bash tool + tmux CLI agents |
child process | OS network sandbox β Linux empty netns (bwrap --unshare-net); macOS Seatbelt (deny network*)
|
Add an optional top-level network: block to a manifest:
spec_version: coop/v1
name: aria
brain:
provider_id: vault:byok-anthropic
model: claude-sonnet-4-5-20250929
tools: [bash, file_read, file_write, http]
network:
policy: allowlist # off | allowlist | open
allow:
- host: api.anthropic.com
ports: [443]
- host: "*.githubusercontent.com" # suffix wildcard (not the apex)
ports: [443]
- host: example.com
ports: [80, 443]policy |
Meaning |
|---|---|
off |
No egress at all β neither bash nor the http tool can reach the network. |
allowlist |
Egress only to hosts/ports in allow (default-deny). In v1, bash gets no direct egress; allow-listed egress is delivered through the http tool. |
open |
Unrestricted egress. The http tool still applies SSRF protection (loopback / RFC1918 / link-local always blocked). |
-
Exact:
api.anthropic.commatches only that host. -
Suffix wildcard: a single leading
*.β*.example.commatchesa.example.comanda.b.example.combut not the apexexample.com(add an explicit entry for the apex). No other wildcard forms are accepted. -
Ports:
allow[].portsdefaults to[443]. A connection is allowed iff host matches and port is listed. Governs TCP; UDP/QUIC/ICMP get no egress underoff/allowlist. - IP literals are allowed as hosts but are still subject to the private/loopback
block β listing
127.0.0.1or an RFC1918 literal won't open it.
-
Absent
network:block =open, with a one-time deprecation warning. Existing manifests keep working unchanged. - The recommended authored default is
allowlistwith an explicitallowlist. - A future
coop/v2may flip the absent-default toallowlist.
Coop refuses to run a hen with a policy it cannot actually enforce, rather than silently running it open:
- A hen requesting a policy stricter than
openon a host that can't enforce it (no Linux user namespaces, no macOS Seatbelt, orCOOP_SANDBOX=0) refuses to hatch. - A tmux CLI agent (
agent_kind != anthropic) is an unconfined egress surface in v1, so under any policy stricter thanopenit refuses to hatch too.
| Platform | off |
allowlist |
open |
|---|---|---|---|
Linux (userns + bwrap) |
β empty netns | β http-tool egress; bash no direct egress | β |
| macOS (Seatbelt) | β
(deny network*)
|
β http-tool egress; bash no direct egress | β |
| Windows / no sandbox | fail-closed (refuse to hatch under strict policy) | fail-closed | β |
The Linux forced-egress proxy that would give bash itself allow-listed
egress (rather than denying bash all direct egress under allowlist), SNI
re-verification, pasta NAT for open, and sentinel-token secret injection.
See Β§9 of the in-repo spec for exact v1 scope.
- Security Model β hardening table (C5/C6/H7/H8)
- BYOK Secrets β keep the model key off the box entirely with Azure Key Vault
Coop is Apache-2.0 Β· pre-alpha (v0.1). Authoritative docs live in the repo.
Get started
Operate
Reference